Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 24/07/2011; 16:00)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\docume~1\nana&p~1\locals~1\temp\rarsfx0\9517641.exe Script: Quarantine, Delete, BC delete, Terminate	6040			??	700.48 kb, rsAh, created: 24.07.2011 15:50:51, modified: 24.07.2011 21:22:50 Command line: "C:\DOCUME~1\NANA&P~1\LOCALS~1\Temp\RarSFX0\9517641.exe"
c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe Script: Quarantine, Delete, BC delete, Terminate	3648	AcroTray	Copyright 1984-2011 Adobe Systems Incorporated and its licensors. All rights reserved.	??	609.43 kb, rsAh, created: 09.10.2010 03:14:50, modified: 27.05.2011 08:52:30 Command line: "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
c:\program files\xemicomputers\active desktop calendar\adc.exe Script: Quarantine, Delete, BC delete, Terminate	2828	Active Desktop Calendar Application	Copyright (C) 2008	??	3692.00 kb, rsAh, created: 23.07.2011 08:29:26, modified: 13.08.2008 15:33:30 Command line: "C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe"
c:\program files\ati multimedia\main\atidtct.exe Script: Quarantine, Delete, BC delete, Terminate	1512	ATI Device Detection Application	Copyright © 2005 ATI Technologies Inc.	??	52.00 kb, rsAh, created: 14.06.2005 21:49:12, modified: 14.06.2005 21:49:12 Command line: "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
c:\program files\ati technologies\ati control panel\atiptaxx.exe Script: Quarantine, Delete, BC delete, Terminate	3356	ATI Desktop Control Panel	Copyright (C) 1998-2004 ATI Technologies Inc.	??	336.00 kb, rsAh, created: 09.05.2008 17:30:05, modified: 07.12.2004 21:10:00 Command line: "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
c:\program files\ati multimedia\main\atisched.exe Script: Quarantine, Delete, BC delete, Terminate	1800	ATI Scheduler	Copyright © 2001-2005 ATI Technologies Inc.	??	36.00 kb, rsAh, created: 14.06.2005 21:50:28, modified: 14.06.2005 21:50:28 Command line: "C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE"
c:\program files\alwil software\avast5\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate	1940	avast! Service	Copyright (c) 2011 AVAST Software	??	41.20 kb, rsAh, created: 07.02.2010 16:26:35, modified: 04.07.2011 07:43:51 Command line: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
c:\program files\alwil software\avast5\avastui.exe Script: Quarantine, Delete, BC delete, Terminate	2852	avast! Antivirus	Copyright (c) 2011 AVAST Software	??	3411.84 kb, rsAh, created: 07.02.2010 16:26:35, modified: 04.07.2011 07:43:54 Command line: "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
c:\program files\classic phonetools\capfax.exe Script: Quarantine, Delete, BC delete, Terminate	3340	Surveillance Capture Fax	Copyright © BVRP Software 2000	??	20.25 kb, rsah, created: 10.05.2008 20:45:36, modified: 10.12.2001 17:34:06 Command line: "C:\Program Files\Classic PhoneTools\CapFax.EXE"
c:\program files\capswiz\capswiz.exe Script: Quarantine, Delete, BC delete, Terminate	1464	CapsWiz allows the CapsLock, NumLock, and ScrollLock keys to be set automatically based on the active window.	Copyright 1999 Ted Barham	??	224.00 kb, rsAh, created: 16.07.2002 20:14:35, modified: 16.07.2002 20:14:35 Command line: "C:\Program Files\CapsWiz\CapsWiz.exe"
c:\program files\ati technologies\ati.ace\core-static\ccc.exe Script: Quarantine, Delete, BC delete, Terminate	1488	Catalyst Control Centre: Host application	2002-2006	??	48.00 kb, rsAh, created: 02.09.2008 11:40:46, modified: 02.09.2008 11:40:46 Command line: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe" 0
c:\program files\cisco systems\cisco connect\ccprt.exe Script: Quarantine, Delete, BC delete, Terminate	3692	Cisco Connect Printer Manager	Copyright © 2002-2011 Cisco Systems, Inc. and/or its affiliates. All rights reserved.	??	1150.12 kb, rsaH, created: 03.07.2011 10:11:31, modified: 03.07.2011 10:10:09 Command line: "C:\Program Files\Cisco Systems\Cisco Connect\CCPrt.exe"
c:\program files\common files\sonic shared\cinetray.exe Script: Quarantine, Delete, BC delete, Terminate	3508	Sonic CinePlayer(R) Tray Application	Copyright © 2002-2004 Sonic Solutions	??	112.00 kb, rsAh, created: 25.07.2006 02:01:00, modified: 25.07.2006 02:01:00 Command line: "C:\Program Files\Common Files\Sonic Shared\CineTray.exe"
c:\windows\system32\ctfmon.exe Script: Quarantine, Delete, BC delete, Terminate	952	CTF Loader	© Microsoft Corporation. All rights reserved.	??	15.00 kb, rsAh, created: 04.08.2004 08:00:00, modified: 13.04.2008 20:12:16 Command line: ctfmon.exe
c:\windows\system32\spool\drivers\w32x86\3\e_famtcfa.exe Script: Quarantine, Delete, BC delete, Terminate	4316	EPSON Status Monitor 3	Copyright (C) SEIKO EPSON CORP. 2006	??	169.00 kb, rsAh, created: 09.03.2007 05:01:00, modified: 09.03.2007 05:01:00 Command line: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTCFA.EXE /FU "C:\DOCUME~1\NANA&P~1\LOCALS~1\Temp\epi14.tmp"
c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate	1060	Windows Explorer	© Microsoft Corporation. All rights reserved.	??	1009.50 kb, rsAh, created: 04.08.2004 08:00:00, modified: 13.04.2008 20:12:19 Command line: C:\WINDOWS\Explorer.EXE
c:\program files\microsoft office\office12\groovemonitor.exe Script: Quarantine, Delete, BC delete, Terminate	2052	GrooveMonitor Utility	© 2006 Microsoft Corporation. All rights reserved.	??	30.34 kb, rsAh, created: 25.10.2008 11:44:34, modified: 25.10.2008 11:44:34 Command line: "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate	3220	iTunesHelper	© 2003-2011 Apple Inc. All rights reserved.	??	411.29 kb, rsAh, created: 07.06.2011 17:51:12, modified: 07.06.2011 17:51:12 Command line: "C:\Program Files\iTunes\iTunesHelper.exe"
c:\hp\kbd\kbd.exe Script: Quarantine, Delete, BC delete, Terminate	3332	KBD EXE	Copyright © Hewlett-Packard Company 2000	??	60.00 kb, rsAh, created: 08.05.2008 20:35:35, modified: 02.02.2005 16:44:24 Command line: "C:\HP\KBD\KBD.EXE"
c:\program files\common files\logitech\khal\khalmnpr.exe Script: Quarantine, Delete, BC delete, Terminate	4352	Logitech KHAL Main Process	(C) 1998-2005 Logitech. All rights reserved.	??	27.50 kb, rsAh, created: 04.05.2008 19:22:11, modified: 10.03.2005 13:01:10 Command line: KHALMNPR.EXE /API
c:\program files\ati multimedia\main\launchpd.exe Script: Quarantine, Delete, BC delete, Terminate	3932	ATI Multimedia Center Launchpad	Copyright © 2002-2005 ATI Technologies Inc.	??	100.00 kb, rsAh, created: 14.06.2005 21:53:18, modified: 14.06.2005 21:53:18 Command line: "C:\Program Files\ATI Multimedia\main\launchpd.exe"
c:\program files\common files\logitech\g-series software\lgdcore.exe Script: Quarantine, Delete, BC delete, Terminate	3188	Logitech G-series Profiler	© 2004-2006 Logitech. All rights reserved.	??	1100.00 kb, rsAh, created: 22.07.2006 21:22:42, modified: 22.07.2006 21:22:42 Command line: "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
c:\program files\logitech\profiler\lwemon.exe Script: Quarantine, Delete, BC delete, Terminate	4084	Logitech WingMan Event Monitor	© 1999-2005 Logitech. All rights reserved.	??	72.00 kb, rsAh, created: 09.05.2008 19:46:56, modified: 18.04.2005 11:16:02 Command line: "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
c:\program files\common files\microsoft shared\vs7debug\mdm.exe Script: Quarantine, Delete, BC delete, Terminate	2428	Machine Debug Manager	Copyright© Microsoft Corporation. All rights reserved.	??	328.00 kb, rsAh, created: 19.03.2003 01:55:56, modified: 19.03.2003 01:55:56 Command line: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"
c:\program files\ati technologies\ati.ace\core-static\mom.exe Script: Quarantine, Delete, BC delete, Terminate	3008	Catalyst Control Center: Monitoring program	2002-2007	??	48.00 kb, rsAh, created: 02.09.2008 11:48:12, modified: 02.09.2008 11:48:12 Command line: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM"
c:\program files\microsoft office\office12\onenotem.exe Script: Quarantine, Delete, BC delete, Terminate	3180	Microsoft Office OneNote Quick Launcher	© 2006 Microsoft Corporation. All rights reserved.	??	95.39 kb, rsAh, created: 26.02.2009 15:24:50, modified: 26.02.2009 15:24:50 Command line: "C:\Program Files\Microsoft Office\OFFICE12\ONENOTEM.EXE" /tsr
c:\program files\peerblock\peerblock.exe Script: Quarantine, Delete, BC delete, Terminate	2328	PeerBlock	Copyright (C) 2009-2010 PeerBlock, LLC	??	1824.11 kb, rsAh, created: 15.05.2010 08:22:16, modified: 14.10.2010 21:40:20 Command line: "C:\Program Files\PeerBlock\peerblock.exe"
c:\program files\real\realplayer\update\realsched.exe Script: Quarantine, Delete, BC delete, Terminate	3088	RealNetworks Scheduler	Copyright © RealNetworks, Inc. 1995-2010	??	267.13 kb, rsAh, created: 21.01.2011 07:13:49, modified: 30.05.2011 20:13:20 Command line: "C:\program files\real\realplayer\update\realsched.exe" -osboot
c:\program files\common files\acronis\schedule2\schedhlp.exe Script: Quarantine, Delete, BC delete, Terminate	3516	Acronis Scheduler Helper	Copyright (C) 2000-2004 Acronis	??	137.27 kb, rsAh, created: 30.10.2007 20:07:40, modified: 30.10.2007 20:07:40 Command line: "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
c:\program files\logitech\setpoint\setpoint.exe Script: Quarantine, Delete, BC delete, Terminate	2200	Logitech SetPoint Event Manager	(C) 1998-2005 Logitech. All rights reserved.	??	428.00 kb, rsAh, created: 04.05.2008 19:22:10, modified: 31.03.2005 17:11:38 Command line: "C:\Program Files\Logitech\SetPoint\SetPoint.exe"
c:\documents and settings\nana & pa dan\desktop\setup_11.0.0.1245.x01_2011_07_24_21_21.exe Script: Quarantine, Delete, BC delete, Terminate	6020			??	97175.40 kb, rsAh, created: 24.07.2011 15:38:21, modified: 24.07.2011 15:38:24 Command line: "C:\Documents and Settings\Nana & Pa Dan\Desktop\setup_11.0.0.1245.x01_2011_07_24_21_21.exe"
c:\program files\techsmith\snagit 8\snagit32.exe Script: Quarantine, Delete, BC delete, Terminate	3464	SnagIt 8	Copyright © 1996-2007 TechSmith Corp. All rights reserved.	??	6245.57 kb, rsAh, created: 01.05.2007 11:11:48, modified: 01.05.2007 11:11:48 Command line: "C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe"
c:\windows\soundman.exe Script: Quarantine, Delete, BC delete, Terminate	3120	Realtek Sound Manager	Copyright (c) 2001-2004 Realtek Semiconductor Corp.	??	564.00 kb, rsAh, created: 04.05.2008 19:04:20, modified: 16.04.2007 15:28:22 Command line: "C:\WINDOWS\SOUNDMAN.EXE"
c:\program files\speedfan\speedfan.exe Script: Quarantine, Delete, BC delete, Terminate	3688			??	3210.50 kb, rsAh, created: 22.04.2008 03:59:28, modified: 22.04.2008 03:59:28 Command line: "C:\Program Files\SpeedFan\speedfan.exe"
c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate	756	Spooler SubSystem App	© Microsoft Corporation. All rights reserved.	??	57.50 kb, rsAh, created: 04.08.2004 08:00:00, modified: 17.08.2010 09:17:06 Command line: C:\WINDOWS\system32\spoolsv.exe
c:\program files\acronis\trueimagehome\timountermonitor.exe Script: Quarantine, Delete, BC delete, Terminate	3484	Monitor for Acronis True Image Backup Archive Explorer	Copyright (c) Acronis 2000-2007	??	887.90 kb, rsAh, created: 30.10.2007 20:11:48, modified: 30.10.2007 20:11:48 Command line: "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
c:\program files\acronis\trueimagehome\trueimagemonitor.exe Script: Quarantine, Delete, BC delete, Terminate	3040	Acronis True Image Monitor	Copyright (C) Acronis, 2000-2007.	??	2534.78 kb, rsAh, created: 30.10.2007 20:06:42, modified: 30.10.2007 20:06:42 Command line: "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
c:\program files\techsmith\snagit 8\tschelp.exe Script: Quarantine, Delete, BC delete, Terminate	4320	TechSmith HTML Help Helper	Copyright (c) 2002-2007 TechSmith Corporation. All rights reserved.	??	57.57 kb, rsAh, created: 01.05.2007 11:12:10, modified: 01.05.2007 11:12:10 Command line: "C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe"
Detected:84, recognized as trusted 79

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcrobatFNP.dll Script: Quarantine, Delete, BC delete	19791872	FLEXnet Secure Activation Module	Copyright (c) 2006, Macrovision Europe Ltd. and/or Macrovision Corporation	--	3648
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\adistres.dll Script: Quarantine, Delete, BC delete	1694498816	Acrobat Distiller	Copyright Adobe Systems Inc. 1992-2010	--	756
C:\Program Files\Alwil Software\Avast5\defs\11072401\algo.dll Script: Quarantine, Delete, BC delete	134152192			--	1940
C:\Program Files\ATI Multimedia\atisserv.dll Script: Quarantine, Delete, BC delete	268435456	ATI Shared Services	Copyright © 2001-2005 ATI Technologies Inc.	--	1512
C:\Program Files\ATI Multimedia\main\DtctEnu.rsc Script: Quarantine, Delete, BC delete	10616832	ATI Device Detection Language Resources	Copyright © 2005 ATI Technologies Inc.	--	1512
C:\Program Files\ATI Multimedia\main\LnchEnu.rsc Script: Quarantine, Delete, BC delete	10813440	ATI Launchpad Language Resources	Copyright © 2001-2005 ATI Technologies Inc.	--	3932
C:\Program Files\ATI Technologies\ATI Control Panel\atipdsxx.dll Script: Quarantine, Delete, BC delete	268435456	ATI Desktop Control Panel	Copyright (C) 1998-2004 ATI Technologies Inc.	--	3356
C:\Program Files\ATI Technologies\ATI Control Panel\atipdxxx.dll Script: Quarantine, Delete, BC delete	12779520	ATI Desktop Control Panel	Copyright (C) 1998-2004 ATI Technologies Inc.	--	3356
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.ENU Script: Quarantine, Delete, BC delete	10420224	ATI Desktop Control Panel	Copyright (C) 1998-2004 ATI Technologies Inc.	--	3356
C:\Program Files\XemiComputers\Active Desktop Calendar\MouseHook.dll Script: Quarantine, Delete, BC delete	42074112			--	6040, 3648, 2828, 1512, 3356, 1800, 2852, 3340, 1464, 1488, 3692, 3508, 952, 4316, 1060, 2052, 3220, 3332, 4352, 3932, 3188, 4084, 3008, 3180, 2328, 3088, 3516, 2200, 6020, 3464, 3120, 3688, 3484, 3040, 4320
C:\WINDOWS\system32\IniFileLibrary.dll Script: Quarantine, Delete, BC delete	285212672	This DLL contains classes that simplify the creation and editing of standar INI files.		--	1464
Modules detected:836, recognized as trusted 825

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, BC delete	AF16E000	018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, BC delete	BA5C2000	002000 (8192)
Modules detected - 163, recognized as trusted - 161

Services

Service	Description	Status	File	Group	Dependencies
MDM Service: Stop, Delete, Disable, BC delete	Machine Debug Manager	Running	C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Script: Quarantine, Delete, BC delete		RPCSS
Detected - 140, recognized as trusted - 139

Drivers

Service	Description	Status	File	Group	Dependencies
Abiosdsk Driver: Unload, Delete, Disable, BC delete	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
abp480n5 Driver: Unload, Delete, Disable, BC delete	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, BC delete	SCSI miniport
adpu160m Driver: Unload, Delete, Disable, BC delete	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Aha154x Driver: Unload, Delete, Disable, BC delete	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable, BC delete	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78xx Driver: Unload, Delete, Disable, BC delete	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
AliIde Driver: Unload, Delete, Disable, BC delete	AliIde	Not started	AliIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
amsint Driver: Unload, Delete, Disable, BC delete	amsint	Not started	amsint.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc Driver: Unload, Delete, Disable, BC delete	asc	Not started	asc.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3350p Driver: Unload, Delete, Disable, BC delete	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3550 Driver: Unload, Delete, Disable, BC delete	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Atdisk Driver: Unload, Delete, Disable, BC delete	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
BVRPMPR5 Driver: Unload, Delete, Disable, BC delete	BVRPMPR5 NDIS Protocol Driver	Not started	E:\INSTAL~E\Core\BVRPMPR5.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, BC delete	Base
cd20xrnt Driver: Unload, Delete, Disable, BC delete	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Changer Driver: Unload, Delete, Disable, BC delete	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
CmdIde Driver: Unload, Delete, Disable, BC delete	CmdIde	Not started	CmdIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
Cpqarray Driver: Unload, Delete, Disable, BC delete	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, BC delete	SCSI miniport
dac960nt Driver: Unload, Delete, Disable, BC delete	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
dpti2o Driver: Unload, Delete, Disable, BC delete	dpti2o	Not started	dpti2o.sys Script: Quarantine, Delete, BC delete	SCSI miniport
hpn Driver: Unload, Delete, Disable, BC delete	hpn	Not started	hpn.sys Script: Quarantine, Delete, BC delete	SCSI miniport
i2omgmt Driver: Unload, Delete, Disable, BC delete	i2omgmt	Not started	i2omgmt.sys Script: Quarantine, Delete, BC delete	SCSI Class
i2omp Driver: Unload, Delete, Disable, BC delete	i2omp	Not started	i2omp.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ini910u Driver: Unload, Delete, Disable, BC delete	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, BC delete	SCSI miniport
IntelIde Driver: Unload, Delete, Disable, BC delete	IntelIde	Not started	IntelIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
lbrtfdc Driver: Unload, Delete, Disable, BC delete	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
mraid35x Driver: Unload, Delete, Disable, BC delete	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
PCIDump Driver: Unload, Delete, Disable, BC delete	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable, BC delete	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, BC delete
PDFRAME Driver: Unload, Delete, Disable, BC delete	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, BC delete
PDRELI Driver: Unload, Delete, Disable, BC delete	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, BC delete
PDRFRAME Driver: Unload, Delete, Disable, BC delete	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, BC delete
perc2 Driver: Unload, Delete, Disable, BC delete	perc2	Not started	perc2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
perc2hib Driver: Unload, Delete, Disable, BC delete	perc2hib	Not started	perc2hib.sys Script: Quarantine, Delete, BC delete	Filter
pgfilter Driver: Unload, Delete, Disable, BC delete	pgfilter	Not started	C:\Program Files\PeerGuardian2\pgfilter.sys Script: Quarantine, Delete, BC delete
ql1080 Driver: Unload, Delete, Disable, BC delete	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable, BC delete	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql12160 Driver: Unload, Delete, Disable, BC delete	ql12160	Not started	ql12160.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1240 Driver: Unload, Delete, Disable, BC delete	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1280 Driver: Unload, Delete, Disable, BC delete	ql1280	Not started	ql1280.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Simbad Driver: Unload, Delete, Disable, BC delete	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
Sparrow Driver: Unload, Delete, Disable, BC delete	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_hi Driver: Unload, Delete, Disable, BC delete	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_u3 Driver: Unload, Delete, Disable, BC delete	sym_u3	Not started	sym_u3.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc810 Driver: Unload, Delete, Disable, BC delete	symc810	Not started	symc810.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc8xx Driver: Unload, Delete, Disable, BC delete	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
TosIde Driver: Unload, Delete, Disable, BC delete	TosIde	Not started	TosIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
ultra Driver: Unload, Delete, Disable, BC delete	ultra	Not started	ultra.sys Script: Quarantine, Delete, BC delete	SCSI miniport
usbanyka Driver: Unload, Delete, Disable, BC delete	USB Web Camera	Not started	C:\WINDOWS\system32\DRIVERS\UsbAnyka.sys Script: Quarantine, Delete, BC delete
ViaIde Driver: Unload, Delete, Disable, BC delete	ViaIde	Not started	ViaIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
WDICA Driver: Unload, Delete, Disable, BC delete	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, BC delete
Detected - 245, recognized as trusted - 194

Autoruns

File name	Status	Startup method	Description
C:\Documents and Settings\Nana Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia Software Installer, EventMessageFile
C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\Email.url Script: Quarantine, Delete, BC delete	Active	File in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\Email.url,
C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\answers.url Script: Quarantine, Delete, BC delete	Active	File in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\answers.url,
C:\Documents and Settings\Nana & Pa Dan\Local Settings\Temp\_uninst_70939356.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Start Menu\Programs\Startup\, C:\Documents and Settings\Nana & Pa Dan\Start Menu\Programs\Startup\_uninst_70939356.lnk,
C:\Program Files\A-PDF Watermark\PDFWM.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\A-PDF .lnk,
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1220945662-1957994488-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, ATI Scheduler Delete
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1220945662-1957994488-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, ATI DeviceDetect Delete
C:\Program Files\ATI Multimedia\main\launchpd.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1220945662-1957994488-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, ATI Launchpad Delete
C:\Program Files\Alwil Software\Avast4\aswRes.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus\avast!, EventMessageFile
C:\Program Files\Biblesoft\PC Study Bible\Program\joshua.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Study Bible 5.lnk,
C:\Program Files\ClearAllHistory\cah.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\ClearAllHistory.lnk,
C:\Program Files\Common Files\Channel 3 Weather Wizard\TrueWeather.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\Channel 3 Weather Wizard.lnk,
C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {7D5C4BDD-B015-4401-8731-1507B87DE297} Delete
C:\Program Files\Common Files\Microsoft Shared\DW\DW.EXE Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Visual Studio Tools for Applications, EventMessageFile
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\MDM, EventMessageFile
C:\Program Files\LBD Reader\LBD Reader.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\LBD Reader.lnk,
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {6B19FEC2-A45B-11CF-9045-00A0C9039735} Delete
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {D545EBD1-BD92-11CF-8772-00A0C9039735} Delete
C:\Program Files\TitanTV\ATITVPIReader.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\TitanTVTVPIReader, EventMessageFile
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1220945662-1957994488-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run, Active Desktop Calendar Delete
C:\Program Files\e-Sword\e-Sword.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Nana & Pa Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk,
C:\WINDOWS\System32\Drivers\AliIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\aliide, EventMessageFile
C:\WINDOWS\System32\Drivers\CmdIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cmdide, EventMessageFile
C:\WINDOWS\System32\Drivers\IntelIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide, EventMessageFile
C:\WINDOWS\System32\Drivers\TosIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\toside, EventMessageFile
C:\WINDOWS\System32\Drivers\ViaIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\viaide, EventMessageFile
C:\WINDOWS\System32\Drivers\lbrtfdc.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\mpg4c32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.MPG4 Delete
C:\WINDOWS\system32\mpg4c32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.MP42 Delete
C:\WINDOWS\system32\mpg4c32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.MP43 Delete
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
C:\WINDOWS\system\fp30utl.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\FrontPage 3.0, EventMessageFile
c:\47972bbddf56a8b10588b8d4f0ed154c\wgasetup.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup, EventMessageFile
c:\program files\laplink gold\TSIUTIL.DLL Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\LapLink Gold 11.5, EventMessageFile
deskpan.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
kbd101.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN Delete
kbd101a.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1220945662-1957994488-725345543-1003\Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 1114, recognized as trusted - 1057

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	BHO			{5C255C8A-E604-49b4-9D64-90988571CECB} Delete
	Extension module			{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} Delete
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{44226DFF-747E-4edc-B30C-78752E50CD0C} Delete
	Extension module			{92780B25-18CC-41C8-B9BE-3C9C571A8263} Delete
Elements detected - 32, recognized as trusted - 27

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, BC delete	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll Script: Quarantine, Delete, BC delete	QBVersionTool	QBVersionTool	Copyright © Intuit, Inc. 1993-2004.	{7D5C4BDD-B015-4401-8731-1507B87DE297} Delete
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL Script: Quarantine, Delete, BC delete	Registered ActiveX Controls	Microsoft(R) Developer Studio Explorer Shell Extensions	Copyright (C) Microsoft Corp. 1997	{6B19FEC2-A45B-11CF-9045-00A0C9039735} Delete
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL Script: Quarantine, Delete, BC delete	Developer Studio Components	Microsoft(R) Developer Studio Explorer Shell Extensions	Copyright (C) Microsoft Corp. 1997	{D545EBD1-BD92-11CF-8772-00A0C9039735} Delete
Elements detected - 257, recognized as trusted - 249

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 14, recognized as trusted - 14

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 7, recognized as trusted - 7

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 5, recognized as trusted - 5

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 28, recognized as trusted - 28
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
7 LISTENING 0.0.0.0 2288 [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
9 LISTENING 0.0.0.0 18532 [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
13 LISTENING 0.0.0.0 10301 [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
17 LISTENING 0.0.0.0 53448 [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
19 LISTENING 0.0.0.0 32973 [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
21 LISTENING 0.0.0.0 26729 [2112] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, BC delete, Terminate
25 LISTENING 0.0.0.0 43067 [2112] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, BC delete, Terminate
80 LISTENING 0.0.0.0 2144 [2112] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, BC delete, Terminate
135 LISTENING 0.0.0.0 39086 [1384] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 63548 [4] System
Script: Quarantine, Delete, BC delete, Terminate
443 LISTENING 0.0.0.0 39086 [2112] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 32936 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1028 LISTENING 0.0.0.0 2156 [2112] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, BC delete, Terminate
1052 ESTABLISHED 127.0.0.1 27015 [3220] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
1667 LISTENING 0.0.0.0 28905 [5484] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 61573 [1828] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5152 CLOSE_WAIT 127.0.0.1 3877 [2240] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
5152 LISTENING 0.0.0.0 140 [2240] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 26697 [1324] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 ESTABLISHED 127.0.0.1 1052 [656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 8406 [656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
7 LISTENING -- -- [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
9 LISTENING -- -- [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
13 LISTENING -- -- [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
17 LISTENING -- -- [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
19 LISTENING -- -- [3192] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1476] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1476] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
161 LISTENING -- -- [3536] c:\windows\system32\snmp.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [1100] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
520 LISTENING -- -- [1476] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING -- -- [656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1026 LISTENING -- -- [656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1027 LISTENING -- -- [1324] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
1053 LISTENING -- -- [3220] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
1054 LISTENING -- -- [3220] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
1434 LISTENING -- -- [3576] c:\program files\microsoft sql server\90\shared\sqlbrowser.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1828] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1828] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
2557 LISTENING -- -- [3692] c:\program files\cisco systems\cisco connect\ccprt.exe
Script: Quarantine, Delete, BC delete, Terminate
3456 LISTENING -- -- [2112] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, BC delete, Terminate
3980 LISTENING -- -- [1476] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [1100] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [1324] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
19540 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Delete http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Elements detected - 9, recognized as trusted - 8

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 31, recognized as trusted - 31

Active Setup

File name Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 37, recognized as trusted - 34

Suspicious objects

File Description Type
C:\WINDOWS\System32\Drivers\aswSnx.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\WINDOWS\system32\DRIVERS\9517641drv.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\WINDOWS\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
\SystemRoot\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
\SystemRoot\system32\DRIVERS\9517641drv.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00BB0010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00BB0080<>7C80B56F
IAT modification detected: FreeLibrary - 00BB00F0<>7C80AC7E
IAT modification detected: GetModuleFileNameW - 00BB0160<>7C80B475
IAT modification detected: CreateProcessW - 00BB01D0<>7C802336
IAT modification detected: LoadLibraryW - 00BB02B0<>7C80AEEB
IAT modification detected: LoadLibraryA - 00BB0320<>7C801D7B
IAT modification detected: GetProcAddress - 00BB0390<>7C80AE40
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=07C0A0)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 805530A0
   KiST = 80501BBC (284)
Function NtAddBootEntry (09) intercepted (8060D5A2->AF4AC202), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAdjustPrivilegesToken (0B) intercepted (805E2876->AAC17690), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAllocateVirtualMemory (11) intercepted (8059DEEA->AF512D8C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (19) intercepted (805B1D8E->AAC17F94), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (1F) intercepted (80599A14->AAC18DC8), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (23) intercepted (80605B84->AAC19312), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEventPair (24) intercepted (8060DE18->AF4AE848), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (25) intercepted (8056E38C->AAC18270), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateIoCompletion (26) intercepted (8056DD6A->AF4AE95E), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (8061ACEC->AAC16500), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (2B) intercepted (8060E210->AAC191F8), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (2C) intercepted (8056E3C6->AAC1727E), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (2E) intercepted (8059A530->AAC190CC), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcessEx (30) - machine code modification Method of JmpTo. jmp AF52839C\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Function NtCreateSection (32) intercepted (805A0816->AAC17426), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (33) intercepted (8060BBBA->AAC19432), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (805C736A->AAC17C1C), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateTimer (36) intercepted (8060DAE0->AF4AE90C), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (38) intercepted (8059A554->AAC19162), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (39) intercepted (8063A75E->AAC1AB1A), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteBootEntry (3D) intercepted (805BE618->AF4AC226), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (8061B188->AAC16B0A), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (8061B358->AAC16EBE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (42) intercepted (8056E552->AAC186F2), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805B39A2->AAC1BD26), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (8061B538->AAC1700A), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (8061B7A2->AAC170A2), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFreeVirtualMemory (53) intercepted (805A8544->AF512E3C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (54) intercepted (8056E586->AAC18500), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (8057969A->AAC1AC0C), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey (62) intercepted (8061CF10->AAC164DC), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey2 (63) intercepted (8061CB1C->AAC164EE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (6C) intercepted (805A75C4->AAC1B374), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtModifyBootEntry (6D) intercepted (805BE618->AF4AC24A), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeKey (6F) intercepted (8061CEDA->AAC171CE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeMultipleKeys (70) intercepted (8061BB0E->AF4ACCDA), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (72) intercepted (80605C84->AAC193A8), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEventPair (73) intercepted (8060DEF0->AF4AE870), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (8056F4AA->AAC18016), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenIoCompletion (75) intercepted (8056DE42->AF4AE988), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (8061C0CA->AAC166C0), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (78) intercepted (8060E2E8->AAC19288), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805C13F8->AAC178CC), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (7D) intercepted (8059F84C->AAC1B10E), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (7E) intercepted (8060BCB4->AAC194C8), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (805C1684->AAC177BE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenTimer (83) intercepted (8060DC02->AF4AE936), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtProtectVirtualMemory (89) intercepted (805ADB5C->AF512ED4), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (8061C40C->AAC1713A), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryMultipleValueKey (A1) intercepted (80619E3A->AAC16D72), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryObject (A3) intercepted (805BB1A0->AF4ACBA0), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (A7) intercepted (805ADD1E->AAC1B6AE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (80618F10->AAC1699C), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (B4) intercepted (805C75C8->AAC1AFA0), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRenameKey (C0) intercepted (8061A70E->AAC16C2C), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (C1) intercepted (8061CDC0->AAC15F16), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (C2) intercepted (8059A930->AAC1982C), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (C3) intercepted (8059B8F8->AAC196F2), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (C8) intercepted (805981BA->AAC1A8B4), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (8061C6CC->AAC1628E), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (CE) intercepted (805CAD9E->AAC1BBC8), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (CF) intercepted (8061C7C8->AAC15EAE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (D2) intercepted (805991A8->AAC18B0E), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetBootEntryOrder (D3) intercepted (8060D5A2->AF4AC26E), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetBootOptions (D4) intercepted (8060D5A2->AF4AC292), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (D5) intercepted (805C7A8C->AAC17E38), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (E6) intercepted (805F0BD6->AAC1A154), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (ED) intercepted (805B6114->AAC1ADAA), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (F0) intercepted (806068D6->AAC1B7FE), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemPowerState (F1) intercepted (80649AD6->AF4AC186), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (8061925E->AAC16816), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtShutdownSystem (F9) intercepted (80609AF2->AF4AC162), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (FD) intercepted (805CAE66->AAC1B8F0), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (FE) intercepted (805CACD8->AAC1BA2A), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (FF) intercepted (8060EC2C->AAC1AA3E), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805C8DA6->AAC17A68), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (102) intercepted (805C8FA0->AAC179C8), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (10B) intercepted (805A83DA->AAC1B552), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtVdmControl (10C) intercepted (805F1F8E->AF4AC2B6), hook C:\WINDOWS\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (805A9964->AAC17B52), hook C:\WINDOWS\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function FsRtlCheckLockForReadAccess (804E9FA0) - machine code modification Method of JmpTo. jmp AAC09FD0 \SystemRoot\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804EE87E) - machine code modification Method of JmpTo. jmp AAC0A3AC \SystemRoot\system32\DRIVERS\9517641drv.sys, driver recognized as trusted
>>> Function restored successfully !
Function ObInsertObject (805B8C2C) - machine code modification Method of JmpTo. jmp AF5257F2 \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Function ObMakeTemporaryObject (805B1DB4) - machine code modification Method of JmpTo. jmp AF523D4C \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 79, restored: 84
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
CmpCallCallBacks = 00089076
Disable callback OK
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = AF527E88 -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = AF527EC8 -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = AF527FA4 -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = AF527FE4 -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
 Checking - complete
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
 >>  Abnormal SCR files association
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
7	LISTENING	0.0.0.0	2288	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
9	LISTENING	0.0.0.0	18532	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
13	LISTENING	0.0.0.0	10301	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
17	LISTENING	0.0.0.0	53448	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
19	LISTENING	0.0.0.0	32973	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
21	LISTENING	0.0.0.0	26729	[2112] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete, Terminate
25	LISTENING	0.0.0.0	43067	[2112] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete, Terminate
80	LISTENING	0.0.0.0	2144	[2112] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete, Terminate
135	LISTENING	0.0.0.0	39086	[1384] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	63548	[4] System Script: Quarantine, Delete, BC delete, Terminate
443	LISTENING	0.0.0.0	39086	[2112] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	32936	[4] System Script: Quarantine, Delete, BC delete, Terminate
1028	LISTENING	0.0.0.0	2156	[2112] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete, Terminate
1052	ESTABLISHED	127.0.0.1	27015	[3220] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
1667	LISTENING	0.0.0.0	28905	[5484] c:\windows\system32\alg.exe Script: Quarantine, Delete, BC delete, Terminate
2869	LISTENING	0.0.0.0	61573	[1828] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
5152	CLOSE_WAIT	127.0.0.1	3877	[2240] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, BC delete, Terminate
5152	LISTENING	0.0.0.0	140	[2240] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	26697	[1324] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
27015	ESTABLISHED	127.0.0.1	1052	[656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	8406	[656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
7	LISTENING	--	--	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
9	LISTENING	--	--	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
13	LISTENING	--	--	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
17	LISTENING	--	--	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
19	LISTENING	--	--	[3192] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
123	LISTENING	--	--	[1476] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
123	LISTENING	--	--	[1476] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
161	LISTENING	--	--	[3536] c:\windows\system32\snmp.exe Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[1100] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
520	LISTENING	--	--	[1476] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1025	LISTENING	--	--	[656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1026	LISTENING	--	--	[656] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1027	LISTENING	--	--	[1324] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
1053	LISTENING	--	--	[3220] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
1054	LISTENING	--	--	[3220] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
1434	LISTENING	--	--	[3576] c:\program files\microsoft sql server\90\shared\sqlbrowser.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1828] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1828] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
2557	LISTENING	--	--	[3692] c:\program files\cisco systems\cisco connect\ccprt.exe Script: Quarantine, Delete, BC delete, Terminate
3456	LISTENING	--	--	[2112] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, BC delete, Terminate
3980	LISTENING	--	--	[1476] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[1100] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[1324] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
19540	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate