Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 24/08/2011; 17:56)

List of processes

File name	PID	Description	Copyright	MD5	Information
AERTSr64.exe Script: Quarantine, Delete, BC delete, Terminate	1568			??	error getting file info Command line:
BTHelpNotifier.exe Script: Quarantine, Delete, BC delete, Terminate	1552			??	error getting file info Command line:
HPHC_Service.exe Script: Quarantine, Delete, BC delete, Terminate	3932			??	error getting file info Command line:
HPWA_Service.exe Script: Quarantine, Delete, BC delete, Terminate	4000			??	error getting file info Command line:
McciCMService.exe Script: Quarantine, Delete, BC delete, Terminate	1840			??	error getting file info Command line:
McciControlHost.exe Script: Quarantine, Delete, BC delete, Terminate	1072			??	error getting file info Command line:
c:\program files\networx\networx.exe Script: Quarantine, Delete, BC delete, Terminate	1608	NetWorx	2002-2011 SoftPerfect Research	??	2804.50 kb, rsAh, created: 22.08.2011 15:24:55, modified: 22.08.2011 17:51:40 Command line: "C:\Program Files\NetWorx\networx.exe" /auto
PuranADT.exe Script: Quarantine, Delete, BC delete, Terminate	1500			??	error getting file info Command line:
ReflectService.exe Script: Quarantine, Delete, BC delete, Terminate	1988			??	error getting file info Command line:
RtVOsd.exe Script: Quarantine, Delete, BC delete, Terminate	1892			??	error getting file info Command line:
RtVOsdService.exe Script: Quarantine, Delete, BC delete, Terminate	4080			??	error getting file info Command line:
SASCORE64.EXE Script: Quarantine, Delete, BC delete, Terminate	1492			??	error getting file info Command line:
tbbLoaderService.exe Script: Quarantine, Delete, BC delete, Terminate	2040			??	error getting file info Command line:
c:\program files (x86)\thinkbroadband.com\tbbmeter\tbbmeter.exe Script: Quarantine, Delete, BC delete, Terminate	2344	tbbmeter	Copyright © 2008, 2009, 2010, 2011	??	1233.02 kb, rsAh, created: 14.02.2011 18:25:30, modified: 20.08.2011 10:29:58 Command line: tbbMeter.exe slow
UpdateChecker.exe Script: Quarantine, Delete, BC delete, Terminate	1696			??	error getting file info Command line:
wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate	896			??	error getting file info Command line:
Detected:72, recognized as trusted 57

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ac875791282999d72dc87fa8b7441ae5\System.Web.Services.ni.dll Script: Quarantine, Delete, BC delete	1869283328	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2344
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\0d43c5e77ee7b8466700b16d7e7d4bb7\System.Windows.Forms.ni.dll Script: Quarantine, Delete, BC delete	1877999616	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2344
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\16d2854bf69d59d94e64a918365705f1\System.Xml.ni.dll Script: Quarantine, Delete, BC delete	1871183872	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2344
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\3da7c6c1a0f26ae91883fd8b03ec192d\System.ni.dll Script: Quarantine, Delete, BC delete	1892089856	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2344
C:\Windows\TEMP\952ba960-743a-4847-9689-d6d9a726a04e\CliSecureRT.dll Script: Quarantine, Delete, BC delete	8781824			--	2344
Modules detected:356, recognized as trusted 351

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_amdsata.sys Script: Quarantine, Delete, BC delete	4FDF000	014000 (81920)
C:\Windows\System32\Drivers\dump_diskdump.sys Script: Quarantine, Delete, BC delete	4FD5000	00A000 (40960)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	4C00000	013000 (77824)
Modules detected - 160, recognized as trusted - 157

Services

Service	Description	Status	File	Group	Dependencies
ezSharedSvc Service: Stop, Delete, Disable, BC delete	Easybits Services for Windows	Running	C:\Windows\System32\ezSharedSvcHost.exe Script: Quarantine, Delete, BC delete
tbbLoaderService Service: Stop, Delete, Disable, BC delete	tbbLoaderService	Running	C:\Program Files (x86)\thinkbroadband.com\tbbMeter\tbbLoaderService.exe Script: Quarantine, Delete, BC delete
Detected - 175, recognized as trusted - 173

Drivers

Service	Description	Status	File	Group	Dependencies
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\Combo-Fix\catchme.sys Script: Quarantine, Delete, BC delete	Base
MREMP50a64 Driver: Unload, Delete, Disable, BC delete	MREMP50a64 NDIS Protocol Driver	Not started	C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
MREMPR5 Driver: Unload, Delete, Disable, BC delete	MREMPR5 NDIS Protocol Driver	Not started	C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
MRENDIS5 Driver: Unload, Delete, Disable, BC delete	MRENDIS5 NDIS Protocol Driver	Not started	C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
MRESP50a64 Driver: Unload, Delete, Disable, BC delete	MRESP50a64 NDIS Protocol Driver	Not started	C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
Detected - 260, recognized as trusted - 255

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDAdvancedCheckLibrary, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDAlterEgo, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDBlindMan, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDBootCD, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDCleaner, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDCoffeeHooks, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDDelFile, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDECon, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDFiles, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDFSSvc, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDHelper, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDImmunize, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDImmunizeCmd, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDImmunizeLibrary, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDLists, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDLogReport, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDMain, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDOfficeAV, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDPEStart, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDPhoneScan, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDPrepPos, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDQuarantine, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDRootAlyzer, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDRunTokenized, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDSBIEdit, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDScan, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDScanLibrary, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDScript, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDSettings, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDShred, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDSODSvc, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDSysRepair, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDTools, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDToolsLibrary, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDTray, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDUpdate, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDUpdSvc, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDWelcome, EventMessageFile
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Spybot - Search & Destroy\SDWinLogon, EventMessageFile
C:\Program Files\NetWorx\networx.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NetWorx Delete
C:\Users\BTA\AppData\Local\Temp\_uninst_32359059.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\BTA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\BTA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_32359059.lnk,
C:\Windows\System32\appmgmts.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy, EventMessageFile
auditcse.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items detected - 616, recognized as trusted - 570

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
Elements detected - 3, recognized as trusted - 3

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	ColumnHandler			{F9DB5320-233E-11D1-9F84-707F02C10627} Delete
Elements detected - 2, recognized as trusted - 1

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
CNMLM8T.DLL Script: Quarantine, Delete, BC delete	Monitor	Canon BJ Language Monitor MP220 series
localspl.dll Script: Quarantine, Delete, BC delete	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, BC delete	Monitor	Microsoft Shared Fax Monitor
tcpmon.dll Script: Quarantine, Delete, BC delete	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, BC delete	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, BC delete	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, BC delete	Provider	HTTP Print Services
Elements detected - 8, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 1, recognized as trusted - 1

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 9, recognized as trusted - 9

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [732] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
554 LISTENING 0.0.0.0 0 [896] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 0 [1616] c:\program files (x86)\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
10243 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 0 [1588] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING 0.0.0.0 0 [436] wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING 0.0.0.0 0 [900] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING 0.0.0.0 0 [980] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49155 LISTENING 0.0.0.0 0 [504] lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
49156 LISTENING 0.0.0.0 0 [496] services.exe
Script: Quarantine, Delete, BC delete, Terminate
49157 LISTENING 0.0.0.0 0 [1300] spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
49157 ESTABLISHED 192.168.1.65 49163 [1300] spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
49165 LISTENING 0.0.0.0 0 [1696] UpdateChecker.exe
Script: Quarantine, Delete, BC delete, Terminate
49205 ESTABLISHED 127.0.0.1 49206 [4748] c:\program files (x86)\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
49206 ESTABLISHED 127.0.0.1 49205 [4748] c:\program files (x86)\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
49207 ESTABLISHED 127.0.0.1 49208 [4748] c:\program files (x86)\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
49208 ESTABLISHED 127.0.0.1 49207 [4748] c:\program files (x86)\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
51621 ESTABLISHED 192.168.1.65 49156 [1300] spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
51747 TIME_WAIT 192.168.1.254 2555 [0]
51748 TIME_WAIT 192.168.1.254 2555 [0]
51749 TIME_WAIT 192.168.1.254 2555 [0]
51751 TIME_WAIT 192.168.1.254 2555 [0]
51752 TIME_WAIT 192.168.1.254 2555 [0]
51753 TIME_WAIT 192.168.1.254 2555 [0]
51755 TIME_WAIT 192.168.1.254 2555 [0]
51756 TIME_WAIT 192.168.1.254 2555 [0]
UDP ports
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3544 LISTENING -- -- [980] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [368] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [368] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5004 LISTENING -- -- [896] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5005 LISTENING -- -- [896] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [1616] c:\program files (x86)\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [312] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING -- -- [1588] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING -- -- [1588] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING -- -- [1616] c:\program files (x86)\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
57589 LISTENING -- -- [368] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
59512 LISTENING -- -- [980] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
61601 LISTENING -- -- [4700] c:\program files (x86)\bt broadband desktop help\btbb\bthelpbrowser.exe
Script: Quarantine, Delete, BC delete, Terminate
62080 LISTENING -- -- [368] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63597 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63598 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
63910 LISTENING -- -- [1436] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Delete http://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Elements detected - 4, recognized as trusted - 3

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, BC delete Adobe Flash Player Control Panel Applet Copyright © 1996-2010 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Elements detected - 21, recognized as trusted - 20

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 14, recognized as trusted - 11

Suspicious objects

File Description Type

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7601, SP="Service Pack 1"
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[732] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
554	LISTENING	0.0.0.0	0	[896] wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate
2869	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	0	[1616] c:\program files (x86)\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5357	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
10243	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	0	[1588] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49152	LISTENING	0.0.0.0	0	[436] wininit.exe Script: Quarantine, Delete, BC delete, Terminate
49153	LISTENING	0.0.0.0	0	[900] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49154	LISTENING	0.0.0.0	0	[980] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49155	LISTENING	0.0.0.0	0	[504] lsass.exe Script: Quarantine, Delete, BC delete, Terminate
49156	LISTENING	0.0.0.0	0	[496] services.exe Script: Quarantine, Delete, BC delete, Terminate
49157	LISTENING	0.0.0.0	0	[1300] spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate
49157	ESTABLISHED	192.168.1.65	49163	[1300] spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate
49165	LISTENING	0.0.0.0	0	[1696] UpdateChecker.exe Script: Quarantine, Delete, BC delete, Terminate
49205	ESTABLISHED	127.0.0.1	49206	[4748] c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, BC delete, Terminate
49206	ESTABLISHED	127.0.0.1	49205	[4748] c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, BC delete, Terminate
49207	ESTABLISHED	127.0.0.1	49208	[4748] c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, BC delete, Terminate
49208	ESTABLISHED	127.0.0.1	49207	[4748] c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, BC delete, Terminate
51621	ESTABLISHED	192.168.1.65	49156	[1300] spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate
51747	TIME_WAIT	192.168.1.254	2555	[0]
51748	TIME_WAIT	192.168.1.254	2555	[0]
51749	TIME_WAIT	192.168.1.254	2555	[0]
51751	TIME_WAIT	192.168.1.254	2555	[0]
51752	TIME_WAIT	192.168.1.254	2555	[0]
51753	TIME_WAIT	192.168.1.254	2555	[0]
51755	TIME_WAIT	192.168.1.254	2555	[0]
51756	TIME_WAIT	192.168.1.254	2555	[0]
UDP ports
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3544	LISTENING	--	--	[980] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[368] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[368] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
5004	LISTENING	--	--	[896] wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate
5005	LISTENING	--	--	[896] wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[1616] c:\program files (x86)\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5355	LISTENING	--	--	[312] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49152	LISTENING	--	--	[1588] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49153	LISTENING	--	--	[1588] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49154	LISTENING	--	--	[1616] c:\program files (x86)\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
57589	LISTENING	--	--	[368] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
59512	LISTENING	--	--	[980] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
61601	LISTENING	--	--	[4700] c:\program files (x86)\bt broadband desktop help\btbb\bthelpbrowser.exe Script: Quarantine, Delete, BC delete, Terminate
62080	LISTENING	--	--	[368] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
63597	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
63598	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate
63910	LISTENING	--	--	[1436] svchost.exe Script: Quarantine, Delete, BC delete, Terminate