Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 23/10/2011; 15:18)

List of processes

File name	PID	Description	Copyright	MD5	Information
	536			??	?,error getting file info Command line:
	552			??	?,error getting file info Command line:
	596			??	?,error getting file info Command line:
	644			??	?,error getting file info Command line:
	1088			??	?,error getting file info Command line:
	1712			??	?,error getting file info Command line:
	1784			??	?,error getting file info Command line:
	1804			??	?,error getting file info Command line:
	1888			??	?,error getting file info Command line:
	1932			??	?,error getting file info Command line:
	2112			??	?,error getting file info Command line:
	2176			??	?,error getting file info Command line:
	2188			??	?,error getting file info Command line:
	2196			??	?,error getting file info Command line:
	2324			??	?,error getting file info Command line:
	2596			??	?,error getting file info Command line:
	2612			??	?,error getting file info Command line:
	2628			??	?,error getting file info Command line:
	2636			??	?,error getting file info Command line:
	2652			??	?,error getting file info Command line:
	2684			??	?,error getting file info Command line:
	2928			??	?,error getting file info Command line:
	2952			??	?,error getting file info Command line:
	2968			??	?,error getting file info Command line:
	2988			??	?,error getting file info Command line:
	3280			??	?,error getting file info Command line:
	3344			??	?,error getting file info Command line:
	3392			??	?,error getting file info Command line:
	3432			??	?,error getting file info Command line:
	3912			??	?,error getting file info Command line:
	1196			??	?,error getting file info Command line:
	1872			??	?,error getting file info Command line:
	2916			??	?,error getting file info Command line:
	3772			??	?,error getting file info Command line:
	2108			??	?,error getting file info Command line:
	1260			??	?,error getting file info Command line:
	2944			??	?,error getting file info Command line:
	4780			??	?,error getting file info Command line:
	4952			??	?,error getting file info Command line:
	4964			??	?,error getting file info Command line:
	5024			??	?,error getting file info Command line:
	5316			??	?,error getting file info Command line:
	5332			??	?,error getting file info Command line:
	5376			??	?,error getting file info Command line:
	5396			??	?,error getting file info Command line:
	5644			??	?,error getting file info Command line:
	2568			??	?,error getting file info Command line:
	4320			??	?,error getting file info Command line:
	3880			??	?,error getting file info Command line:
	4572			??	?,error getting file info Command line:
	2992			??	?,error getting file info Command line:
	4896			??	?,error getting file info Command line:
	4844			??	?,error getting file info Command line:
	2224			??	?,error getting file info Command line:
	5568			??	?,error getting file info Command line:
	4480			??	?,error getting file info Command line:
	4808			??	?,error getting file info Command line:
	5220			??	?,error getting file info Command line:
	3780			??	?,error getting file info Command line:
	5632			??	?,error getting file info Command line:
	3524			??	?,error getting file info Command line:
	2484			??	?,error getting file info Command line:
	3720			??	?,error getting file info Command line:
	4932			??	?,error getting file info Command line:
	300			??	?,error getting file info Command line:
	5352			??	?,error getting file info Command line:
	2148			??	?,error getting file info Command line:
	5448			??	?,error getting file info Command line:
	5400			??	?,error getting file info Command line:
	4240			??	?,error getting file info Command line:
	5656			??	?,error getting file info Command line:
	5144			??	?,error getting file info Command line:
	1448			??	?,error getting file info Command line:
	1936			??	?,error getting file info Command line:
	5348			??	?,error getting file info Command line:
	2096			??	?,error getting file info Command line:
	4744			??	?,error getting file info Command line:
	6052			??	?,error getting file info Command line:
	4364			??	?,error getting file info Command line:
	5960			??	?,error getting file info Command line:
	4452			??	?,error getting file info Command line:
c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate	556	Windows Explorer	© Microsoft Corporation. All rights reserved.	??	2858.50 kb, rsAh, created: 30.12.2008 17:14:54, modified: 28.10.2008 23:29:41 Command line: C:\Windows\Explorer.EXE
c:\program files\opencase\opencase media agent\mediaagent.exe Script: Quarantine, Delete, BC delete, Terminate	2496	OpenCASE Media Agent	ExtendMedia Inc. 2007	??	815.63 kb, rsAh, created: 03.08.2008 03:45:04, modified: 03.08.2008 03:45:04 Command line: "C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe"
c:\program files\webroot\security\current\framework\wrconsumerservice.exe Script: Quarantine, Delete, BC delete, Terminate	944	WRConsumerService	Copyright (C)2008, All Rights Reserved.	??	3301.94 kb, rsAh, created: 08.09.2011 18:40:07, modified: 08.09.2011 18:37:19 Command line: "C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe"
c:\program files\webroot\security\current\framework\wrtray.exe Script: Quarantine, Delete, BC delete, Terminate	2668	WRTray	© 2002-2010 Webroot Software Inc. All rights reserved.	??	1350.57 kb, rsAh, created: 08.09.2011 18:40:02, modified: 08.09.2011 18:37:13 Command line: "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
Detected:156, recognized as trusted 75

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\DDI\overicon.dll Script: Quarantine, Delete, BC delete	268435456	TODO:	TODO: (c) . All rights reserved.	--	556
C:\Program Files\Webroot\Security\Current\framework\frameworkresources.dll Script: Quarantine, Delete, BC delete	1948123136			--	944, 2668
C:\Program Files\Webroot\Security\Current\plugins\antimalware\antimalwareresources.dll Script: Quarantine, Delete, BC delete	1916141568			--	944
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\ca69ec9d6589d3526ee38212ef28e2bb\System.Data.ni.dll Script: Quarantine, Delete, BC delete	1686503424	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2496
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll Script: Quarantine, Delete, BC delete	1666842624	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2496
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0a1195c6b5fab213527364c9e8b26ef0\System.Web.ni.dll Script: Quarantine, Delete, BC delete	1630076928	System.Web.dll	© Microsoft Corporation. All rights reserved.	--	2496
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll Script: Quarantine, Delete, BC delete	1641938944	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2496
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll Script: Quarantine, Delete, BC delete	1796734976	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2496
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll Script: Quarantine, Delete, BC delete	1802240000	.NET Framework	© Microsoft Corporation. All rights reserved.	--	2496
Modules detected:616, recognized as trusted 607

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, BC delete	92729000	0BE000 (778240)
Modules detected - 160, recognized as trusted - 159

Services

Service	Description	Status	File	Group	Dependencies
msiserver Service: Stop, Delete, Disable, BC delete	Windows Installer	Not started	C:\Windows\system32\msiexec Script: Quarantine, Delete, BC delete		rpcss
Detected - 165, recognized as trusted - 164

Drivers

Service	Description	Status	File	Group	Dependencies
blbdrive Driver: Unload, Delete, Disable, BC delete	blbdrive	Not started	C:\Windows\system32\drivers\blbdrive.sys Script: Quarantine, Delete, BC delete
IpInIp Driver: Unload, Delete, Disable, BC delete	IP in IP Tunnel Driver	Not started	C:\Windows\system32\DRIVERS\ipinip.sys Script: Quarantine, Delete, BC delete		Tcpip
NwlnkFlt Driver: Unload, Delete, Disable, BC delete	IPX Traffic Filter Driver	Not started	C:\Windows\system32\DRIVERS\nwlnkflt.sys Script: Quarantine, Delete, BC delete		NwlnkFwd
NwlnkFwd Driver: Unload, Delete, Disable, BC delete	IPX Traffic Forwarder Driver	Not started	C:\Windows\system32\DRIVERS\nwlnkfwd.sys Script: Quarantine, Delete, BC delete
TrueSight Driver: Unload, Delete, Disable, BC delete	TrueSight	Not started	c:\windows\system32\drivers\TrueSight.sys Script: Quarantine, Delete, BC delete
Detected - 249, recognized as trusted - 244

Autoruns

File name	Status	Startup method	Description
C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop 6.0.lnk,
C:\Program Files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Chikka Messenger v.4.lnk,
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Trend Micro AntiVirus.lnk,
C:\Users\Owner\AppData\Local\Temp\_uninst_74501824.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_74501824.lnk,
C:\Users\Owner\Desktop\Applications\CASETOOL.EXE Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\CASETOOL.EXE - Shortcut.lnk,
C:\WindowsSystem32\IoLogMsg.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\SoftwareDistribution\Download\Install\WGAER_M.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WGA Scanner, EventMessageFile
C:\Windows\System32\igmpv2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
progman.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 712, recognized as trusted - 695

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	BHO			{5C255C8A-E604-49b4-9D64-90988571CECB} Delete
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL Script: Quarantine, Delete, BC delete	BHO			{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} Delete
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL Script: Quarantine, Delete, BC delete	Toolbar			{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} Delete
	Extension module			{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} Delete
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{3369AF0D-62E9-4bda-8103-B4C75499B578} Delete
	URLSearchHook			{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} Delete
	URLSearchHook			{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} Delete
Elements detected - 25, recognized as trusted - 17

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	IE User Assist			{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} Delete
	lnkfile			{00020d75-0000-0000-c000-000000000046} Delete
	Color Control Panel Applet			{b2c761c6-29bc-4f19-9251-e6195265baf1} Delete
	Add New Hardware			{7A979262-40CE-46ff-AEEE-7884AC3B6136} Delete
	Get Programs Online			{3e7efb4c-faf1-453d-89eb-56026875ef90} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	ActiveDirectory Folder			{1b24a030-9b20-49bc-97ac-1be4426f9e59} Delete
	ActiveDirectory Folder			{34449847-FD14-4fc8-A75A-7432F5181EFB} Delete
	Sam Account Folder			{C8494E42-ACDD-4739-B0FB-217361E4894F} Delete
	Sam Account Folder			{E29F9716-5C08-4FCD-955A-119FDB5A522D} Delete
	Control Panel command object for Start menu			{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} Delete
	Default Programs command object for Start menu			{E44E5D18-0652-4508-A4E2-8A090067BCB0} Delete
	Folder Options			{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} Delete
	Explorer Query Band			{2C2577C2-63A7-40e3-9B7F-586602617ECB} Delete
	View Available Networks			{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} Delete
	Contacts folder			{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} Delete
	Windows Firewall			{4026492f-2f69-46b8-b9bf-5654fc07e423} Delete
	Problem Reports and Solutions			{fcfeecae-ee1b-4849-ae50-685dcf7717ec} Delete
	iSCSI Initiator			{a304259d-52b8-4526-8b1a-a1d6cecc8243} Delete
	.cab or .zip files			{911051fa-c21c-4246-b470-070cd8df6dc4} Delete
	Windows Search Shell Service			{da67b8ad-e81b-4c70-9b91b417b5e33527} Delete
	Microsoft.ScannersAndCameras			{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} Delete
	Windows Sidebar Properties			{37efd44d-ef8d-41b1-940d-96973a50e9e0} Delete
	Windows Features			{67718415-c450-4f3c-bf8a-b487642dc39b} Delete
	Windows Defender			{d8559eb9-20c0-410e-beda-7ed416aecc2a} Delete
	Mobility Center Control Panel			{5ea4f148-308c-46d7-98a9-49041b1dd468} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
Elements detected - 290, recognized as trusted - 263

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 8, recognized as trusted - 8

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 5, recognized as trusted - 5

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 7, recognized as trusted - 7

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 30, recognized as trusted - 30
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [976] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 0 [2272] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
8999 LISTENING 0.0.0.0 0 [2496] c:\program files\opencase\opencase media agent\mediaagent.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 ESTABLISHED 127.0.0.1 49156 [2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 0 [2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING 0.0.0.0 0 [652] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING 0.0.0.0 0 [1116] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING 0.0.0.0 0 [1180] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49155 LISTENING 0.0.0.0 0 [708] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
49156 ESTABLISHED 127.0.0.1 27015 [2660] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
49160 LISTENING 0.0.0.0 0 [696] c:\windows\system32\services.exe
Script: Quarantine, Delete, BC delete, Terminate
49165 CLOSE_WAIT 96.127.132.181 80 [556] c:\windows\explorer.exe
Script: Quarantine, Delete, BC delete, Terminate
49174 ESTABLISHED 74.125.53.125 5222 [2588] c:\program files\google\google talk\googletalk.exe
Script: Quarantine, Delete, BC delete, Terminate
49191 ESTABLISHED 127.0.0.1 49192 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49192 ESTABLISHED 127.0.0.1 49191 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49193 ESTABLISHED 127.0.0.1 49194 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49194 ESTABLISHED 127.0.0.1 49193 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49195 ESTABLISHED 127.0.0.1 49196 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49196 ESTABLISHED 127.0.0.1 49195 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49197 ESTABLISHED 127.0.0.1 49198 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49198 ESTABLISHED 127.0.0.1 49197 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49199 ESTABLISHED 127.0.0.1 49200 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49200 ESTABLISHED 127.0.0.1 49199 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49201 ESTABLISHED 127.0.0.1 49202 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49202 ESTABLISHED 127.0.0.1 49201 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
49309 ESTABLISHED 93.184.215.73 80 [5272] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
49311 CLOSE_WAIT 173.236.34.238 80 [5272] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
49312 CLOSE_WAIT 173.236.34.238 80 [5272] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
56135 LISTENING 0.0.0.0 0 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
60523 LISTENING 0.0.0.0 0 [5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1332] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [1180] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1332] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1332] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [1180] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [2272] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1608] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING -- -- [2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING -- -- [2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING -- -- [2272] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
51075 LISTENING -- -- [5272] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
53907 LISTENING -- -- [2660] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
53908 LISTENING -- -- [2660] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
56718 LISTENING -- -- [2732] c:\program files\windows sidebar\sidebar.exe
Script: Quarantine, Delete, BC delete, Terminate
58776 LISTENING -- -- [1332] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
58777 LISTENING -- -- [1332] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Delete http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Elements detected - 11, recognized as trusted - 10

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 23, recognized as trusted - 23

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
яю1
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Script: Quarantine, Delete, BC delete Handler Logitech Desktop Messenger (BackWeb GA Pluggable Protocol) © 2006 BackWeb Technologies Ltd. All rights reserved. {9462A756-7B47-47BC-8C80-C34B9B80B32B}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Handler Microsoft .NET Runtime Execution Engine (Communicates with QuickBooks) © Microsoft Corporation. All rights reserved. {FC598A64-626C-4447-85B8-53150405FD57}
Delete
Elements detected - 24, recognized as trusted - 19

Suspicious objects

File Description Type
C:\Windows\system32\Drivers\uti1odu0.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Suspicion for Rootkit

Main script of analysis
Windows version: Windows Vista (TM) Home Premium, Build=6001, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B80010<>759D1C36
IAT modification detected: GetModuleFileNameA - 00B80080<>75A14625
IAT modification detected: FreeLibrary - 00B800F0<>75A10B10
IAT modification detected: GetModuleFileNameW - 00B80160<>75A15AF5
IAT modification detected: CreateProcessW - 00B801D0<>759D1C01
IAT modification detected: LoadLibraryW - 00B802B0<>759F382D
IAT modification detected: LoadLibraryA - 00B80320<>759F9671
IAT modification detected: GetProcAddress - 00B80390<>75A1BAC6
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Error loading driver - scan interrupted [C0000022]
 >>>> Suspicion for Rootkit uti1odu0 C:\Windows\system32\Drivers\uti1odu0.sys
1.4 Searching for masking processes and drivers
Masking process with PID=536, name = ""
 >> PID substitution detected (current PID=0, real = 536)
Masking process with PID=552, name = ""
 >> PID substitution detected (current PID=0, real = 552)
Masking process with PID=596, name = ""
 >> PID substitution detected (current PID=0, real = 596)
Masking process with PID=644, name = ""
 >> PID substitution detected (current PID=0, real = 644)
Masking process with PID=1088, name = ""
 >> PID substitution detected (current PID=0, real = 1088)
Masking process with PID=1712, name = ""
 >> PID substitution detected (current PID=0, real = 1712)
Masking process with PID=1784, name = ""
 >> PID substitution detected (current PID=0, real = 1784)
Masking process with PID=1804, name = ""
 >> PID substitution detected (current PID=0, real = 1804)
Masking process with PID=1888, name = ""
 >> PID substitution detected (current PID=0, real = 1888)
Masking process with PID=1932, name = ""
 >> PID substitution detected (current PID=0, real = 1932)
Masking process with PID=644, name = ""
 >> PID substitution detected (current PID=0, real = 644)
Masking process with PID=2112, name = ""
 >> PID substitution detected (current PID=0, real = 2112)
Masking process with PID=2176, name = ""
 >> PID substitution detected (current PID=0, real = 2176)
Masking process with PID=2188, name = ""
 >> PID substitution detected (current PID=0, real = 2188)
Masking process with PID=2196, name = ""
 >> PID substitution detected (current PID=0, real = 2196)
Masking process with PID=2324, name = ""
 >> PID substitution detected (current PID=0, real = 2324)
Masking process with PID=2596, name = ""
 >> PID substitution detected (current PID=0, real = 2596)
Masking process with PID=2612, name = ""
 >> PID substitution detected (current PID=0, real = 2612)
Masking process with PID=2628, name = ""
 >> PID substitution detected (current PID=0, real = 2628)
Masking process with PID=2636, name = ""
 >> PID substitution detected (current PID=0, real = 2636)
Masking process with PID=2652, name = ""
 >> PID substitution detected (current PID=0, real = 2652)
Masking process with PID=2684, name = ""
 >> PID substitution detected (current PID=0, real = 2684)
Masking process with PID=2928, name = ""
 >> PID substitution detected (current PID=0, real = 2928)
Masking process with PID=2952, name = ""
 >> PID substitution detected (current PID=0, real = 2952)
Masking process with PID=2968, name = ""
 >> PID substitution detected (current PID=0, real = 2968)
Masking process with PID=2988, name = ""
 >> PID substitution detected (current PID=0, real = 2988)
Masking process with PID=3280, name = ""
 >> PID substitution detected (current PID=0, real = 3280)
Masking process with PID=3344, name = ""
 >> PID substitution detected (current PID=0, real = 3344)
Masking process with PID=3392, name = ""
 >> PID substitution detected (current PID=0, real = 3392)
Masking process with PID=3432, name = ""
 >> PID substitution detected (current PID=0, real = 3432)
Masking process with PID=3912, name = ""
 >> PID substitution detected (current PID=0, real = 3912)
Masking process with PID=1196, name = ""
 >> PID substitution detected (current PID=0, real = 1196)
Masking process with PID=1872, name = ""
 >> PID substitution detected (current PID=0, real = 1872)
Masking process with PID=2916, name = ""
 >> PID substitution detected (current PID=0, real = 2916)
Masking process with PID=3772, name = ""
 >> PID substitution detected (current PID=0, real = 3772)
Masking process with PID=644, name = ""
 >> PID substitution detected (current PID=0, real = 644)
Masking process with PID=2108, name = ""
 >> PID substitution detected (current PID=0, real = 2108)
Masking process with PID=1260, name = ""
 >> PID substitution detected (current PID=0, real = 1260)
Masking process with PID=2944, name = ""
 >> PID substitution detected (current PID=0, real = 2944)
Masking process with PID=4780, name = ""
 >> PID substitution detected (current PID=0, real = 4780)
Masking process with PID=4952, name = ""
 >> PID substitution detected (current PID=0, real = 4952)
Masking process with PID=4964, name = ""
 >> PID substitution detected (current PID=0, real = 4964)
Masking process with PID=5024, name = ""
 >> PID substitution detected (current PID=0, real = 5024)
Masking process with PID=5316, name = ""
 >> PID substitution detected (current PID=0, real = 5316)
Masking process with PID=5332, name = ""
 >> PID substitution detected (current PID=0, real = 5332)
Masking process with PID=5376, name = ""
 >> PID substitution detected (current PID=0, real = 5376)
Masking process with PID=5396, name = ""
 >> PID substitution detected (current PID=0, real = 5396)
Masking process with PID=5644, name = ""
 >> PID substitution detected (current PID=0, real = 5644)
Masking process with PID=2568, name = ""
 >> PID substitution detected (current PID=0, real = 2568)
Masking process with PID=4320, name = ""
 >> PID substitution detected (current PID=0, real = 4320)
Masking process with PID=3880, name = ""
 >> PID substitution detected (current PID=0, real = 3880)
Masking process with PID=4572, name = ""
 >> PID substitution detected (current PID=0, real = 4572)
Masking process with PID=1888, name = ""
 >> PID substitution detected (current PID=0, real = 1888)
Masking process with PID=2992, name = ""
 >> PID substitution detected (current PID=0, real = 2992)
Masking process with PID=4896, name = ""
 >> PID substitution detected (current PID=0, real = 4896)
Masking process with PID=4844, name = ""
 >> PID substitution detected (current PID=0, real = 4844)
Masking process with PID=2224, name = ""
 >> PID substitution detected (current PID=0, real = 2224)
Masking process with PID=5568, name = ""
 >> PID substitution detected (current PID=0, real = 5568)
Masking process with PID=4480, name = ""
 >> PID substitution detected (current PID=0, real = 4480)
Masking process with PID=4808, name = ""
 >> PID substitution detected (current PID=0, real = 4808)
Masking process with PID=5220, name = ""
 >> PID substitution detected (current PID=0, real = 5220)
Masking process with PID=3780, name = ""
 >> PID substitution detected (current PID=0, real = 3780)
Masking process with PID=5632, name = ""
 >> PID substitution detected (current PID=0, real = 5632)
Masking process with PID=3524, name = ""
 >> PID substitution detected (current PID=0, real = 3524)
Masking process with PID=2484, name = ""
 >> PID substitution detected (current PID=0, real = 2484)
Masking process with PID=3720, name = ""
 >> PID substitution detected (current PID=0, real = 3720)
Masking process with PID=4932, name = ""
 >> PID substitution detected (current PID=0, real = 4932)
Masking process with PID=300, name = ""
 >> PID substitution detected (current PID=0, real = 300)
Masking process with PID=5352, name = ""
 >> PID substitution detected (current PID=0, real = 5352)
Masking process with PID=2148, name = ""
 >> PID substitution detected (current PID=0, real = 2148)
Masking process with PID=5448, name = ""
 >> PID substitution detected (current PID=0, real = 5448)
Masking process with PID=5400, name = ""
 >> PID substitution detected (current PID=0, real = 5400)
Masking process with PID=4240, name = ""
 >> PID substitution detected (current PID=0, real = 4240)
Masking process with PID=5656, name = ""
 >> PID substitution detected (current PID=0, real = 5656)
Masking process with PID=5144, name = ""
 >> PID substitution detected (current PID=0, real = 5144)
Masking process with PID=1448, name = ""
 >> PID substitution detected (current PID=0, real = 1448)
Masking process with PID=1936, name = ""
 >> PID substitution detected (current PID=0, real = 1936)
Masking process with PID=5348, name = ""
 >> PID substitution detected (current PID=0, real = 5348)
Masking process with PID=2096, name = ""
 >> PID substitution detected (current PID=0, real = 2096)
Masking process with PID=4364, name = ""
 >> PID substitution detected (current PID=0, real = 4364)
 Searching for masking processes and drivers - complete
1.5 Checking of IRP handlers
 Error loading driver - scan interrupted [C0000022]
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Process termination timeout is out of admissible values
 >>  Service termination timeout is out of admissible values
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Run command on the Start menu is blocked
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[976] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	0	[2272] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5357	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
8999	LISTENING	0.0.0.0	0	[2496] c:\program files\opencase\opencase media agent\mediaagent.exe Script: Quarantine, Delete, BC delete, Terminate
27015	ESTABLISHED	127.0.0.1	49156	[2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	0	[2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49152	LISTENING	0.0.0.0	0	[652] c:\windows\system32\wininit.exe Script: Quarantine, Delete, BC delete, Terminate
49153	LISTENING	0.0.0.0	0	[1116] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49154	LISTENING	0.0.0.0	0	[1180] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49155	LISTENING	0.0.0.0	0	[708] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
49156	ESTABLISHED	127.0.0.1	27015	[2660] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
49160	LISTENING	0.0.0.0	0	[696] c:\windows\system32\services.exe Script: Quarantine, Delete, BC delete, Terminate
49165	CLOSE_WAIT	96.127.132.181	80	[556] c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate
49174	ESTABLISHED	74.125.53.125	5222	[2588] c:\program files\google\google talk\googletalk.exe Script: Quarantine, Delete, BC delete, Terminate
49191	ESTABLISHED	127.0.0.1	49192	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49192	ESTABLISHED	127.0.0.1	49191	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49193	ESTABLISHED	127.0.0.1	49194	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49194	ESTABLISHED	127.0.0.1	49193	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49195	ESTABLISHED	127.0.0.1	49196	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49196	ESTABLISHED	127.0.0.1	49195	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49197	ESTABLISHED	127.0.0.1	49198	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49198	ESTABLISHED	127.0.0.1	49197	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49199	ESTABLISHED	127.0.0.1	49200	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49200	ESTABLISHED	127.0.0.1	49199	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49201	ESTABLISHED	127.0.0.1	49202	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49202	ESTABLISHED	127.0.0.1	49201	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
49309	ESTABLISHED	93.184.215.73	80	[5272] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
49311	CLOSE_WAIT	173.236.34.238	80	[5272] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
49312	CLOSE_WAIT	173.236.34.238	80	[5272] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
56135	LISTENING	0.0.0.0	0	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
60523	LISTENING	0.0.0.0	0	[5596] c:\program files\opencase\opencase media agent\pandobinaries\nbcpandorest.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123	LISTENING	--	--	[1332] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[1180] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1332] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1332] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[1180] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[2272] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5355	LISTENING	--	--	[1608] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49152	LISTENING	--	--	[2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49153	LISTENING	--	--	[2152] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49154	LISTENING	--	--	[2272] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
51075	LISTENING	--	--	[5272] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
53907	LISTENING	--	--	[2660] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
53908	LISTENING	--	--	[2660] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
56718	LISTENING	--	--	[2732] c:\program files\windows sidebar\sidebar.exe Script: Quarantine, Delete, BC delete, Terminate
58776	LISTENING	--	--	[1332] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
58777	LISTENING	--	--	[1332] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate