Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 24/12/2011; 13:57)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate	1560	avast! Service	Copyright (c) 2011 AVAST Software	??	43.72 kb, rsAh, created: 10.12.2011 07:35:01, modified: 28.11.2011 12:01:23 Command line: "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl.exe Script: Quarantine, Delete, BC delete, Terminate	1832	QLB Controller	© Copyright 2006 Hewlett-Packard Development Company, L.P.	??	156.00 kb, rsAh, created: 15.05.2007 07:39:34, modified: 06.11.2006 11:58:18 Command line: "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe" /Start
c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate	2116	Veoh Client	(c) Veoh Networks. All rights reserved.	??	3332.00 kb, rsAh, created: 13.11.2007 15:48:54, modified: 13.11.2007 15:48:54 Command line: "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
Detected:70, recognized as trusted 69

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\AVAST Software\Avast\defs\11122401\algo.dll Script: Quarantine, Delete, BC delete	1738407936			--	1560
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBSERVICE.dll Script: Quarantine, Delete, BC delete	268435456	QLB Database Handler	© Copyright 2006 Hewlett-Packard Development Company, L.P.	--	1832
Modules detected:554, recognized as trusted 552

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Program Files\VMLaunch\BuddyVM.sys Script: Quarantine, Delete, BC delete	B61D0000	004000 (16384)	BUDDY for Virtual-Mate Filter Driver for Windows 2000/XP	Copyright (C) 2004 Interlex Inc.
C:\Windows\System32\Drivers\dump_dumpata.sys Script: Quarantine, Delete, BC delete	88875000	00B000 (45056)
C:\Windows\System32\Drivers\dump_msahci.sys Script: Quarantine, Delete, BC delete	889C1000	009000 (36864)
C:\Windows\System32\Drivers\sppf.sys Script: Quarantine, Delete, BC delete	80700000	100000 (1048576)
Modules detected - 162, recognized as trusted - 158

Services

Service	Description	Status	File	Group	Dependencies
CLTNetCnService Service: Stop, Delete, Disable, BC delete	Symantec Lic NetConnect service	Not started	c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe Script: Quarantine, Delete, BC delete
LiveUpdate Notice Ex Service: Stop, Delete, Disable, BC delete	LiveUpdate Notice Service Ex	Not started	c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe Script: Quarantine, Delete, BC delete	Symantec Services
Detected - 139, recognized as trusted - 137

Drivers

Service	Description	Status	File	Group	Dependencies
sptd Driver: Unload, Delete, Disable, BC delete	sptd	Running	C:\Windows\System32\Drivers\sptd.sys Script: Quarantine, Delete, BC delete	Boot Bus Extender
{09BB444F-B2E2-4009-BAF2-7B727681223E} Driver: Unload, Delete, Disable, BC delete	BuddyVM	Running	C:\Program Files\VMLaunch\BuddyVM.sys Script: Quarantine, Delete, BC delete
blbdrive Driver: Unload, Delete, Disable, BC delete	blbdrive	Not started	C:\Windows\system32\drivers\blbdrive.sys Script: Quarantine, Delete, BC delete
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\Users\Ovenmitt\AppData\Local\Temp\catchme.sys Script: Quarantine, Delete, BC delete	Base
EagleNT Driver: Unload, Delete, Disable, BC delete	EagleNT	Not started	C:\Windows\system32\drivers\EagleNT.sys Script: Quarantine, Delete, BC delete
EagleXNt Driver: Unload, Delete, Disable, BC delete	EagleXNt	Not started	C:\Windows\system32\drivers\EagleXNt.sys Script: Quarantine, Delete, BC delete
IpInIp Driver: Unload, Delete, Disable, BC delete	IP in IP Tunnel Driver	Not started	C:\Windows\system32\DRIVERS\ipinip.sys Script: Quarantine, Delete, BC delete		Tcpip
npkcrypt Driver: Unload, Delete, Disable, BC delete	npkcrypt	Not started	C:\Nexon\MapleStory\npkcrypt.sys Script: Quarantine, Delete, BC delete	Keyboard
NwlnkFlt Driver: Unload, Delete, Disable, BC delete	IPX Traffic Filter Driver	Not started	C:\Windows\system32\DRIVERS\nwlnkflt.sys Script: Quarantine, Delete, BC delete		NwlnkFwd
NwlnkFwd Driver: Unload, Delete, Disable, BC delete	IPX Traffic Forwarder Driver	Not started	C:\Windows\system32\DRIVERS\nwlnkfwd.sys Script: Quarantine, Delete, BC delete
Detected - 245, recognized as trusted - 235

Autoruns

File name	Status	Startup method	Description
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\msenv.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Visual Studio - VsTemplate, EventMessageFile
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-707605045-4109517109-592397696-1000\Software\Microsoft\Windows\CurrentVersion\Run, Veoh Delete
C:\Users\Ovenmitt\AppData\Local\temp\_uninst_80587260.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Ovenmitt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Ovenmitt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_80587260.lnk,
C:\Users\Ovenmitt\Desktop\VideoToMp3.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Ovenmitt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Ovenmitt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\FoxTab Video To MP3.lnk,
C:\WindowsSystem32\IoLogMsg.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\SoftwareDistribution\Download\Install\WGAER_M.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WGA Scanner, EventMessageFile
C:\Windows\System32\appmgmts.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll Delete
C:\Windows\System32\igmpv2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\System32\ws03res.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RasAuto, EventMessageFile
C:\Windows\System32\ws03res.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RasMan, EventMessageFile
C:\Windows\System32\ws03res.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RemoteAccess, EventMessageFile
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
progman.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
rdpclip Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 678, recognized as trusted - 658

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll Script: Quarantine, Delete, BC delete	Toolbar			{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} Delete
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{92780B25-18CC-41C8-B9BE-3C9C571A8263} Delete
Elements detected - 11, recognized as trusted - 8

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	lnkfile			{00020d75-0000-0000-c000-000000000046} Delete
	Color Control Panel Applet			{b2c761c6-29bc-4f19-9251-e6195265baf1} Delete
	Add New Hardware			{7A979262-40CE-46ff-AEEE-7884AC3B6136} Delete
	Get Programs Online			{3e7efb4c-faf1-453d-89eb-56026875ef90} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	ActiveDirectory Folder			{1b24a030-9b20-49bc-97ac-1be4426f9e59} Delete
	ActiveDirectory Folder			{34449847-FD14-4fc8-A75A-7432F5181EFB} Delete
	Sam Account Folder			{C8494E42-ACDD-4739-B0FB-217361E4894F} Delete
	Sam Account Folder			{E29F9716-5C08-4FCD-955A-119FDB5A522D} Delete
	Control Panel command object for Start menu			{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} Delete
	Default Programs command object for Start menu			{E44E5D18-0652-4508-A4E2-8A090067BCB0} Delete
	Folder Options			{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} Delete
	Explorer Query Band			{2C2577C2-63A7-40e3-9B7F-586602617ECB} Delete
	View Available Networks			{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} Delete
	Contacts folder			{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} Delete
	Windows Firewall			{4026492f-2f69-46b8-b9bf-5654fc07e423} Delete
	Problem Reports and Solutions			{fcfeecae-ee1b-4849-ae50-685dcf7717ec} Delete
	iSCSI Initiator			{a304259d-52b8-4526-8b1a-a1d6cecc8243} Delete
	.cab or .zip files			{911051fa-c21c-4246-b470-070cd8df6dc4} Delete
	Windows Search Shell Service			{da67b8ad-e81b-4c70-9b91b417b5e33527} Delete
	Microsoft.ScannersAndCameras			{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} Delete
	Windows Sidebar Properties			{37efd44d-ef8d-41b1-940d-96973a50e9e0} Delete
	Windows Features			{67718415-c450-4f3c-bf8a-b487642dc39b} Delete
	Windows Defender			{d8559eb9-20c0-410e-beda-7ed416aecc2a} Delete
	Mobility Center Control Panel			{5ea4f148-308c-46d7-98a9-49041b1dd468} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
Elements detected - 294, recognized as trusted - 268

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 7, recognized as trusted - 7

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 2, recognized as trusted - 2

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 7, recognized as trusted - 7

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 18, recognized as trusted - 18
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [920] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
3260 LISTENING 0.0.0.0 0 [3468] c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe
Script: Quarantine, Delete, BC delete, Terminate
3261 LISTENING 0.0.0.0 0 [3468] c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 0 [2916] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
8080 TIME_WAIT 127.0.0.1 56626 [0]
8080 TIME_WAIT 127.0.0.1 56636 [0]
8080 TIME_WAIT 127.0.0.1 56637 [0]
8080 TIME_WAIT 127.0.0.1 56638 [0]
8080 TIME_WAIT 127.0.0.1 56639 [0]
8080 TIME_WAIT 127.0.0.1 56640 [0]
8080 TIME_WAIT 127.0.0.1 56641 [0]
8080 TIME_WAIT 127.0.0.1 56642 [0]
8080 TIME_WAIT 127.0.0.1 56643 [0]
8080 TIME_WAIT 127.0.0.1 56645 [0]
8080 TIME_WAIT 127.0.0.1 56646 [0]
8080 TIME_WAIT 127.0.0.1 56647 [0]
8080 TIME_WAIT 127.0.0.1 56648 [0]
8080 TIME_WAIT 127.0.0.1 56649 [0]
8080 TIME_WAIT 127.0.0.1 56650 [0]
8080 TIME_WAIT 127.0.0.1 56651 [0]
8080 TIME_WAIT 127.0.0.1 56659 [0]
8080 TIME_WAIT 127.0.0.1 56660 [0]
8080 TIME_WAIT 127.0.0.1 56661 [0]
8080 TIME_WAIT 127.0.0.1 56662 [0]
8080 TIME_WAIT 127.0.0.1 56663 [0]
8080 TIME_WAIT 127.0.0.1 56664 [0]
8080 TIME_WAIT 127.0.0.1 56665 [0]
8080 TIME_WAIT 127.0.0.1 56666 [0]
8080 TIME_WAIT 127.0.0.1 56667 [0]
8080 TIME_WAIT 127.0.0.1 56668 [0]
8080 TIME_WAIT 127.0.0.1 56669 [0]
8080 TIME_WAIT 127.0.0.1 56670 [0]
8080 TIME_WAIT 127.0.0.1 56673 [0]
8080 TIME_WAIT 127.0.0.1 56674 [0]
8080 TIME_WAIT 127.0.0.1 56675 [0]
8080 TIME_WAIT 127.0.0.1 56676 [0]
8080 ESTABLISHED 127.0.0.1 56677 [3452] c:\program files\safeconnect\scmanager.sys
Script: Quarantine, Delete, BC delete, Terminate
8080 LISTENING 0.0.0.0 0 [3452] c:\program files\safeconnect\scmanager.sys
Script: Quarantine, Delete, BC delete, Terminate
12025 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12080 ESTABLISHED 127.0.0.1 56671 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12080 ESTABLISHED 127.0.0.1 56679 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12080 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12110 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12119 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12143 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12465 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12563 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12993 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12995 LISTENING 0.0.0.0 0 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 ESTABLISHED 127.0.0.1 49188 [2888] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 0 [2888] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING 0.0.0.0 0 [596] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING 0.0.0.0 0 [960] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING 0.0.0.0 0 [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49155 LISTENING 0.0.0.0 0 [1056] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49156 LISTENING 0.0.0.0 0 [652] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
49167 LISTENING 0.0.0.0 0 [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
49188 ESTABLISHED 127.0.0.1 27015 [2008] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
49200 LISTENING 0.0.0.0 0 [640] c:\windows\system32\services.exe
Script: Quarantine, Delete, BC delete, Terminate
54321 LISTENING 0.0.0.0 0 [1016] c:\program files\giraffic\veoh_giraffic.exe
Script: Quarantine, Delete, BC delete, Terminate
56632 TIME_WAIT 69.167.127.78 80 [0]
56638 TIME_WAIT 127.0.0.1 8080 [0]
56649 TIME_WAIT 127.0.0.1 8080 [0]
56660 TIME_WAIT 127.0.0.1 8080 [0]
56662 TIME_WAIT 127.0.0.1 8080 [0]
56671 ESTABLISHED 127.0.0.1 12080 [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
56672 SYN_SENT 69.167.127.68 80 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
56675 TIME_WAIT 127.0.0.1 8080 [0]
56677 ESTABLISHED 127.0.0.1 8080 [2248] c:\program files\safeconnect\scclient.exe
Script: Quarantine, Delete, BC delete, Terminate
56679 ESTABLISHED 127.0.0.1 12080 [3452] c:\program files\safeconnect\scmanager.sys
Script: Quarantine, Delete, BC delete, Terminate
56680 SYN_SENT 198.31.193.211 8008 [1560] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [2916] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1432] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
7578 LISTENING -- -- [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
26561 LISTENING -- -- [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
26562 LISTENING -- -- [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
54176 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
54178 LISTENING -- -- [2916] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
55827 LISTENING -- -- [1036] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
56359 LISTENING -- -- [1016] c:\program files\giraffic\veoh_giraffic.exe
Script: Quarantine, Delete, BC delete, Terminate
57007 LISTENING -- -- [2956] c:\program files\giraffic\veoh_girafficwatchdog.exe
Script: Quarantine, Delete, BC delete, Terminate
57701 LISTENING -- -- [2916] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
60171 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
60172 LISTENING -- -- [1248] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
61003 LISTENING -- -- [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
63121 LISTENING -- -- [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
63122 LISTENING -- -- [2116] c:\program files\veoh networks\veoh\veohclient.exe
Script: Quarantine, Delete, BC delete, Terminate
63816 LISTENING -- -- [1056] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
64173 LISTENING -- -- [1016] c:\program files\giraffic\veoh_giraffic.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
C:\Windows\Downloaded Program Files\installer.ocx
Script: Quarantine, Delete, BC delete {82FFA573-38AA-482A-99AD-91F697B91631}
Delete http://218be9f87d4706db466c8cf973433aaa.impregnable.net/get.php/dl_applet.cab?t=1212685092&h=42a60d631256d92cf45380bf6f8cb26f&f=tfmb.cab&fn=/dl_applet.cab
Elements detected - 8, recognized as trusted - 7

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 22, recognized as trusted - 22

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
яю1
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 19, recognized as trusted - 16

Suspicious objects

File Description Type
C:\Windows\System32\Drivers\aswSnx.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\Windows\system32\DRIVERS\5205086drv.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\Windows\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
\SystemRoot\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
G:\autorun.inf
Script: Quarantine, Delete, BC delete Suspicion by Heuristic analysis HSC: suspicion for hidden autorun (high degree of probability)

Main script of analysis
Windows version: Windows Vista (TM) Home Premium, Build=6000, SP=""
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00BF0010<>76821D5C
IAT modification detected: GetModuleFileNameA - 00BF0080<>7686B578
IAT modification detected: FreeLibrary - 00BF00F0<>76864597
IAT modification detected: GetModuleFileNameW - 00BF0160<>768699ED
IAT modification detected: CreateProcessW - 00BF01D0<>76821D27
IAT modification detected: LoadLibraryW - 00BF02B0<>7684971F
IAT modification detected: LoadLibraryA - 00BF0320<>76849A96
IAT modification detected: GetProcAddress - 00BF0390<>76864110
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (123) intercepted, method APICodeHijack.JmpTo[001501EE]
Function ntdll.dll:LdrUnloadDll (145) intercepted, method APICodeHijack.JmpTo[001503F2]
 Analysis: user32.dll, export table found in section .text
Function user32.dll:SetWinEventHook (675) intercepted, method APICodeHijack.JmpTo[001B01EE]
Function user32.dll:SetWindowsHookExA (688) intercepted, method APICodeHijack.JmpTo[001B05F6]
Function user32.dll:SetWindowsHookExW (689) intercepted, method APICodeHijack.JmpTo[001B07FA]
Function user32.dll:UnhookWinEvent (728) intercepted, method APICodeHijack.JmpTo[001B03F2]
Function user32.dll:UnhookWindowsHookEx (730) intercepted, method APICodeHijack.JmpTo[001B09FE]
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:ChangeServiceConfig2A (74) intercepted, method APICodeHijack.JmpTo[001A0C02]
Function advapi32.dll:ChangeServiceConfig2W (75) intercepted, method APICodeHijack.JmpTo[001A0E06]
Function advapi32.dll:ChangeServiceConfigA (76) intercepted, method APICodeHijack.JmpTo[001A07FA]
Function advapi32.dll:ChangeServiceConfigW (77) intercepted, method APICodeHijack.JmpTo[001A09FE]
Function advapi32.dll:CreateServiceA (126) intercepted, method APICodeHijack.JmpTo[001A01EE]
Function advapi32.dll:CreateServiceW (127) intercepted, method APICodeHijack.JmpTo[001A03F2]
Function advapi32.dll:DeleteService (216) intercepted, method APICodeHijack.JmpTo[001A05F6]
Function advapi32.dll:SetServiceObjectSecurity (698) intercepted, method APICodeHijack.JmpTo[001A100A]
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=131B00)
 Kernel ntkrnlpa.exe found in memory at address 81C00000
   SDT = 81D31B00
   KiST = 81C807B4 (398)
Function NtAddBootEntry (09) intercepted (81E8B27C->8DB25FC4), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAdjustPrivilegesToken (0C) intercepted (81E3ED19->B9464E36), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAllocateVirtualMemory (12) intercepted (81DD54AF->8EFBF510), hook C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (15) intercepted (81DBFFE3->B9467074), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (16) intercepted (81DBF6F3->B94672EE), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (26) intercepted (81DC6307->B9467564), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (30) intercepted (81DF1A40->B946574A), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (36) intercepted (81DBE1CB->B946657E), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (3A) intercepted (81E87388->B9466AC8), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEventPair (3B) intercepted (81E8FD0F->8DB284AE), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (3C) intercepted (81D8EE0C->B9465A26), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateIoCompletion (3D) intercepted (81D8B454->8DB285C4), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (43) intercepted (81E9018A->B94669AE), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (44) intercepted (81D8EE4F->B9464A24), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (47) intercepted (81DBDCCD->B9466882), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcessEx (49) - machine code modification Method of JmpTo. jmp 8EFD37A6\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Function NtCreateSection (4B) intercepted (81DD7893->B9464BCC), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (4C) intercepted (81E8839B->B9466BE8), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (4E) intercepted (81E1217B->B94653D0), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateTimer (4F) intercepted (81E8F96F->8DB28572), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (73) intercepted (81DBDD37->B9466918), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (74) intercepted (81D76262->B94682D6), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteBootEntry (78) intercepted (81E8B2AD->8DB25FE8), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (7F) intercepted (81D8F00F->B9465EA8), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (81) intercepted (81DF2157->B94694E4), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFreeVirtualMemory (93) intercepted (81CBEC63->8EFBF5C0), hook C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (96) intercepted (81D8F049->B9465CB6), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (A5) intercepted (81D9852A->B94683C8), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (B1) intercepted (81DD0396->B9468B30), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtModifyBootEntry (B2) intercepted (81E8B47F->8DB2600C), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeKey (B5) intercepted (81D3870E->8DB289BC), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeMultipleKeys (B6) intercepted (81D38749->8DB26AA4), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B8) intercepted (81E874B1->B9466B5E), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEventPair (B9) intercepted (81E8FE47->8DB284D6), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (BA) intercepted (81D90275->B94657CC), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenIoCompletion (BB) intercepted (81D8B563->8DB285EE), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BF) intercepted (81E9028F->B9466A3E), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (C2) intercepted (81E13AA7->B9465074), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C5) intercepted (81DDA71B->B94688CA), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C6) intercepted (81E884C5->B9466C7E), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C9) intercepted (81E13E07->B9464F64), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenTimer (CC) intercepted (81E8FABE->8DB2859C), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtProtectVirtualMemory (D2) intercepted (81DE890B->8EFBF658), hook C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (DB) intercepted (81DEDD46->B9467868), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryObject (ED) intercepted (81DF7DC1->8DB2696A), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (F2) intercepted (81DE368A->B9468E6A), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (FF) intercepted (81E1A8C6->B946875C), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (10C) intercepted (81D3BD42->B94636DE), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (10D) intercepted (81DBE76B->B9466FE2), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (10E) intercepted (81DBE870->B9466EA8), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (113) intercepted (81DBE4C4->B9468070), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (117) intercepted (81D39BA6->B9463A56), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (119) intercepted (81E1D3A0->B9469386), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (11A) intercepted (81D39CC7->B9463676), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (122) intercepted (81DBDDA1->B94662C4), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetBootEntryOrder (123) intercepted (81E8BBA2->8DB26030), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetBootOptions (124) intercepted (81E8C0A4->8DB26054), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (125) intercepted (81E1AEBB->B94655EC), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (137) intercepted (81E507B3->B946790A), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (13E) intercepted (81DF4694->B9468566), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (141) intercepted (81E82CA3->B9468FBA), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemPowerState (142) intercepted (81EC7CC8->8DB25F48), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtShutdownSystem (14A) intercepted (81E7A309->8DB25F24), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (14E) intercepted (81E1D483->B94690AC), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (14F) intercepted (81E1D2B7->B94691E6), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (150) intercepted (81E90DD1->B94681FA), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (152) intercepted (81E1B2B3->B946521A), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (153) intercepted (81E1B707->B9465170), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (160) intercepted (81DE0D88->B9468D0E), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtVdmControl (161) intercepted (81E5CA14->8DB26078), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (16A) intercepted (81DD71AB->B9465306), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (184) intercepted (81E23FFC->B94654CE), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (185) intercepted (81E227DF->B94677AE), hook C:\Windows\system32\DRIVERS\5205086drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function ObInsertObject (81DF75F6) - machine code modification Method of JmpTo. jmp 8EFD215C \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Function ObMakeTemporaryObject (81DF1ADB) - machine code modification Method of JmpTo. jmp 8EFD069C \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 398, intercepted: 72, restored: 75
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 8EFD32C0 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8EFD3300 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = 8EFD33C8 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8EFD3408 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 840FD1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 840FD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 8EFD3448 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\FastFat[IRP_MJ_CLOSE] = 8EFD3488 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\FastFat[IRP_MJ_WRITE] = 8EFD3550 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 8EFD3590 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 8EC271F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 8EC271F8 -> hook not defined
 Checking - complete
>>> G:\autorun.inf HSC: suspicion for  hidden autorun (high degree of probability)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[920] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
3260	LISTENING	0.0.0.0	0	[3468] c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe Script: Quarantine, Delete, BC delete, Terminate
3261	LISTENING	0.0.0.0	0	[3468] c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	0	[2916] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
8080	TIME_WAIT	127.0.0.1	56626	[0]
8080	TIME_WAIT	127.0.0.1	56636	[0]
8080	TIME_WAIT	127.0.0.1	56637	[0]
8080	TIME_WAIT	127.0.0.1	56638	[0]
8080	TIME_WAIT	127.0.0.1	56639	[0]
8080	TIME_WAIT	127.0.0.1	56640	[0]
8080	TIME_WAIT	127.0.0.1	56641	[0]
8080	TIME_WAIT	127.0.0.1	56642	[0]
8080	TIME_WAIT	127.0.0.1	56643	[0]
8080	TIME_WAIT	127.0.0.1	56645	[0]
8080	TIME_WAIT	127.0.0.1	56646	[0]
8080	TIME_WAIT	127.0.0.1	56647	[0]
8080	TIME_WAIT	127.0.0.1	56648	[0]
8080	TIME_WAIT	127.0.0.1	56649	[0]
8080	TIME_WAIT	127.0.0.1	56650	[0]
8080	TIME_WAIT	127.0.0.1	56651	[0]
8080	TIME_WAIT	127.0.0.1	56659	[0]
8080	TIME_WAIT	127.0.0.1	56660	[0]
8080	TIME_WAIT	127.0.0.1	56661	[0]
8080	TIME_WAIT	127.0.0.1	56662	[0]
8080	TIME_WAIT	127.0.0.1	56663	[0]
8080	TIME_WAIT	127.0.0.1	56664	[0]
8080	TIME_WAIT	127.0.0.1	56665	[0]
8080	TIME_WAIT	127.0.0.1	56666	[0]
8080	TIME_WAIT	127.0.0.1	56667	[0]
8080	TIME_WAIT	127.0.0.1	56668	[0]
8080	TIME_WAIT	127.0.0.1	56669	[0]
8080	TIME_WAIT	127.0.0.1	56670	[0]
8080	TIME_WAIT	127.0.0.1	56673	[0]
8080	TIME_WAIT	127.0.0.1	56674	[0]
8080	TIME_WAIT	127.0.0.1	56675	[0]
8080	TIME_WAIT	127.0.0.1	56676	[0]
8080	ESTABLISHED	127.0.0.1	56677	[3452] c:\program files\safeconnect\scmanager.sys Script: Quarantine, Delete, BC delete, Terminate
8080	LISTENING	0.0.0.0	0	[3452] c:\program files\safeconnect\scmanager.sys Script: Quarantine, Delete, BC delete, Terminate
12025	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12080	ESTABLISHED	127.0.0.1	56671	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12080	ESTABLISHED	127.0.0.1	56679	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12080	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12110	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12119	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12143	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12465	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12563	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12993	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12995	LISTENING	0.0.0.0	0	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
27015	ESTABLISHED	127.0.0.1	49188	[2888] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	0	[2888] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49152	LISTENING	0.0.0.0	0	[596] c:\windows\system32\wininit.exe Script: Quarantine, Delete, BC delete, Terminate
49153	LISTENING	0.0.0.0	0	[960] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49154	LISTENING	0.0.0.0	0	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49155	LISTENING	0.0.0.0	0	[1056] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49156	LISTENING	0.0.0.0	0	[652] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
49167	LISTENING	0.0.0.0	0	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
49188	ESTABLISHED	127.0.0.1	27015	[2008] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
49200	LISTENING	0.0.0.0	0	[640] c:\windows\system32\services.exe Script: Quarantine, Delete, BC delete, Terminate
54321	LISTENING	0.0.0.0	0	[1016] c:\program files\giraffic\veoh_giraffic.exe Script: Quarantine, Delete, BC delete, Terminate
56632	TIME_WAIT	69.167.127.78	80	[0]
56638	TIME_WAIT	127.0.0.1	8080	[0]
56649	TIME_WAIT	127.0.0.1	8080	[0]
56660	TIME_WAIT	127.0.0.1	8080	[0]
56662	TIME_WAIT	127.0.0.1	8080	[0]
56671	ESTABLISHED	127.0.0.1	12080	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
56672	SYN_SENT	69.167.127.68	80	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
56675	TIME_WAIT	127.0.0.1	8080	[0]
56677	ESTABLISHED	127.0.0.1	8080	[2248] c:\program files\safeconnect\scclient.exe Script: Quarantine, Delete, BC delete, Terminate
56679	ESTABLISHED	127.0.0.1	12080	[3452] c:\program files\safeconnect\scmanager.sys Script: Quarantine, Delete, BC delete, Terminate
56680	SYN_SENT	198.31.193.211	8008	[1560] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[2916] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5355	LISTENING	--	--	[1432] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
7578	LISTENING	--	--	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
26561	LISTENING	--	--	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
26562	LISTENING	--	--	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
54176	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
54178	LISTENING	--	--	[2916] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
55827	LISTENING	--	--	[1036] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
56359	LISTENING	--	--	[1016] c:\program files\giraffic\veoh_giraffic.exe Script: Quarantine, Delete, BC delete, Terminate
57007	LISTENING	--	--	[2956] c:\program files\giraffic\veoh_girafficwatchdog.exe Script: Quarantine, Delete, BC delete, Terminate
57701	LISTENING	--	--	[2916] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
60171	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
60172	LISTENING	--	--	[1248] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
61003	LISTENING	--	--	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
63121	LISTENING	--	--	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
63122	LISTENING	--	--	[2116] c:\program files\veoh networks\veoh\veohclient.exe Script: Quarantine, Delete, BC delete, Terminate
63816	LISTENING	--	--	[1056] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
64173	LISTENING	--	--	[1016] c:\program files\giraffic\veoh_giraffic.exe Script: Quarantine, Delete, BC delete, Terminate