Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 28/05/2012; 10:22)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate	1644	avast! Service	Copyright (c) 2012 AVAST Software	??	43.72 kb, rsAh, created: 26.05.2012 09:35:49, modified: 06.03.2012 18:15:14 Command line: "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Detected:73, recognized as trusted 73

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\AVAST Software\Avast\defs\12052801\algo.dll Script: Quarantine, Delete, BC delete	1645346816			--	1644
Modules detected:709, recognized as trusted 708

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_dumpata.sys Script: Quarantine, Delete, BC delete	8F7EF000	00B000 (45056)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, BC delete	8AA00000	011000 (69632)
C:\Windows\System32\Drivers\dump_msahci.sys Script: Quarantine, Delete, BC delete	905F6000	00A000 (40960)
Modules detected - 225, recognized as trusted - 222

Services

Service	Description	Status	File	Group	Dependencies
McMPFSvc Service: Stop, Delete, Disable, BC delete	McAfee Personal Firewall Service	Not started	C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe Script: Quarantine, Delete, BC delete		RpcSs
Detected - 189, recognized as trusted - 188

Drivers

Service	Description	Status	File	Group	Dependencies
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\Users\Lexy\AppData\Local\Temp\catchme.sys Script: Quarantine, Delete, BC delete	Base
EagleXNt Driver: Unload, Delete, Disable, BC delete	EagleXNt	Not started	C:\Windows\system32\drivers\EagleXNt.sys Script: Quarantine, Delete, BC delete
LMIRfsClientNP Driver: Unload, Delete, Disable, BC delete	LMIRfsClientNP	Not started	LMIRfsClientNP.sys Script: Quarantine, Delete, BC delete	NetworkProvider
Detected - 295, recognized as trusted - 292

Autoruns

File name	Status	Startup method	Description
C:\3d39f24c72a8e5c873e6679c7068\DW\DW20.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
C:\Program Files\SanrioTown\Hello Kitty Online\autoupdate.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Lexy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Lexy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hello Kitty Online.lnk,
C:\Users\Lexy\AppData\Local\temp\_uninst_01151137.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Users\Lexy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Lexy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_01151137.lnk,
C:\Windows\system32\AlKernel.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\quickhealfirewall\Parameters, ServiceDll Delete
C:\Windows\system32\BCM43XV.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MTDVC2_ENUM\Parameters, ServiceDll Delete
C:\Windows\system32\Blfp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\se44mdfl\Parameters, ServiceDll Delete
C:\Windows\system32\SQTECH9080.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\ftpqueue\Parameters, ServiceDll Delete
C:\Windows\system32\SeaPort.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\GBFSHook\Parameters, ServiceDll Delete
C:\Windows\system32\USBCCID.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\pdrframe\Parameters, ServiceDll Delete
C:\Windows\system32\a016mdm.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\U81xobex\Parameters, ServiceDll Delete
C:\Windows\system32\armoucfltr.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\mcstrm\Parameters, ServiceDll Delete
C:\Windows\system32\awhost32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lxcf_device\Parameters, ServiceDll Delete
C:\Windows\system32\bgs_sdservice.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\scarddrv\Parameters, ServiceDll Delete
C:\Windows\system32\nmsaccess.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\CTEDSPIO.DLL\Parameters, ServiceDll Delete
C:\Windows\system32\pdrframe.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\tabletservice\Parameters, ServiceDll Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\system32\s716nd5.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\cxpt_service\Parameters, ServiceDll Delete
C:\Windows\system32\snapman380.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\personalsecuredriveservice\Parameters, ServiceDll Delete
C:\Windows\system32\ssm_mdfl.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\incdsrv\Parameters, ServiceDll Delete
C:\Windows\system32\w200mdfl.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\cpntsrv\Parameters, ServiceDll Delete
C:\Windows\system32\wudfpf.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\avgems\Parameters, ServiceDll Delete
progman.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 703, recognized as trusted - 678

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} Delete
	URLSearchHook			{D3D233D5-9F6D-436C-B6C7-E63F77503B30} Delete
Elements detected - 14, recognized as trusted - 11

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
Elements detected - 33, recognized as trusted - 33

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 8, recognized as trusted - 8

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 4, recognized as trusted - 4

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 8, recognized as trusted - 8

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 34, recognized as trusted - 34
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [956] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
554 LISTENING 0.0.0.0 0 [3520] c:\program files\windows media player\wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
2002 ESTABLISHED 127.0.0.1 49209 [2456] c:\program files\logmein\x86\logmein.exe
Script: Quarantine, Delete, BC delete, Terminate
2002 LISTENING 0.0.0.0 0 [2456] c:\program files\logmein\x86\logmein.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
5354 ESTABLISHED 127.0.0.1 49162 [2212] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 0 [2212] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
10243 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
12025 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12080 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12110 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12119 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12143 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12465 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12563 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12993 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
12995 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 0 [2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
27275 LISTENING 0.0.0.0 0 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING 0.0.0.0 0 [596] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING 0.0.0.0 0 [1008] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING 0.0.0.0 0 [668] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
49155 LISTENING 0.0.0.0 0 [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49161 LISTENING 0.0.0.0 0 [1792] c:\windows\system32\spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
49162 ESTABLISHED 127.0.0.1 5354 [2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
49174 ESTABLISHED 216.52.233.164 443 [2456] c:\program files\logmein\x86\logmein.exe
Script: Quarantine, Delete, BC delete, Terminate
49176 LISTENING 0.0.0.0 0 [652] c:\windows\system32\services.exe
Script: Quarantine, Delete, BC delete, Terminate
49209 ESTABLISHED 127.0.0.1 2002 [3532] c:\program files\logmein\x86\logmeinsystray.exe
Script: Quarantine, Delete, BC delete, Terminate
51716 ESTABLISHED 72.5.58.47 80 [1644] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
51723 TIME_WAIT 192.168.2.1 1780 [0]
51724 TIME_WAIT 192.168.2.1 1780 [0]
UDP ports
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1276] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1276] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5004 LISTENING -- -- [3520] c:\program files\windows media player\wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5005 LISTENING -- -- [3520] c:\program files\windows media player\wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [2212] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1516] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
52848 LISTENING -- -- [5012] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
55702 LISTENING -- -- [2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
55703 LISTENING -- -- [2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
55704 LISTENING -- -- [2212] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
55706 LISTENING -- -- [1792] c:\windows\system32\spoolsv.exe
Script: Quarantine, Delete, BC delete, Terminate
55749 LISTENING -- -- [4080] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
61035 LISTENING -- -- [4600] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
61054 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
61056 LISTENING -- -- [1276] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
65061 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
65062 LISTENING -- -- [2996] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
65388 LISTENING -- -- [1276] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 1, recognized as trusted - 1

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 22, recognized as trusted - 22

Active Setup

File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file

Hosts file record
яю1
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 16, recognized as trusted - 13

Suspicious objects

File Description Type
C:\Windows\System32\Drivers\aswSnx.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\Windows\system32\DRIVERS\2785567drv.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\Windows\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
\SystemRoot\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook

Main script of analysis
Windows version: Windows 7 Professional, Build=7601, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00550010<>754E2082
IAT modification detected: GetModuleFileNameA - 00550080<>7552D75A
IAT modification detected: FreeLibrary - 005500F0<>7552EF67
IAT modification detected: GetModuleFileNameW - 00550160<>7552EF35
IAT modification detected: CreateProcessW - 005501D0<>754E204D
IAT modification detected: LoadLibraryW - 005502B0<>7552EF42
IAT modification detected: LoadLibraryA - 00550320<>7552DC65
IAT modification detected: GetProcAddress - 00550390<>7552CC94
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (137) intercepted, method APICodeHijack.JmpTo[001601EE]
Function ntdll.dll:LdrUnloadDll (161) intercepted, method APICodeHijack.JmpTo[001603F2]
 Analysis: user32.dll, export table found in section .text
Function user32.dll:SetWinEventHook (2216) intercepted, method APICodeHijack.JmpTo[002201EE]
Function user32.dll:SetWindowsHookExA (2231) intercepted, method APICodeHijack.JmpTo[002205F6]
Function user32.dll:SetWindowsHookExW (2232) intercepted, method APICodeHijack.JmpTo[002207FA]
Function user32.dll:UnhookWinEvent (2279) intercepted, method APICodeHijack.JmpTo[002203F2]
Function user32.dll:UnhookWindowsHookEx (2281) intercepted, method APICodeHijack.JmpTo[002209FE]
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=169B00)
 Kernel ntkrnlpa.exe found in memory at address 83018000
   SDT = 83181B00
   KiST = 83096D5C (401)
Function NtAddBootEntry (09) intercepted (8331D7C2->8EA2DDF8), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAdjustPrivilegesToken (0C) intercepted (8329DD8D->BC2B8E36), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAllocateVirtualMemory (13) intercepted (83242BCC->8F6CEA5A), hook C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (16) intercepted (8328E44E->BC2BB074), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (17) intercepted (8320DCFE->BC2BB2EE), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (27) intercepted (8326B0BE->BC2BB564), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAssignProcessToJobObject (2B) intercepted (83217FCA->8EA2E85E), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (32) intercepted (8325D4F8->BC2B974A), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (3B) intercepted (83290F59->BC2BA57E), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (40) intercepted (832597EF->BC2BAAC8), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEventPair (41) intercepted (833234D0->8EA33330), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (42) intercepted (83268362->BC2B9A26), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateIoCompletion (43) intercepted (83273875->8EA33422), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (4A) intercepted (8322928E->BC2BA9AE), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (4B) intercepted (83299749->BC2B8A24), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (4D) intercepted (8320A851->BC2BA882), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcessEx (50) - machine code modification Method of JmpTo. jmp 8F6E4D96\SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Function NtCreateSection (54) intercepted (8323C04D->BC2B8BCC), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (55) intercepted (8321EA85->BC2BABE8), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (57) intercepted (832F4ED6->BC2B93D0), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (58) intercepted (8328934B->BC2B94CE), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateTimer (59) intercepted (832173FD->8EA333DC), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (5D) intercepted (8328727D->BC2BB7AE), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (5E) intercepted (831BD1B8->BC2BA918), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (60) intercepted (832C6DB0->BC2BC2D6), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteBootEntry (64) intercepted (8331D7F3->8EA2DE44), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (6B) intercepted (8328C5F1->BC2B9EA8), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (6F) intercepted (8324A65A->BC2BD4E4), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFreeVirtualMemory (83) intercepted (830D247A->8F6CEB34), hook C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (86) intercepted (8326E8B0->BC2B9CB6), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (9B) intercepted (831DEBFC->BC2BC3C8), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (A8) intercepted (8325F512->BC2BCB30), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtModifyBootEntry (A9) intercepted (8331D9C4->8EA2DE90), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeKey (AC) intercepted (83212F09->8EA30D1C), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeMultipleKeys (AD) intercepted (8321202B->8EA2EB02), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B1) intercepted (83228C8A->BC2BAB5E), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEventPair (B2) intercepted (833235D1->8EA33352), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (B3) intercepted (8324AC7A->BC2B97CC), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenIoCompletion (B4) intercepted (832CFF53->8EA33446), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BB) intercepted (8327A2F0->BC2BAA3E), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (BE) intercepted (8322AAD4->BC2B9074), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C2) intercepted (8328289B->BC2BC8CA), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C3) intercepted (831FE1B8->BC2BAC7E), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C6) intercepted (83276F95->BC2B8F64), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenTimer (C9) intercepted (83323277->8EA33400), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtProtectVirtualMemory (D7) intercepted (8325B581->8F6CECA0), hook C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (E0) intercepted (83271BFE->BC2BB868), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryObject (F8) intercepted (83219FCE->8EA2E9CE), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (FE) intercepted (8328FC36->BC2BCE6A), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (10D) intercepted (83214D9C->BC2BC75C), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (124) intercepted (832B4B18->BC2B76DE), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (126) intercepted (83209B2F->BC2BAFE2), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (127) intercepted (8325174C->BC2BAEA8), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (12B) intercepted (83256A43->BC2BC070), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (12E) intercepted (832AAB5C->BC2B7A56), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (130) intercepted (83289572->BC2BD386), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (135) intercepted (832AC3CE->BC2B7676), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (138) intercepted (83276FCA->BC2BA2C4), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetBootEntryOrder (13A) intercepted (8331E0D5->8EA2DEDC), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetBootOptions (13B) intercepted (8331E5C1->8EA2DF28), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (13C) intercepted (832F6755->BC2B95EC), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (150) intercepted (8321C878->BC2BB90A), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (15B) intercepted (8321A71E->BC2BC566), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (15E) intercepted (8326726C->BC2BCFBA), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemPowerState (15F) intercepted (8333AE4A->8EA2DCEA), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtShutdownSystem (168) intercepted (8331B9F7->8EA2DC92), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (16E) intercepted (832F6BE3->BC2BD0AC), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (16F) intercepted (832AE085->BC2BD1E6), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (170) intercepted (8329E6BC->BC2BC1FA), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (172) intercepted (83273BCD->BC2B921A), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (173) intercepted (83291584->BC2B9170), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (181) intercepted (8327D85A->BC2BCD0E), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtVdmControl (182) intercepted (83310BAF->8EA2DF74), hook C:\Windows\System32\Drivers\aswSnx.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (18F) intercepted (8327892A->BC2B9306), hook C:\Windows\system32\DRIVERS\2785567drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function ObMakeTemporaryObject (83223C64) - machine code modification Method of JmpTo. jmp 8F6E1C8C \SystemRoot\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 401, intercepted: 73, restored: 75
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 8F6E48B0 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8F6E48F0 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = 8F6E49B8 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8F6E49F8 -> C:\Windows\System32\Drivers\aswSP.SYS, driver recognized as trusted
 Checking - complete
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Service termination timeout is out of admissible values
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Remote Desktop Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[956] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
554	LISTENING	0.0.0.0	0	[3520] c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate
2002	ESTABLISHED	127.0.0.1	49209	[2456] c:\program files\logmein\x86\logmein.exe Script: Quarantine, Delete, BC delete, Terminate
2002	LISTENING	0.0.0.0	0	[2456] c:\program files\logmein\x86\logmein.exe Script: Quarantine, Delete, BC delete, Terminate
2869	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
5354	ESTABLISHED	127.0.0.1	49162	[2212] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	0	[2212] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5357	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
10243	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, BC delete, Terminate
12025	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12080	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12110	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12119	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12143	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12465	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12563	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12993	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
12995	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	0	[2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
27275	LISTENING	0.0.0.0	0	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
49152	LISTENING	0.0.0.0	0	[596] c:\windows\system32\wininit.exe Script: Quarantine, Delete, BC delete, Terminate
49153	LISTENING	0.0.0.0	0	[1008] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49154	LISTENING	0.0.0.0	0	[668] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
49155	LISTENING	0.0.0.0	0	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
49161	LISTENING	0.0.0.0	0	[1792] c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate
49162	ESTABLISHED	127.0.0.1	5354	[2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
49174	ESTABLISHED	216.52.233.164	443	[2456] c:\program files\logmein\x86\logmein.exe Script: Quarantine, Delete, BC delete, Terminate
49176	LISTENING	0.0.0.0	0	[652] c:\windows\system32\services.exe Script: Quarantine, Delete, BC delete, Terminate
49209	ESTABLISHED	127.0.0.1	2002	[3532] c:\program files\logmein\x86\logmeinsystray.exe Script: Quarantine, Delete, BC delete, Terminate
51716	ESTABLISHED	72.5.58.47	80	[1644] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, BC delete, Terminate
51723	TIME_WAIT	192.168.2.1	1780	[0]
51724	TIME_WAIT	192.168.2.1	1780	[0]
UDP ports
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[1276] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[1276] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3702	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
5004	LISTENING	--	--	[3520] c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate
5005	LISTENING	--	--	[3520] c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[2212] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5355	LISTENING	--	--	[1516] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
52848	LISTENING	--	--	[5012] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
55702	LISTENING	--	--	[2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
55703	LISTENING	--	--	[2184] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
55704	LISTENING	--	--	[2212] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
55706	LISTENING	--	--	[1792] c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate
55749	LISTENING	--	--	[4080] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
61035	LISTENING	--	--	[4600] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
61054	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
61056	LISTENING	--	--	[1276] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
65061	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
65062	LISTENING	--	--	[2996] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
65388	LISTENING	--	--	[1276] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate