Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\windows\system32\ctfmon.exe Script: Quarantine, Delete, Delete via BC, Terminate	3392	CTF Loader	© Microsoft Corporation. All rights reserved.	5F1D5F88303D4A4DBC8E5F97BA967CC3	15.00 kb, rsAh, created: 14.04.2008 15:00:00, modified: 14.04.2008 15:00:00 Command line: "C:\WINDOWS\system32\ctfmon.exe"
c:\windows\explorer.exe Script: Quarantine, Delete, Delete via BC, Terminate	2416	Windows Explorer	© Microsoft Corporation. All rights reserved.	12896823FB95BFB3DC9B46BCAEDC9923	1009.50 kb, rsAh, created: 14.04.2008 15:00:00, modified: 14.04.2008 15:00:00 Command line: C:\WINDOWS\Explorer.EXE
c:\windows\datecs\flex2k.exe Script: Quarantine, Delete, Delete via BC, Terminate	2780			B538660258454ABB4BD2412170EC67EF	148.00 kb, rsAh, created: 29.07.2012 03:05:57, modified: 30.12.2000 12:39:58 Command line: "C:\WINDOWS\Datecs\Flex2K.exe"
c:\windows\datecs\flexword2k\flexword2k.exe Script: Quarantine, Delete, Delete via BC, Terminate	3624			1C83CC205CD7725B77C068D67D349234	58.50 kb, rsAh, created: 25.07.2012 13:24:06, modified: 22.10.2001 15:50:34 Command line: "C:\WINDOWS\Datecs\FlexWord2K\FlexWord2K.exe"
c:\program files\intel\intel matrix storage manager\iaanotif.exe Script: Quarantine, Delete, Delete via BC, Terminate	3344	Event Monitor User Notification Tool	Copyright(C) Intel Corporation 2003-2009	5AF1E9600E3FF841E522703A4993ED0C	182.52 kb, rsAh, created: 25.07.2012 02:21:54, modified: 04.06.2009 19:03:32 Command line: "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
c:\program files\common files\java\java update\jusched.exe Script: Quarantine, Delete, Delete via BC, Terminate	3368	Java Update Scheduler	Copyright © 2014	887CAA31048EB8ED09A0CBD0E6F46F09	495.88 kb, rsAh, created: 07.10.2014 15:39:42, modified: 07.10.2014 15:39:42 Command line: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
c:\program files\lexmark 1200 series\lxczbmgr.exe Script: Quarantine, Delete, Delete via BC, Terminate	3352	Lexmark 1200 Series Button Manager	(C) 2006 Lexmark International, Inc.	CBDA2D5F8338812923B92D80F410AD5E	56.00 kb, rsAh, created: 11.02.2014 14:06:48, modified: 13.07.2006 14:22:50 Command line: "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
c:\program files\lexmark 1200 series\lxczbmon.exe Script: Quarantine, Delete, Delete via BC, Terminate	3428	Lexmark 1200 Series Button Monitor	(C) 2006 Lexmark International, Inc.	6041683BD131110B462D41263DCDB4F9	52.00 kb, rsAh, created: 11.02.2014 14:06:48, modified: 13.07.2006 14:33:14 Command line: "C:\Program Files\Lexmark 1200 Series\lxczbmon.exe"
c:\program files\nvidia corporation\ntune\ntunecmd.exe Script: Quarantine, Delete, Delete via BC, Terminate	3712	NVIDIA nTune Command	(c) NVIDIA Corp. All rights reserved.	E3F919DE4F54050E4069F6B3C91AC7C2	132.31 kb, rsAh, created: 19.09.2011 16:59:36, modified: 19.09.2011 16:59:36 Command line: "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" gpureading
c:\windows\rthdcpl.exe Script: Quarantine, Delete, Delete via BC, Terminate	3308	Realtek HD Audio Control Panel	Copyright (c) 2004 Realtek Semiconductor Corp.	3808A7DB5B3784C88B07DCF88258A27F	16480.50 kb, rsAh, created: 25.07.2012 02:14:35, modified: 03.07.2008 16:51:00 Command line: "C:\WINDOWS\RTHDCPL.EXE"
c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, Delete via BC, Terminate	1820	Spooler SubSystem App	© Microsoft Corporation. All rights reserved.	D8E14A61ACC1D4A6CD0D38AEBAC7FA3B	56.50 kb, rsAh, created: 14.04.2008 15:00:00, modified: 14.04.2008 15:00:00 Command line: C:\WINDOWS\system32\spoolsv.exe
c:\program files\teamviewer\version9\teamviewer.exe Script: Quarantine, Delete, Delete via BC, Terminate	4032	TeamViewer 9	TeamViewer GmbH	12220BA871C6D7BAE08FFDD137BAB697	13241.27 kb, rsAh, created: 09.02.2014 12:06:22, modified: 12.09.2014 21:14:55 Command line: "C:\Program Files\TeamViewer\Version9\TeamViewer.exe"
c:\program files\teamviewer\version9\teamviewer_service.exe Script: Quarantine, Delete, Delete via BC, Terminate	2932	TeamViewer 9	TeamViewer GmbH	4ACFC5853A3F0C6C2F54E537C23EE90F	4687.27 kb, rsAh, created: 09.02.2014 12:06:23, modified: 12.09.2014 21:14:55 Command line: "C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe"
c:\program files\teamviewer\version9\tv_w32.exe Script: Quarantine, Delete, Delete via BC, Terminate	3208	TeamViewer 9	TeamViewer GmbH	83DE0CC30F2E7F7108F550AEBDDCE4C7	224.27 kb, rsAh, created: 09.02.2014 12:06:24, modified: 12.09.2014 21:00:53 Command line: "C:\Program Files\TeamViewer\Version9\tv_w32.exe" --action hooks --log C:\Program Files\TeamViewer\Version9\TeamViewer9_Logfile.log
Detected:40, recognized as trusted 33

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\DoroPDFWriter\Doro.dll Script: Quarantine, Delete, Delete via BC	268435456	Doro	Copyright © 2002-2008	2312DDA28ADFF1F4689690FBD90B2EA3	1820
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmdENU.dll Script: Quarantine, Delete, Delete via BC	268435456	NVIDIA nTune Library	(c) NVIDIA Corp. All rights reserved.	C580B6F795814BE41BC0E4B426429CCB	3712
C:\Program Files\TeamViewer\Version9\tv_w32.dll Script: Quarantine, Delete, Delete via BC	425721856	TeamViewer 9	TeamViewer GmbH	4CED559981E38EB824B4281FB32118CB	4032, 3208
C:\WINDOWS\system32\newdll.dll Script: Quarantine, Delete, Delete via BC	268435456			4844FE58EC2A76233271EDDD0003C108	3392, 2416, 2780, 3624, 3344, 3352, 3428, 3712, 3308, 4032
Modules found:335, recognized as trusted 330

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\system32\ckldrv.sys Script: Quarantine, Delete, Delete via BC	B1D19000	005000 (20480)
C:\WINDOWS\System32\Drivers\dump_diskdump.sys Script: Quarantine, Delete, Delete via BC	A8CFE000	004000 (16384)
C:\WINDOWS\System32\Drivers\dump_mv61xx.sys Script: Quarantine, Delete, Delete via BC	A7EED000	040000 (262144)
Modules found - 124, recognized as trusted - 121

Services

Service	Description	Status	File	Group	Dependencies
TeamViewer9 Service: Stop, Delete, Disable, Delete via BC	TeamViewer 9	Running	C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe Script: Quarantine, Delete, Delete via BC
MozillaMaintenance Service: Stop, Delete, Disable, Delete via BC	Mozilla Maintenance Service	Not started	C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe Script: Quarantine, Delete, Delete via BC
rpcapd Service: Stop, Delete, Disable, Delete via BC	Remote Packet Capture Protocol v.0 (experimental)	Not started	C:\Program Files\WinPcap\rpcapd.exe Script: Quarantine, Delete, Delete via BC
SkypeUpdate Service: Stop, Delete, Disable, Delete via BC	Skype Updater	Not started	C:\Program Files\Skype\Updater\Updater.exe Script: Quarantine, Delete, Delete via BC		RpcSs
SpyHunter 4 Service Service: Stop, Delete, Disable, Delete via BC	SpyHunter 4 Service	Not started	C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE Script: Quarantine, Delete, Delete via BC	Base
Detected - 106, recognized as trusted - 101

Drivers

Service	Description	Status	File	Group	Dependencies
NetworkX Driver: Unload, Delete, Disable, Delete via BC	NetworkX	Running	C:\WINDOWS\system32\ckldrv.sys Script: Quarantine, Delete, Delete via BC
69512100 Driver: Unload, Delete, Disable, Delete via BC	69512100	Not started	C:\WINDOWS\system32\DRIVERS\69512100.sys Script: Quarantine, Delete, Delete via BC	69512100
Abiosdsk Driver: Unload, Delete, Disable, Delete via BC	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
abp480n5 Driver: Unload, Delete, Disable, Delete via BC	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
adpu160m Driver: Unload, Delete, Disable, Delete via BC	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Aha154x Driver: Unload, Delete, Disable, Delete via BC	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable, Delete via BC	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
aic78xx Driver: Unload, Delete, Disable, Delete via BC	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
AliIde Driver: Unload, Delete, Disable, Delete via BC	AliIde	Not started	AliIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
amsint Driver: Unload, Delete, Disable, Delete via BC	amsint	Not started	amsint.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc Driver: Unload, Delete, Disable, Delete via BC	asc	Not started	asc.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc3350p Driver: Unload, Delete, Disable, Delete via BC	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc3550 Driver: Unload, Delete, Disable, Delete via BC	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Atdisk Driver: Unload, Delete, Disable, Delete via BC	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
BT848 Driver: Unload, Delete, Disable, Delete via BC	BtCap, WDM Video Capture	Not started	C:\WINDOWS\system32\drivers\BT848.SYS Script: Quarantine, Delete, Delete via BC
BTTUNER Driver: Unload, Delete, Disable, Delete via BC	BtTuner, WDM TV Tuner	Not started	C:\WINDOWS\system32\drivers\BTTUNER.SYS Script: Quarantine, Delete, Delete via BC
BTXBAR Driver: Unload, Delete, Disable, Delete via BC	BtXBar, WDM Crossbar	Not started	C:\WINDOWS\system32\drivers\BTXBAR.SYS Script: Quarantine, Delete, Delete via BC
catchme Driver: Unload, Delete, Disable, Delete via BC	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
cd20xrnt Driver: Unload, Delete, Disable, Delete via BC	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Changer Driver: Unload, Delete, Disable, Delete via BC	Changer	Not started	Changer.sys Script: Quarantine, Delete, Delete via BC	Filter
CmdIde Driver: Unload, Delete, Disable, Delete via BC	CmdIde	Not started	CmdIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
Cpqarray Driver: Unload, Delete, Disable, Delete via BC	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
dac960nt Driver: Unload, Delete, Disable, Delete via BC	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
dpti2o Driver: Unload, Delete, Disable, Delete via BC	dpti2o	Not started	dpti2o.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
EsgScanner Driver: Unload, Delete, Disable, Delete via BC	EsgScanner	Not started	C:\WINDOWS\system32\DRIVERS\EsgScanner.sys Script: Quarantine, Delete, Delete via BC	FSFilter Activity Monitor	FltMgr
hpn Driver: Unload, Delete, Disable, Delete via BC	hpn	Not started	hpn.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
i2omgmt Driver: Unload, Delete, Disable, Delete via BC	i2omgmt	Not started	i2omgmt.sys Script: Quarantine, Delete, Delete via BC	SCSI Class
i2omp Driver: Unload, Delete, Disable, Delete via BC	i2omp	Not started	i2omp.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ini910u Driver: Unload, Delete, Disable, Delete via BC	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
IntelIde Driver: Unload, Delete, Disable, Delete via BC	IntelIde	Not started	IntelIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
lbrtfdc Driver: Unload, Delete, Disable, Delete via BC	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
mraid35x Driver: Unload, Delete, Disable, Delete via BC	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
PCIDump Driver: Unload, Delete, Disable, Delete via BC	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, Delete via BC	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable, Delete via BC	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, Delete via BC
PDFRAME Driver: Unload, Delete, Disable, Delete via BC	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, Delete via BC
PDRELI Driver: Unload, Delete, Disable, Delete via BC	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, Delete via BC
PDRFRAME Driver: Unload, Delete, Disable, Delete via BC	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, Delete via BC
perc2 Driver: Unload, Delete, Disable, Delete via BC	perc2	Not started	perc2.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
perc2hib Driver: Unload, Delete, Disable, Delete via BC	perc2hib	Not started	perc2hib.sys Script: Quarantine, Delete, Delete via BC	Filter
pwdrvio Driver: Unload, Delete, Disable, Delete via BC	pwdrvio	Not started	C:\WINDOWS\system32\pwdrvio.sys Script: Quarantine, Delete, Delete via BC
pwdspio Driver: Unload, Delete, Disable, Delete via BC	pwdspio	Not started	C:\WINDOWS\system32\pwdspio.sys Script: Quarantine, Delete, Delete via BC
ql1080 Driver: Unload, Delete, Disable, Delete via BC	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable, Delete via BC	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql12160 Driver: Unload, Delete, Disable, Delete via BC	ql12160	Not started	ql12160.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql1240 Driver: Unload, Delete, Disable, Delete via BC	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql1280 Driver: Unload, Delete, Disable, Delete via BC	ql1280	Not started	ql1280.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Simbad Driver: Unload, Delete, Disable, Delete via BC	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, Delete via BC	Filter
Sparrow Driver: Unload, Delete, Disable, Delete via BC	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
sym_hi Driver: Unload, Delete, Disable, Delete via BC	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
sym_u3 Driver: Unload, Delete, Disable, Delete via BC	sym_u3	Not started	sym_u3.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
symc810 Driver: Unload, Delete, Disable, Delete via BC	symc810	Not started	symc810.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
symc8xx Driver: Unload, Delete, Disable, Delete via BC	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
TosIde Driver: Unload, Delete, Disable, Delete via BC	TosIde	Not started	TosIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
ultra Driver: Unload, Delete, Disable, Delete via BC	ultra	Not started	ultra.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ViaIde Driver: Unload, Delete, Disable, Delete via BC	ViaIde	Not started	ViaIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
WDICA Driver: Unload, Delete, Disable, Delete via BC	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, Delete via BC
Detected - 213, recognized as trusted - 157

Autoruns

File name	Status	Startup method	Description
2013\TuneUpUtilitiesService32.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\TuneUp\TuneUp.UtilitiesSvc, EventMessageFile
C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\Application\chrome.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk,
C:\Program Files\Avant Browser\avant.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\Avant Browser.lnk,
C:\Program Files\Common Files\Java\Java Update\jusched.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SunJavaUpdateSched Delete
C:\Program Files\Java\jre7\bin\jqs.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\JavaQuickStarterService, EventMessageFile
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Lexmark 1200 Series Delete
C:\Program Files\Mozilla Firefox\firefox.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk,
C:\Program Files\Opera\opera.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk,
C:\Program Files\SA Dictionary 2010 Alpha 3\Diction.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Diction.exe.lnk,
C:\Program Files\Skype\Updater\Updater.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SkypeUpdate, EventMessageFile
C:\Program Files\TightVNC\tvnserver.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\tvnserver, EventMessageFile
C:\Program Files\TuneUp Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\TuneUp\TuneUp.UtilitiesSvc, EventMessageFile
C:\WINDOWS\System32\Drivers\AliIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\aliide, EventMessageFile
C:\WINDOWS\System32\Drivers\CmdIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cmdide, EventMessageFile
C:\WINDOWS\System32\Drivers\IntelIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide, EventMessageFile
C:\WINDOWS\System32\Drivers\TosIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\toside, EventMessageFile
C:\WINDOWS\System32\Drivers\ViaIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\viaide, EventMessageFile
C:\WINDOWS\System32\Drivers\lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
C:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\Desktop.scf Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\SomeNewUser\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut (2) to Desktop.lnk,
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\drivers\mbamchameleon.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mbamchameleon, EventMessageFile
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
deskpan.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
donotload_mscoree.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\.NETFramework\Performance, Library Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-21-1957994488-1177238915-1801674531-1003\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
Autoruns items found - 840, recognized as trusted - 799

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll Script: Quarantine, Delete, Delete via BC	BHO	Java(TM) Platform SE binary	Copyright © 2014	{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} Delete
C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll Script: Quarantine, Delete, Delete via BC	BHO	Java(TM) Platform SE binary	Copyright © 2014	{DBC80044-A445-435b-BC74-9C25C1C588A9} Delete
Items found - 9, recognized as trusted - 6

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, Delete via BC	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
	Find and Recover deleted files on you Computer			{0AF221E8-29B6-46EB-B420-DC696F042596} Delete
	Foxit PDF Preview Provider (XP)			{1B96FAD8-1C10-416E-8027-6EFF94045F6F} Delete
Items found - 206, recognized as trusted - 199

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
C:\Program Files\DoroPDFWriter\Doro.dll Script: Quarantine, Delete, Delete via BC	Monitor	Doro PDF Writer Port	Doro	Copyright © 2002-2008
Items found - 10, recognized as trusted - 9

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer	Path	Command line
Items found - 2, recognized as trusted - 2

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 3, recognized as trusted - 3

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 21, recognized as trusted - 21
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
445 LISTENING 0.0.0.0 32858 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1029 ESTABLISHED 127.0.0.1 5939 [4032] c:\program files\teamviewer\version9\teamviewer.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1059 ESTABLISHED 178.255.153.11 443 [2932] c:\program files\teamviewer\version9\teamviewer_service.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5939 ESTABLISHED 127.0.0.1 1029 [2932] c:\program files\teamviewer\version9\teamviewer_service.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5939 LISTENING 0.0.0.0 2112 [2932] c:\program files\teamviewer\version9\teamviewer_service.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
445 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_268.ocx
Script: Quarantine, Delete, Delete via BC {D27CDB6E-AE6D-11CF-96B8-444553540000}
Delete http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Items found - 1, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
C:\WINDOWS\system32\javacpl.cpl
Script: Quarantine, Delete, Delete via BC Java Control Panel Copyright © 2014
Items found - 28, recognized as trusted - 27

Active Setup

File name Description Manufacturer CLSID
Items found - 14, recognized as trusted - 14

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Items found - 32, recognized as trusted - 29

Shared resources

Network name Path Notes
ADMIN$ C:\WINDOWS Remote Admin
C$ C:\ Default share
D$ D:\ Default share
E$ E:\ Default share
IPC$ Remote IPC
K$ K:\ Default share
L$ L:\ Default share
O$ O:\ Default share
P$ P:\ Default share

Suspicious objects

File Description Type

Attention !!! Database was last updated 23.02.2014 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 25.10.2014 21:10:51
Database loaded: signatures - 297613, NN profile(s) - 2, malware removal microprograms - 56, signature database released 23.02.2014 17:04
Heuristic microprograms loaded: 405
PVS microprograms loaded: 9
Digital signatures of system files loaded: 649447
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 3 "Microsoft Windows XP" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 80504450 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
CmpCallCallBacks = 00093D84
Disable callback - уже нейтирализованы
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 40
 Number of modules loaded: 360
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\AdwCleaner\Backup\C\Documents and Settings\SomeNewUser\Application Data\Mozilla\Firefox\Profiles\simr37uq.default\prefs_10_10_2014_23_44_45.js
Direct reading: C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdm.dll
Direct reading: C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll
Direct reading: C:\Qoobox\BackEnv\SetPath.bat
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Hidden startup suspected:  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Messenger (Messenger)
>> Services: potentially dangerous service allowed: Alerter (Alerter)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 92652, extracted from archives: 73610, malicious software found 0, suspicions - 0
Scanning finished at 25.10.2014 21:17:16
Time of scanning: 00:06:26
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
Network diagnostics
 DNS & Ping
  Host "yandex.ru", IP="93.158.134.11,213.180.204.11,213.180.193.11", Ping=OK (0,84,93.158.134.11)
  Host "google.ru", IP="94.156.188.35,94.156.188.54,94.156.188.55,94.156.188.25,94.156.188.29,94.156.188.34,94.156.188.20,94.156.188.40,94.156.188.24,94.156.188.44,94.156.188.30,94.156.188.50,94.156.188.45,94.156.188.39,94.156.188.59,94.156.188.49", Ping=OK (0,12,94.156.188.35)
  Host "google.com", IP="94.156.188.29,94.156.188.39,94.156.188.40,94.156.188.44,94.156.188.30,94.156.188.34,94.156.188.59,94.156.188.55,94.156.188.50,94.156.188.35,94.156.188.20,94.156.188.54,94.156.188.24,94.156.188.25,94.156.188.49,94.156.188.45", Ping=OK (0,24,94.156.188.29)
  Host "www.kaspersky.com", IP="195.27.252.18", Ping=OK (0,50,195.27.252.18)
  Host "www.kaspersky.ru", IP="195.27.252.110", Ping=OK (0,47,195.27.252.110)
  Host "dnl-03.geo.kaspersky.com", IP="212.73.221.199", Ping=OK (0,64,212.73.221.199)
  Host "dnl-11.geo.kaspersky.com", IP="80.239.197.100", Ping=OK (0,53,80.239.197.100)
  Host "activation-v2.kaspersky.com", IP="195.27.252.50", Ping=Error (11010,2097172,195.27.252.50)
  Host "odnoklassniki.ru", IP="217.20.147.94", Ping=OK (0,100,217.20.147.94)
  Host "vk.com", IP="87.240.131.118,87.240.131.119,87.240.131.120", Ping=OK (0,93,87.240.131.118)
  Host "vkontakte.ru", IP="95.213.4.244,95.213.4.245,95.213.4.246", Ping=OK (0,96,95.213.4.244)
  Host "twitter.com", IP="199.16.156.6,199.16.156.230,199.16.156.70,199.16.156.102", Ping=OK (0,155,199.16.156.6)
  Host "facebook.com", IP="173.252.120.6", Ping=OK (0,149,173.252.120.6)
  Host "ru-ru.facebook.com", IP="31.13.93.193", Ping=OK (0,49,31.13.93.193)
 IE Setup
  AutoConfigURL=""
  AutoConfigProxy="wininet.dll"
  ProxyOverride=""
  ProxyServer=""
Network TCP/IP settings
  Interface: "Local Area Connection"


 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Messenger (Messenger)
Performance tweaking: disable service Alerter (Alerter)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
445	LISTENING	0.0.0.0	32858	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
1029	ESTABLISHED	127.0.0.1	5939	[4032] c:\program files\teamviewer\version9\teamviewer.exe Script: Quarantine, Delete, Delete via BC, Terminate
1059	ESTABLISHED	178.255.153.11	443	[2932] c:\program files\teamviewer\version9\teamviewer_service.exe Script: Quarantine, Delete, Delete via BC, Terminate
5939	ESTABLISHED	127.0.0.1	1029	[2932] c:\program files\teamviewer\version9\teamviewer_service.exe Script: Quarantine, Delete, Delete via BC, Terminate
5939	LISTENING	0.0.0.0	2112	[2932] c:\program files\teamviewer\version9\teamviewer_service.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
445	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate

Network name	Path	Notes
ADMIN$	C:\WINDOWS	Remote Admin
C$	C:\	Default share
D$	D:\	Default share
E$	E:\	Default share
IPC$		Remote IPC
K$	K:\	Default share
L$	L:\	Default share
O$	O:\	Default share
P$	P:\	Default share