Results of system analysis

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\progra~1\mcafee.com\agent\mcagent.exe Script: Quarantine, Delete, BC delete, Terminate	1836	McAfee Integrated Security Platform	Copyright © 2008 McAfee, Inc.	??	630.20 kb, rsAh, created: 12/16/2005 4:55:07 PM, modified: 1/8/2009 8:30:26 PM Command line: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
c:\progra~1\mcafee\msc\mcmscsvc.exe Script: Quarantine, Delete, BC delete, Terminate	400	McAfee Services	Copyright © 2008 McAfee, Inc.	??	779.16 kb, rsAh, created: 3/23/2007 5:19:41 AM, modified: 1/8/2009 8:30:26 PM Command line: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\mcafee\mpf\mpfsrv.exe Script: Quarantine, Delete, BC delete, Terminate	476	McAfee Personal Firewall Service	Copyright © 2008 McAfee, Inc. All Rights Reserved.	??	863.63 kb, rsAh, created: 3/23/2007 5:21:20 AM, modified: 3/19/2009 11:42:02 AM Command line: "C:\Program Files\McAfee\MPF\MPFSrv.exe"
c:\windows\system32\winlogon.exe Script: Quarantine, Delete, BC delete, Terminate	876	Windows NT Logon Application	© Microsoft Corporation. All rights reserved.	??	496.00 kb, rsAh, created: 8/10/2004 2:51:29 PM, modified: 4/13/2008 8:12:39 PM Command line: winlogon.exe
Detected:17, recognized as trusted 17

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\McAfee\MPF\1033\L10N.DLL Script: Quarantine, Delete, BC delete	1660944384	McAfee Personal Firewall Plus L10N	Copyright © 2008 McAfee, Inc. All Rights Reserved.	--	400, 476
C:\Program Files\McAfee\MSC\oem\105-72\Mccobres.dll Script: Quarantine, Delete, BC delete	1715470336	McAfee Co-Branded Resource DLL	Copyright © 2006 McAfee, Inc.	--	1836, 400
C:\Program Files\SiteAdvisor\6172\SiteAdv.dll Script: Quarantine, Delete, BC delete	268435456			--	400
C:\PROGRA~1\McAfee\MPS\1033\MpsRes.DLL Script: Quarantine, Delete, BC delete	1685061632	McAfee Parental Controls 11.0	Copyright © 2008 McAfee, Inc.	--	400
C:\PROGRA~1\McAfee\MSC\1033\McLocRes.dll Script: Quarantine, Delete, BC delete	1716518912	McAfee Localized Resource DLL	Copyright © 2008 McAfee, Inc.	--	1836, 400
C:\PROGRA~1\McAfee\MSC\Mccobres.dll Script: Quarantine, Delete, BC delete	13303808	McAfee Co-Branded Resource DLL	Copyright © 2008 McAfee, Inc.	--	1836, 400
C:\PROGRA~1\McAfee\VIRUSS~1\1033\vscobres.dll Script: Quarantine, Delete, BC delete	1812987904	McAfee Application Information Provider	Copyright © 2008 McAfee, Inc.	--	400
C:\WINDOWS\System32\BCMLogon.dll Script: Quarantine, Delete, BC delete	18022400	Wireless Network Logon Provider	1998-2005, Broadcom Corporation All Rights Reserved.	--	876
Modules detected:258, recognized as trusted 250

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\System32\Drivers\dump_iastor.sys Script: Quarantine, Delete, BC delete	B9FC5000	0D5000 (872448)
Modules detected - 99, recognized as trusted - 98

Services

Service	Description	Status	File	Group	Dependencies
Creative Labs Licensing Service Service: Stop, Delete, Disable	Creative Labs Licensing Service	Not started	C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe Script: Quarantine, Delete, BC delete
CVPND Service: Stop, Delete, Disable	Cisco Systems, Inc. VPN Service	Not started	C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe Script: Quarantine, Delete, BC delete		Tcpip
DSBrokerService Service: Stop, Delete, Disable	DSBrokerService	Not started	C:\Program Files\DellSupport\brkrsvc.exe Script: Quarantine, Delete, BC delete
IAANTMon Service: Stop, Delete, Disable	Intel(R) Matrix Storage Event Monitor	Not started	C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe Script: Quarantine, Delete, BC delete
Maxtor Sync Service Service: Stop, Delete, Disable	Maxtor Service	Not started	C:\Program Files\Maxtor\Sync\SyncServices.exe Script: Quarantine, Delete, BC delete
McODS Service: Stop, Delete, Disable	McAfee Scanner	Not started	C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe Script: Quarantine, Delete, BC delete
McSysmon Service: Stop, Delete, Disable	McAfee SystemGuards	Not started	C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe Script: Quarantine, Delete, BC delete
MrHealthyService Service: Stop, Delete, Disable	MrHealthy	Not started	C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe Script: Quarantine, Delete, BC delete
WebUpdate4 Service: Stop, Delete, Disable	Web Update Wizard Service V4	Not started	C:\WINDOWS\system32\WebUpdateSvc4.exe Script: Quarantine, Delete, BC delete
wltrysvc Service: Stop, Delete, Disable	Broadcom Wireless LAN Tray Service	Not started	C:\WINDOWS\System32\wltrysvc.exe Script: Quarantine, Delete, BC delete	wltrysvc
Detected - 116, recognized as trusted - 106

Drivers

Service	Description	Status	File	Group	Dependencies
Abiosdsk Driver: Unload, Delete, Disable	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
Atdisk Driver: Unload, Delete, Disable	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
bvrp_pci Driver: Unload, Delete, Disable	bvrp_pci	Not started	bvrp_pci.sys Script: Quarantine, Delete, BC delete
Changer Driver: Unload, Delete, Disable	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
CVPNDRVA Driver: Unload, Delete, Disable	Cisco Systems IPsec Driver	Not started	C:\WINDOWS\system32\Drivers\CVPNDRVA.sys Script: Quarantine, Delete, BC delete		DNE
DSproct Driver: Unload, Delete, Disable	DSproct	Not started	C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys Script: Quarantine, Delete, BC delete
lbrtfdc Driver: Unload, Delete, Disable	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
PCIDump Driver: Unload, Delete, Disable	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, BC delete
PDFRAME Driver: Unload, Delete, Disable	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, BC delete
PDRELI Driver: Unload, Delete, Disable	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, BC delete
PDRFRAME Driver: Unload, Delete, Disable	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, BC delete
Simbad Driver: Unload, Delete, Disable	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
wanatw Driver: Unload, Delete, Disable	WAN Miniport (ATW)	Not started	C:\WINDOWS\system32\DRIVERS\wanatw4.sys Script: Quarantine, Delete, BC delete	NDIS
WDICA Driver: Unload, Delete, Disable	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, BC delete
Detected - 215, recognized as trusted - 200

Autoruns

File name	Status	Startup method	Description
C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Creative MediaSource Go
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, CTSysVol
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, VoiceCenter
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, dlbxmon.exe
C:\Program Files\DellSupport\DSAgnt.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, DellSupport
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IAAnotif
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, mxomssmenu
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, MMTray
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SiteAdvisor
C:\WINDOWS\MIDIDef.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SetDefaultMIDI
C:\WINDOWS\stsystra.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SigmatelSysTrayApp
C:\WINDOWS\system32\CTMBHA.DLL Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, MBMon
appmgmts.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}, DLLName
Autoruns items detected - 86, recognized as trusted - 72

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\Program Files\SiteAdvisor\6172\SiteAdv.dll Script: Quarantine, Delete, BC delete	BHO			{089FD14D-132B-48FC-8861-0048AE113215} Delete
C:\Program Files\IE7pro\IE7pro.dll Script: Quarantine, Delete, BC delete	BHO	IE7pro Module	Copyright 2006	{68C55168-E188-40DF-A514-835FCD78B1BF} Delete
C:\Program Files\SiteAdvisor\6172\SiteAdv.dll Script: Quarantine, Delete, BC delete	Toolbar			{0BF43445-2F28-4351-9252-17FE6E806AA0} Delete
	Extension module			{0026439F-A980-4f18-8C95-4F1CBBF9C1D8} Delete
	Extension module			{92780B25-18CC-41C8-B9BE-3C9C571A8263} Delete
	Extension module			{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} Delete
Elements detected - 21, recognized as trusted - 15

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, BC delete	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3}
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56}
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Script: Quarantine, Delete, BC delete	Autoplay for SlideShow			{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153}
C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll Script: Quarantine, Delete, BC delete	QBVersionTool	QBVersionTool	Copyright © Intuit, Inc. 1993-2004.	{7D5C4BDD-B015-4401-8731-1507B87DE297}
Elements detected - 202, recognized as trusted - 195

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 10, recognized as trusted - 10

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
c:\program files\mcafee.com\vso\mcmnhdlr.exe Script: Quarantine, Delete, BC delete	McAfee.com Scan for Viruses - My Computer (HOME2-Nicholas Migneault).job	The task has not yet run.
C:\Program Files\Norton PC Checkup\PC_Checkup.exe Script: Quarantine, Delete, BC delete	Norton PC Checkup Weekday Scanner.job	The task is ready to run at its next scheduled time.	Norton PC Checkup Application	Copyright (C) 2008
C:\Program Files\Norton PC Checkup\PC_Checkup.exe Script: Quarantine, Delete, BC delete	Norton PC Checkup Weekend Scanner.job	The task is ready to run at its next scheduled time.	Norton PC Checkup Application	Copyright (C) 2008
C:\Program Files\Norton Security Scan\Nss.exe Script: Quarantine, Delete, BC delete	Norton Security Scan.job	The task is ready to run at its next scheduled time.	Norton Security Scan	Copyright (c) 2008 Symantec Corporation
C:\WINDOWS\TEMP\tempo-94653984.tmp Script: Quarantine, Delete, BC delete	{7B02EF0B-A410-4938-8480-9BA26420A627}.job	The task has not yet run.
Elements detected - 11, recognized as trusted - 6

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 4, recognized as trusted - 4

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 19, recognized as trusted - 19
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 39134 [1212] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 39038 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 45161 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1051 TIME_WAIT 192.168.1.5 139 [0]
1052 TIME_WAIT 192.168.1.5 139 [0]
UDP ports
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
C:\Program Files\Common Files\supportsoft\bin\tgctlcm.dll
Script: Quarantine, Delete, BC delete tgctlcm Module Copyright 1997-2008 SupportSoft {01113300-3E00-11D2-8470-0060089874ED}
Delete https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
C:\WINDOWS\Downloaded Program Files\mnviewer.dll
Script: Quarantine, Delete, BC delete Musicnotes Viewer plugin 1.15.4 Copyright © 1997,1998,1999,2000,2001,2002,2003 MUSICNOTES, INC. {1239CC52-59EF-4DFA-8C61-90FFA846DF7E}
Delete http://www.musicnotes.com/download/mnviewer.cab
C:\WINDOWS\DOWNLO~1\CHATRE~1.OCX
Script: Quarantine, Delete, BC delete Chat Republic Games Internet Player (c) Chat Republic Games Oy. All rights reserved. {127E0308-CF06-446D-88B8-2971DB94C179}
Delete http://www.superstarracing.net/miniclip/ChatRepublicPlayer.cab
{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Delete http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
C:\WINDOWS\DOWNLO~1\GAMELA~1.OCX
Script: Quarantine, Delete, BC delete Acclaim GameLauncher ActiveX Control Module Copyright (C) 2006 {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A}
Delete http://www.acclaim.com/cabs/acclaim_v5.cab
C:\WINDOWS\Downloaded Program Files\OTOYAX.dll
Script: Quarantine, Delete, BC delete OTOY ActiveX Control Copyright © 2000 - 2004 {77E32299-629F-43C6-AB77-6A1E6D7663F6}
Delete http://download.shockwave.com/pub/otoy/OTOYAX.cab
C:\WINDOWS\system32\igloader.dll
Script: Quarantine, Delete, BC delete igLoader Copyright 2005-2007 {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A}
Delete http://www.miniclip.com/igloader/igloader.CAB
Elements detected - 26, recognized as trusted - 19

Control Panel Applets (CPL)

File name Description Manufacturer
C:\WINDOWS\system32\stac97.cpl
Script: Quarantine, Delete, BC delete Sigmatel Audio Control Panel Copyright (c) 2004-2005, SigmaTel, Inc.
Elements detected - 27, recognized as trusted - 26

Active Setup

File name Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
Script: Quarantine, Delete, BC delete Handler () {3A5DC592-7723-4EAA-9EE6-AF4222BCF879}
Elements detected - 33, recognized as trusted - 32

Suspicious objects

File Description Type
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000380.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.Kyjak
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000583.msg
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Trojan-PSW.Win32.OnLineGames.cxn ( 0ACB8D93 03DDCB32 000A2A8A 00213DC7 32256)
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000664.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.Kyjak
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000911.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.Kyjak
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000256.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.Kyjak
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000446.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.EraseA
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000547.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.Kyjak
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000597.msg
Script: Quarantine, Delete, BC delete Malicious object Trojan.BAT.KillFiles.jd

AVZ Antiviral Toolkit log; AVZ version is 4.30 Scanning started at 8/7/2009 8:33:26 AM Database loaded: signatures - 235439, NN profile(s) - 2, microprograms of healing - 56, signature database released 07.08.2009 00:14 Heuristic microprograms loaded: 374 SPV microprograms loaded: 9 Digital signatures of system files loaded: 129825 Heuristic analyzer mode: Maximum heuristics level Healing mode: enabled Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights System Restore: enabled System booted in Safe Mode with Networking 1. Searching for Rootkits and programs intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully Driver communication failure [00000002] - [1] 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully Driver communication failure [00000002] - [1] 2. Scanning memory Number of processes found: 16 Number of modules loaded: 251 Scanning memory - complete 3. Scanning disks C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000380.msg/{MS-OLE}/\__recip_version1.0_#00000000\__substg1.0_0FF60102 >>>>> Trojan.Kyjak C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000583.msg >>> suspicion for Trojan-PSW.Win32.OnLineGames.cxn ( 0ACB8D93 03DDCB32 000A2A8A 00213DC7 32256) File quarantined succesfully (C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000583.msg) C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000664.msg/{MS-OLE}/\__recip_version1.0_#00000000\__substg1.0_0FF60102 >>>>> Trojan.Kyjak C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\3\Front\2\M0000000911.msg/{MS-OLE}/\__recip_version1.0_#00000003\__substg1.0_0FF60102 >>>>> Trojan.Kyjak C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000256.msg/{MS-OLE}/\__recip_version1.0_#0000001A\__substg1.0_0FF60102 >>>>> Trojan.Kyjak C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000446.msg/{MS-OLE}/\__recip_version1.0_#00000000\__substg1.0_3001001E >>>>> Trojan.EraseA C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000547.msg/{MS-OLE}/\__recip_version1.0_#00000015\__substg1.0_0FF60102 >>>>> Trojan.Kyjak C:\Documents and Settings\All Users\Application Data\McAfee\MSK\Users\5\Front\1\M0000000597.msg/{MS-OLE}/\__substg1.0_300B0102 >>>>> Trojan.BAT.KillFiles.jd File quarantined succesfully (C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf) C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf >>>>> Spy.MyWebSearch deleted successfully Removing traces of deleted files... 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious programs Checking disabled by user 7. Heuristic system check Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL" >>> Suspicion on trojan DNS ({4DA27B96-EA3D-42B1-BE4B-3FD336334422} "Local Area Connection") Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: TermService (Terminal Services) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> Abnormal COM files association >> Abnormal PIF files association >> Abnormal BAT files association >> Abnormal SCR files association >> Abnormal REG files association >> HDD autorun are allowed >> Autorun from network drives are allowed >> Removable media autorun are allowed Checking - complete Files scanned: 384170, extracted from archives: 297045, malicious software found 8, suspicions - 1 Scanning finished at 8/7/2009 9:23:43 AM Time of scanning: 00:50:19 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Creating archive of files from Quarantine Creating archive of files from Quarantine - complete System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	39134	[1212] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	39038	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	45161	[4] System Script: Quarantine, Delete, BC delete, Terminate
1051	TIME_WAIT	192.168.1.5	139	[0]
1052	TIME_WAIT	192.168.1.5	139	[0]
UDP ports
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate