Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\program files\common files\aol\acs\aolacsd.exe Script: Quarantine, Delete, Delete via BC, Terminate	396	AOL Connectivity Service	Copyright © 2001-2006 AOL LLC	??	45.55 kb, rsAh, created: 10/23/2006 7:50:35 AM, modified: 10/23/2006 7:50:35 AM Command line: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
c:\program files\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate	2724	Firefox	©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable.	??	888.96 kb, rsAh, created: 1/24/2008 9:38:59 PM, modified: 1/15/2010 10:09:37 PM Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
c:\program files\quicknote\quicknote.exe Script: Quarantine, Delete, Delete via BC, Terminate	1992	JC&MB Quicknote	Copyright © Jens Mьller 2007. All rights reserved.	??	1156.00 kb, rsAh, created: 1/23/2008 8:40:28 PM, modified: 12/2/2007 8:20:20 AM Command line: "C:\Program Files\Quicknote\quicknote.exe"
c:\program files\screenprint32 v3\screenprint32.exe Script: Quarantine, Delete, Delete via BC, Terminate	1960	Main Executable	Copyright 1997-2003 Provtech Limited	??	436.00 kb, rsAh, created: 5/15/2003 7:36:40 PM, modified: 5/15/2003 7:36:40 PM Command line: "C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" -startup
Detected:36, recognized as trusted 33

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Common Files\AOL\ACS\ACSMDiag.dll Script: Quarantine, Delete, Delete via BC	2883584	AOL Connectivity Service Diagnostics	Copyright © 2001-2006 AOL LLC	--	396
C:\Program Files\Common Files\AOL\ACS\AOLacsd.dll Script: Quarantine, Delete, Delete via BC	268435456	AOL Connectivity Service	Copyright © 2001-2006 AOL LLC	--	396
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe Script: Quarantine, Delete, Delete via BC	4194304	AOL Connectivity Service	Copyright © 2001-2006 AOL LLC	??	396
C:\Program Files\Common Files\AOL\ACS\xpat.dll Script: Quarantine, Delete, Delete via BC	1310720	AOL Connectivity Service XML Parser	Copyright © 2001-2006 AOL LLC	--	396
C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll Script: Quarantine, Delete, Delete via BC	1811546112	AOL Diagnostics	Copyright © 1998-2005 - SupportSoft Software, Inc. All Rights Reserved.	--	396
C:\Program Files\Light Downloader\Firefox\Extension\components\ldmff.dll Script: Quarantine, Delete, Delete via BC	12910592			--	2724
C:\Program Files\Quicknote\quicknote.exe Script: Quarantine, Delete, Delete via BC	4194304	JC&MB Quicknote	Copyright © Jens Mьller 2007. All rights reserved.	??	1992
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe Script: Quarantine, Delete, Delete via BC	4194304	Main Executable	Copyright 1997-2003 Provtech Limited	??	1960
C:\Windows\System32\xwpdlx20.ocx Script: Quarantine, Delete, Delete via BC	22937600	Image processing utility	1999-2002 Softuarium	--	1960
Modules found:403, recognized as trusted 394

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\kernel.sys Script: Quarantine, Delete, Delete via BC	831EA000	016000 (90112)	Hypersight Kernel Module	Copyright (C) North Security Labs 2008
Modules found - 140, recognized as trusted - 139

Services

Service	Description	Status	File	Group	Dependencies
AOL ACS Service: Stop, Delete, Disable	AOL Connectivity Service	Running	C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe Script: Quarantine, Delete, Delete via BC
IPTools Service: Stop, Delete, Disable	IPTools	Not started	C:\Documents and Settings\Nichole\Desktop\DOWNLOADS FOLDER\IP Tools 10-19-2008\sniffer\iptools.exe Script: Quarantine, Delete, Delete via BC
Symantec Core LC Service: Stop, Delete, Disable	Symantec Core LC	Not started	C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe Script: Quarantine, Delete, Delete via BC	Symantec Services	RPCSS
WLSetupSvc Service: Stop, Delete, Disable	Windows Live Setup Service	Not started	C:\Program Files\Windows Live\installer\WLSetupSvc.exe Script: Quarantine, Delete, Delete via BC
Detected - 129, recognized as trusted - 125

Drivers

Service	Description	Status	File	Group	Dependencies
kernel Driver: Unload, Delete, Disable	Hypersight Kernel	Running	C:\Windows\system32\Drivers\kernel.sys Script: Quarantine, Delete, Delete via BC	HSRD
catchme Driver: Unload, Delete, Disable	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
DrvAgent32 Driver: Unload, Delete, Disable	DrvAgent32	Not started	C:\Windows\system32\Drivers\DrvAgent32.sys Script: Quarantine, Delete, Delete via BC
IKFileSec Driver: Unload, Delete, Disable	File Security Driver	Not started	C:\Windows\system32\drivers\ikfilesec.sys Script: Quarantine, Delete, Delete via BC	FSFilter Anti-Virus	FltMgr
IntcAzAudAddService Driver: Unload, Delete, Disable	Service for Realtek HD Audio (WDM)	Not started	C:\Windows\system32\drivers\RTKVHDA.sys Script: Quarantine, Delete, Delete via BC
PCD5SRVC{BD6912E3-AC9D80E8-05040000} Driver: Unload, Delete, Disable	PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver	Not started	C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms Script: Quarantine, Delete, Delete via BC
SANDRA Driver: Unload, Delete, Disable	SANDRA	Not started	C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP3\WNt500x86\Sandra.sys Script: Quarantine, Delete, Delete via BC
SymIM Driver: Unload, Delete, Disable	Symantec Network Security Intermediate Filter Service	Not started	C:\Windows\system32\DRIVERS\SymIM.sys Script: Quarantine, Delete, Delete via BC
Detected - 228, recognized as trusted - 220

Autoruns

File name	Status	Startup method	Description
C:\Program Files\Audacity\audacity.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\audacity - Shortcut.lnk,
C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Paint Shop Pro.lnk,
C:\Program Files\Quicknote\quicknote.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Quicknote Delete
C:\Program Files\Quicknote\quicknote.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quicknote.lnk,
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ScreenPrint32 Delete
C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\Events.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SandraAgentSrv, EventMessageFile Delete
C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\Events.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SandraTheSrv, EventMessageFile Delete
C:\Program Files\coolpro2\coolpro2.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\coolpro2 - Shortcut.lnk,
C:\Program Files\hnFAPMon\Message.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\hnFAPMon Service, EventMessageFile Delete
C:\Users\Nichole\AppData\Local\Temp\OnlineScanner\Anti-Virus\fsgk.sys Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\F-Secure Gatekeeper, EventMessageFile Delete
C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\E-mail - Shortcut.lnk Script: Quarantine, Delete, Delete via BC	Active	File in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\E-mail - Shortcut.lnk,
C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk Script: Quarantine, Delete, Delete via BC	Active	File in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk Script: Quarantine, Delete, Delete via BC	Active	File in Startup folder	C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Nichole\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk,
C:\WindowsSystem32\IoLogMsg.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile Delete
C:\Windows\System32\appmgmts.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll Delete
C:\Windows\System32\igmpv2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile Delete
C:\Windows\System32\ipbootp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile Delete
C:\Windows\System32\iprip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
Drwtsn32 -p %ld -e %ld Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\AeDebug, Debugger
SDEvents.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile Delete
c:\Program Files\Common Files\LightScribe\LSSMsg.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\LightScribeService, EventMessageFile Delete
divxa32.acm Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, msacm.divxa32 Delete
progman.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
rdpclip Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
vgafix.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items found - 443, recognized as trusted - 415

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	BHO			{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} Delete
C:\Program Files\Light Downloader\ldmie2.dll Script: Quarantine, Delete, Delete via BC	BHO			{7A780B7B-DCF1-4ec4-BB13-2DF92CAD27DB} Delete
C:\Program Files\Moyea\YouTube FLV Downloader\MoyeaCatcher.dll Script: Quarantine, Delete, Delete via BC	BHO			{9B4DF450-DCC7-4B07-935D-0CD757A64583} Delete
	Toolbar			{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} Delete
res:\C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 Script: Quarantine, Delete, Delete via BC	Extension module			{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} Delete
	URLSearchHook			{EF99BD32-C1FB-11D2-892F-0090271D4F88} Delete
Items found - 10, recognized as trusted - 4

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	lnkfile			{00020d75-0000-0000-c000-000000000046} Delete
	Color Control Panel Applet			{b2c761c6-29bc-4f19-9251-e6195265baf1} Delete
	Add New Hardware			{7A979262-40CE-46ff-AEEE-7884AC3B6136} Delete
	Get Programs Online			{3e7efb4c-faf1-453d-89eb-56026875ef90} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	ActiveDirectory Folder			{1b24a030-9b20-49bc-97ac-1be4426f9e59} Delete
	ActiveDirectory Folder			{34449847-FD14-4fc8-A75A-7432F5181EFB} Delete
	Sam Account Folder			{C8494E42-ACDD-4739-B0FB-217361E4894F} Delete
	Sam Account Folder			{E29F9716-5C08-4FCD-955A-119FDB5A522D} Delete
	Control Panel command object for Start menu			{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} Delete
	Default Programs command object for Start menu			{E44E5D18-0652-4508-A4E2-8A090067BCB0} Delete
	Folder Options			{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} Delete
	Explorer Query Band			{2C2577C2-63A7-40e3-9B7F-586602617ECB} Delete
	View Available Networks			{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} Delete
	Contacts folder			{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} Delete
	Windows Firewall			{4026492f-2f69-46b8-b9bf-5654fc07e423} Delete
	Problem Reports and Solutions			{fcfeecae-ee1b-4849-ae50-685dcf7717ec} Delete
	iSCSI Initiator			{a304259d-52b8-4526-8b1a-a1d6cecc8243} Delete
	.cab or .zip files			{911051fa-c21c-4246-b470-070cd8df6dc4} Delete
	Windows Search Shell Service			{da67b8ad-e81b-4c70-9b91b417b5e33527} Delete
	Microsoft.ScannersAndCameras			{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} Delete
"C:\Windows\System32\rundll32.exe" "C:\Program Files\\Windows Photo Gallery\PhotoViewer.dll",ImageView_COMServer {9D687A4C-1404-41ef-A089-883B6FBECDE6} Script: Quarantine, Delete, Delete via BC	Windows Photo Gallery Viewer Autoplay Handler			{9D687A4C-1404-41ef-A089-883B6FBECDE6} Delete
	Windows Sidebar Properties			{37efd44d-ef8d-41b1-940d-96973a50e9e0} Delete
	Windows Features			{67718415-c450-4f3c-bf8a-b487642dc39b} Delete
	Windows Defender			{d8559eb9-20c0-410e-beda-7ed416aecc2a} Delete
	Mobility Center Control Panel			{5ea4f148-308c-46d7-98a9-49041b1dd468} Delete
"C:\Program Files\\Windows Media Player\wmprph.exe" Script: Quarantine, Delete, Delete via BC	Windows Media Player Rich Preview Handler			{031EE060-67BC-460d-8847-E4A7C5E45A27} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
C:\Windows\System32\ShellvRTF.dll Script: Quarantine, Delete, Delete via BC	ShellViewRTF	ShellvRTF	Copyright © 2002-2006	{7F67036B-66F1-411A-AD85-759FB9C5B0DB} Delete
C:\PROGRA~1\ZIPGEN~1\DROPHA~1.DLL Script: Quarantine, Delete, Delete via BC	ZipGenius Drop handler	ZG Drop Handler		{310A0C95-EA11-42AE-A8E4-53E69E650310} Delete
	ZipGenius DnD Extract handler			{FE8D01BF-610A-4261-9C6E-32D65A42C907} Delete
	FileMenuTools			{C1B2C38F-3DCA-4E3D-BC34-D5B87B636543} Delete
	Shell Extension for Malware scanning			{45AC2688-0253-4ED8-97DE-B5370FA7D48A} Delete
	Malware Defense extension			{5E2121EE-0300-11D4-8D3B-444553540000} Delete
Items found - 297, recognized as trusted - 263

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Items found - 6, recognized as trusted - 6

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
Items found - 1, recognized as trusted - 1

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 6, recognized as trusted - 6

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 14, recognized as trusted - 14
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [808] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
49152 LISTENING 0.0.0.0 0 [496] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49153 LISTENING 0.0.0.0 0 [872] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49154 LISTENING 0.0.0.0 0 [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49155 LISTENING 0.0.0.0 0 [928] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49156 LISTENING 0.0.0.0 0 [552] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49158 ESTABLISHED 127.0.0.1 49159 [2724] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49159 ESTABLISHED 127.0.0.1 49158 [2724] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49160 ESTABLISHED 127.0.0.1 49161 [2724] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49161 ESTABLISHED 127.0.0.1 49160 [2724] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49165 TIME_WAIT 74.125.45.100 80 [0]
49168 LISTENING 0.0.0.0 0 [540] c:\windows\system32\services.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [928] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [928] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5355 LISTENING -- -- [1264] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49178 LISTENING -- -- [1748] c:\program files\iobit\advanced systemcare 3\awc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49205 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49206 LISTENING -- -- [1140] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
C:\Windows\Downloaded Program Files\PCPitstop.dll
Script: Quarantine, Delete, Delete via BC PCPitstop Module Copyright (c) 2000-2009 PC Pitstop, LLC {0E5F0222-96B9-11D3-8997-00104BD12D94}
Delete http://pcpitstop.com/betapit/PCPitStop.CAB
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Delete http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
{E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Delete http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Items found - 9, recognized as trusted - 6

Control Panel Applets (CPL)

File name Description Manufacturer
Items found - 21, recognized as trusted - 21

Active Setup

File name Description Manufacturer CLSID
Items found - 9, recognized as trusted - 9

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
Script: Quarantine, Delete, Delete via BC Handler Belarc VoilaX Control (Belarc Pluggable Protocol) Copyright © 1997-2009 Belarc, Inc. {6318E0AB-2E93-11D1-B8ED-00608CC9A71F}
Items found - 19, recognized as trusted - 15

Suspicious objects

File Description Type
C:\Windows\System32\Drivers\kernel.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit >>> Kernel-mode hook - CPU[1].IDT[FF]

AVZ Antiviral Toolkit log; AVZ version is 4.32 Scanning started at 2/22/2010 3:41:18 AM Database loaded: signatures - 263977, NN profile(s) - 2, malware removal microprograms - 56, signature database released 21.02.2010 12:37 Heuristic microprograms loaded: 379 PVS microprograms loaded: 9 Digital signatures of system files loaded: 177756 Heuristic analyzer mode: Maximum heuristics mode Malware removal mode: disabled Windows version is: 6.0.6000, ; AVZ is run with administrator rights System Restore: enabled 1. Searching for Rootkits and other software intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=131B00) Kernel ntkrnlpa.exe found in memory at address 82400000 SDT = 82531B00 KiST = 824807D0 (398) Functions checked: 398, intercepted: 0, restored: 0 1.3 Checking IDT and SYSENTER Analyzing CPU 1 >>> Danger - possible CPU address substitution[1].IDT[FF] = [831F26E4] C:\Windows\System32\Drivers\kernel.sys Analyzing CPU 2 >>> Danger - possible CPU address substitution[2].IDT[FF] = [831F26E4] C:\Windows\System32\Drivers\kernel.sys Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking IRP handlers Checking - complete 2. Scanning RAM Number of processes found: 34 Extended process analysis: 1960 C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe [ES]:Registered for automatic startup !! Extended process analysis: 396 C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Loads RASAPI DLL - may use dialing ? Number of modules loaded: 357 Scanning RAM - complete 3. Scanning disks 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious software Checking - disabled by user 7. Heuristic system check Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268) >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100) >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> HDD autorun is allowed >> Network drives autorun is allowed >> Removable media autorun is allowed Checking - complete Files scanned: 391, extracted from archives: 0, malicious software found 0, suspicions - 0 Scanning finished at 2/22/2010 3:42:27 AM Time of scanning: 00:01:10 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Remove traces of deleted files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[808] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
139	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
49152	LISTENING	0.0.0.0	0	[496] c:\windows\system32\wininit.exe Script: Quarantine, Delete, Delete via BC, Terminate
49153	LISTENING	0.0.0.0	0	[872] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49154	LISTENING	0.0.0.0	0	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49155	LISTENING	0.0.0.0	0	[928] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49156	LISTENING	0.0.0.0	0	[552] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
49158	ESTABLISHED	127.0.0.1	49159	[2724] c:\program files\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate
49159	ESTABLISHED	127.0.0.1	49158	[2724] c:\program files\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate
49160	ESTABLISHED	127.0.0.1	49161	[2724] c:\program files\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate
49161	ESTABLISHED	127.0.0.1	49160	[2724] c:\program files\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate
49165	TIME_WAIT	74.125.45.100	80	[0]
49168	LISTENING	0.0.0.0	0	[540] c:\windows\system32\services.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[928] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[928] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
5355	LISTENING	--	--	[1264] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49178	LISTENING	--	--	[1748] c:\program files\iobit\advanced systemcare 3\awc.exe Script: Quarantine, Delete, Delete via BC, Terminate
49205	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49206	LISTENING	--	--	[1140] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate