Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	700	Apple Mobile Device Service	© 2010 Apple Inc. All rights reserved.	??	141.28 kb, rsAh, created: 3/19/2010 10:49:20 AM, modified: 3/19/2010 10:49:20 AM Command line: "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
c:\program files\divx\divx update\divxupdate.exe Script: Quarantine, Delete, Delete via BC, Terminate	2524	DivX Update	© Copyright 2000 - 2009 DivX, Inc.	??	1109.29 kb, rsAh, created: 3/5/2010 10:32:28 AM, modified: 3/5/2010 10:32:28 AM Command line: "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
c:\windows\explorer.exe Script: Quarantine, Delete, Delete via BC, Terminate	2528	Windows Explorer	© Microsoft Corporation. All rights reserved.	??	1009.50 kb, rsah, created: 8/19/2004 3:49:31 PM, modified: 4/13/2008 7:12:19 PM Command line: C:\WINDOWS\Explorer.EXE
c:\program files\intel\intel matrix storage manager\iaantmon.exe Script: Quarantine, Delete, Delete via BC, Terminate	752	RAID Monitor	Copyright(C) Intel Corporation 2003-05	??	84.12 kb, rsAh, created: 10/26/2005 1:59:35 PM, modified: 6/17/2005 7:55:58 AM Command line: "C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe"
c:\program files\ipod\bin\ipodservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	1804	iPodService Module (32-bit)	© 2003-2010 Apple Inc. All rights reserved.	??	532.79 kb, rsAh, created: 3/26/2010 1:09:52 AM, modified: 3/26/2010 1:09:52 AM Command line: "C:\Program Files\iPod\bin\iPodService.exe"
c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate	2848	iTunesHelper	© 2003-2010 Apple Inc. All rights reserved.	??	138.79 kb, rsAh, created: 3/26/2010 1:10:02 AM, modified: 3/26/2010 1:10:02 AM Command line: "C:\Program Files\iTunes\iTunesHelper.exe"
c:\program files\raxco\perfectdisk10\pdagent.exe Script: Quarantine, Delete, Delete via BC, Terminate	1060	PDAgent Module	Copyright © 2009	??	1553.26 kb, rsAh, created: 3/2/2010 9:41:16 AM, modified: 3/2/2010 9:41:16 AM Command line: "C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe"
c:\program files\raxco\perfectdisk10\pdagents1.exe Script: Quarantine, Delete, Delete via BC, Terminate	2676	PDAgentS1 Module	Copyright © 2009	??	65.26 kb, rsAh, created: 3/2/2010 9:41:18 AM, modified: 3/2/2010 9:41:18 AM Command line: "C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe"
c:\program files\raxco\perfectdisk10\pdengine.exe Script: Quarantine, Delete, Delete via BC, Terminate	2964	PDEngine Module	Copyright © 2009	??	1465.26 kb, rsAh, created: 3/2/2010 9:41:08 AM, modified: 3/2/2010 9:41:08 AM Command line: "C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe"
c:\program files\peerblock\peerblock.exe Script: Quarantine, Delete, Delete via BC, Terminate	2260	PeerBlock	Copyright (C) 2009-2010 PeerBlock, LLC	??	1697.61 kb, rsAh, created: 3/28/2010 8:09:07 PM, modified: 3/9/2010 9:58:32 AM Command line: "C:\Program Files\PeerBlock\peerblock.exe"
c:\program files\raxco\perfectdisk10\perfectdisk.exe Script: Quarantine, Delete, Delete via BC, Terminate	2668	PerfectDisk 11	Copyright © 2010	??	9045.26 kb, rsAh, created: 3/2/2010 9:41:20 AM, modified: 3/2/2010 9:41:20 AM Command line: "C:\Program Files\Raxco\PerfectDisk10\PerfectDisk.exe" /icononlystart
Detected:53, recognized as trusted 43

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC	4194304	Apple Mobile Device Service	© 2010 Apple Inc. All rights reserved.	??	700
C:\Program Files\Common Files\Apple\Mobile Device Support\iTunesMobileDevice.dll Script: Quarantine, Delete, Delete via BC	38076416	iTunesMobileDevice	Copyright (C) 2009	--	2848
C:\Program Files\DivX\DivX Update\DivXUpdate.exe Script: Quarantine, Delete, Delete via BC	4194304	DivX Update	© Copyright 2000 - 2009 DivX, Inc.	??	2524
C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll Script: Quarantine, Delete, Delete via BC	268435456	DivX Update	© Copyright 2000 - 2009 DivX, Inc.	--	2524
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe Script: Quarantine, Delete, Delete via BC	4194304	RAID Monitor	Copyright(C) Intel Corporation 2003-05	??	752
C:\Program Files\iPod\bin\iPodService.exe Script: Quarantine, Delete, Delete via BC	4194304	iPodService Module (32-bit)	© 2003-2010 Apple Inc. All rights reserved.	??	1804
C:\Program Files\iPod\bin\iPodService.Resources\en.lproj\iPodServiceLocalized.DLL Script: Quarantine, Delete, Delete via BC	268435456	iPodService Resource Library (32-bit)	© 2003-2010 Apple Inc. All rights reserved.	--	1804
C:\Program Files\iPod\bin\iPodService.Resources\iPodService.DLL Script: Quarantine, Delete, Delete via BC	9043968	iPodService Resource Library (32-bit)	© 2003-2010 Apple Inc. All rights reserved.	--	1804
C:\Program Files\iTunes\iTunesHelper.dll Script: Quarantine, Delete, Delete via BC	268435456	iTunesHelper DLL	© 2003-2010 Apple Inc. All rights reserved.	--	2848
C:\Program Files\iTunes\iTunesHelper.exe Script: Quarantine, Delete, Delete via BC	4194304	iTunesHelper	© 2003-2010 Apple Inc. All rights reserved.	??	2848
C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL Script: Quarantine, Delete, Delete via BC	17367040	iTunesHelper Resource Library	© 2003-2010 Apple Inc. All rights reserved.	--	2848
C:\Program Files\iTunes\iTunesHelper.Resources\iTunesHelper.DLL Script: Quarantine, Delete, Delete via BC	17563648	iTunesHelper Resource Library	© 2003-2010 Apple Inc. All rights reserved.	--	2848
C:\Program Files\J River\Media Jukebox\MJShellExt.dll Script: Quarantine, Delete, Delete via BC	62914560	MJShellExt DLL	Copyright (C) 1998-2001, J. River, Inc.	--	2528
C:\Program Files\PeerBlock\peerblock.exe Script: Quarantine, Delete, Delete via BC	4194304	PeerBlock	Copyright (C) 2009-2010 PeerBlock, LLC	??	2260
C:\Program Files\QuickTime\QTSystem\QTCF.dll Script: Quarantine, Delete, Delete via BC	1751777280	QuickTime CoreFoundation	Copyright Apple Inc. 1989-2010	--	2848
C:\Program Files\QuickTime\QTSystem\QuickTime.qts Script: Quarantine, Delete, Delete via BC	1719664640	QuickTime	Copyright Apple Inc. 1989-2010	--	2848
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe Script: Quarantine, Delete, Delete via BC	4194304	PDAgent Module	Copyright © 2009	??	1060
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe Script: Quarantine, Delete, Delete via BC	4194304	PDAgentS1 Module	Copyright © 2009	??	2676
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe Script: Quarantine, Delete, Delete via BC	4194304	PDEngine Module	Copyright © 2009	??	2964
C:\Program Files\Raxco\PerfectDisk10\PDEnginePS.dll Script: Quarantine, Delete, Delete via BC	268435456	PDEngine Proxy	Copyright © 2009	--	1060, 2964, 2668
C:\Program Files\Raxco\PerfectDisk10\PDState.dll Script: Quarantine, Delete, Delete via BC	26542080	Space Management Module	Copyright © 2009	--	1060
C:\Program Files\Raxco\PerfectDisk10\PDUtils.dll Script: Quarantine, Delete, Delete via BC	15204352	PDUtils Module	Copyright © 2009	--	1060, 2964
C:\Program Files\Raxco\PerfectDisk10\PerfectDisk.exe Script: Quarantine, Delete, Delete via BC	4194304	PerfectDisk 11	Copyright © 2010	??	2668
C:\Program Files\Raxco\PerfectDisk10\QtCore4.dll Script: Quarantine, Delete, Delete via BC	1728053248	C++ application development framework.	Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies)	--	2668
C:\Program Files\Raxco\PerfectDisk10\QtGui4.dll Script: Quarantine, Delete, Delete via BC	1694498816	C++ application development framework.	Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies)	--	2668
Modules found:468, recognized as trusted 443

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\System32\Drivers\ahm9tdj7.SYS Script: Quarantine, Delete, Delete via BC	B7C09000	066000 (417792)
C:\WINDOWS\System32\DLA\DLABOIOM.SYS Script: Quarantine, Delete, Delete via BC	BA3B8000	007000 (28672)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\System32\DLA\DLADResN.SYS Script: Quarantine, Delete, Delete via BC	BA74A000	001000 (4096)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\System32\DLA\DLAIFS_M.SYS Script: Quarantine, Delete, Delete via BC	A3354000	016000 (90112)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\System32\DLA\DLAOPIOM.SYS Script: Quarantine, Delete, Delete via BC	A9614000	004000 (16384)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\System32\DLA\DLAPoolM.SYS Script: Quarantine, Delete, Delete via BC	ABD4B000	002000 (8192)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\System32\DLA\DLAUDF_M.SYS Script: Quarantine, Delete, Delete via BC	A3301000	016000 (90112)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\System32\DLA\DLAUDFAM.SYS Script: Quarantine, Delete, Delete via BC	A3317000	018000 (98304)	Drive Letter Access Component	Copyright © 2004 Sonic Solutions
C:\WINDOWS\system32\Drivers\DRVMCDB.SYS Script: Quarantine, Delete, Delete via BC	B9CEE000	016000 (90112)	Device Driver	Copyright © Sonic Solutions
C:\WINDOWS\system32\DRIVERS\MpFilter.sys Script: Quarantine, Delete, Delete via BC	AD600000	023000 (143360)	Microsoft antimalware file system filter driver	© Microsoft Corporation. All rights reserved.
C:\Program Files\PeerBlock\pbfilter.sys Script: Quarantine, Delete, Delete via BC	A562A000	007000 (28672)
C:\WINDOWS\system32\Drivers\snapman.sys Script: Quarantine, Delete, Delete via BC	B9B3A000	01F000 (126976)	Acronis Snapshot API	Copyright (c) Acronis 2000-2006
C:\WINDOWS\system32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	B9EBF000	0E8000 (950272)
Modules found - 166, recognized as trusted - 153

Services

Service	Description	Status	File	Group	Dependencies
Apple Mobile Device Service: Stop, Delete, Disable	Apple Mobile Device	Running	C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC		Tcpip
IAANTMon Service: Stop, Delete, Disable	Intel(R) Matrix Storage Event Monitor	Running	C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe Script: Quarantine, Delete, Delete via BC
iPod Service Service: Stop, Delete, Disable	iPod Service	Running	C:\Program Files\iPod\bin\iPodService.exe Script: Quarantine, Delete, Delete via BC		RpcSs
PDAgent Service: Stop, Delete, Disable	PDAgent	Running	C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe Script: Quarantine, Delete, Delete via BC
PDEngine Service: Stop, Delete, Disable	PDEngine	Running	C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe Script: Quarantine, Delete, Delete via BC
AcrSch2Svc Service: Stop, Delete, Disable	Acronis Scheduler2 Service	Not started	C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe Script: Quarantine, Delete, Delete via BC		RpcSs
AOL ACS Service: Stop, Delete, Disable	AOL Connectivity Service	Not started	C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe Script: Quarantine, Delete, Delete via BC
DSBrokerService Service: Stop, Delete, Disable	DSBrokerService	Not started	C:\Program Files\DellSupport\brkrsvc.exe Script: Quarantine, Delete, Delete via BC
Roxio UPnP Renderer 9 Service: Stop, Delete, Disable	Roxio UPnP Renderer 9	Not started	C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe Script: Quarantine, Delete, Delete via BC
Roxio Upnp Server 9 Service: Stop, Delete, Disable	Roxio Upnp Server 9	Not started	C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe Script: Quarantine, Delete, Delete via BC
Detected - 138, recognized as trusted - 128

Drivers

Service	Description	Status	File	Group	Dependencies
DLABOIOM Driver: Unload, Delete, Disable	DLABOIOM	Running	C:\WINDOWS\system32\DLA\DLABOIOM.SYS Script: Quarantine, Delete, Delete via BC	File system
DLADResN Driver: Unload, Delete, Disable	DLADResN	Running	C:\WINDOWS\system32\DLA\DLADResN.SYS Script: Quarantine, Delete, Delete via BC	Base
DLAIFS_M Driver: Unload, Delete, Disable	DLAIFS_M	Running	C:\WINDOWS\system32\DLA\DLAIFS_M.SYS Script: Quarantine, Delete, Delete via BC	Base
DLAOPIOM Driver: Unload, Delete, Disable	DLAOPIOM	Running	C:\WINDOWS\system32\DLA\DLAOPIOM.SYS Script: Quarantine, Delete, Delete via BC	Base
DLAPoolM Driver: Unload, Delete, Disable	DLAPoolM	Running	C:\WINDOWS\system32\DLA\DLAPoolM.SYS Script: Quarantine, Delete, Delete via BC	Base
DLAUDF_M Driver: Unload, Delete, Disable	DLAUDF_M	Running	C:\WINDOWS\system32\DLA\DLAUDF_M.SYS Script: Quarantine, Delete, Delete via BC	File system
DLAUDFAM Driver: Unload, Delete, Disable	DLAUDFAM	Running	C:\WINDOWS\system32\DLA\DLAUDFAM.SYS Script: Quarantine, Delete, Delete via BC	File system
drvmcdb Driver: Unload, Delete, Disable	drvmcdb	Running	C:\WINDOWS\System32\Drivers\DRVMCDB.SYS Script: Quarantine, Delete, Delete via BC	Filter
MpFilter Driver: Unload, Delete, Disable	Microsoft Malware Protection Driver	Running	C:\WINDOWS\system32\DRIVERS\MpFilter.sys Script: Quarantine, Delete, Delete via BC	FSFilter Anti-Virus	FltMgr
snapman Driver: Unload, Delete, Disable	Acronis Snapshots Manager	Running	C:\WINDOWS\system32\DRIVERS\snapman.sys Script: Quarantine, Delete, Delete via BC		tdrpman
sptd Driver: Unload, Delete, Disable	sptd	Running	C:\WINDOWS\System32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
Abiosdsk Driver: Unload, Delete, Disable	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
Atdisk Driver: Unload, Delete, Disable	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
bvrp_pci Driver: Unload, Delete, Disable	bvrp_pci	Not started	bvrp_pci.sys Script: Quarantine, Delete, Delete via BC
catchme Driver: Unload, Delete, Disable	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
Changer Driver: Unload, Delete, Disable	Changer	Not started	Changer.sys Script: Quarantine, Delete, Delete via BC	Filter
cpuz126 Driver: Unload, Delete, Disable	cpuz126	Not started	C:\DOCUME~1\Graham\LOCALS~1\Temp\cpuz.sys Script: Quarantine, Delete, Delete via BC
DSproct Driver: Unload, Delete, Disable	DSproct	Not started	C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys Script: Quarantine, Delete, Delete via BC
lbrtfdc Driver: Unload, Delete, Disable	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
MBAMSwissArmy Driver: Unload, Delete, Disable	MBAMSwissArmy	Not started	C:\WINDOWS\system32\drivers\mbamswissarmy.sys Script: Quarantine, Delete, Delete via BC
PCIDump Driver: Unload, Delete, Disable	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, Delete via BC	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, Delete via BC
PDFRAME Driver: Unload, Delete, Disable	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, Delete via BC
PDRELI Driver: Unload, Delete, Disable	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, Delete via BC
PDRFRAME Driver: Unload, Delete, Disable	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, Delete via BC
Simbad Driver: Unload, Delete, Disable	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, Delete via BC	Filter
TIEHDUSB Driver: Unload, Delete, Disable	TIEHDUSB	Not started	C:\WINDOWS\system32\drivers\tiehdusb.sys Script: Quarantine, Delete, Delete via BC
WDICA Driver: Unload, Delete, Disable	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, Delete via BC
Detected - 239, recognized as trusted - 211

Autoruns

File name	Status	Startup method	Description
0.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, previousProjectorProcessID Delete
ATIVCR1.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.VCR1 Delete
ATIVCR2.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.VCR2 Delete
C:\Program Files\AOL 9.6\aol.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Graham\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Graham\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL Beta.lnk,
C:\Program Files\America Online 9.0\aol.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\America Online 9.0.lnk,
C:\Program Files\DNA\DNAcpl.cpl Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, DNAcpl.cpl Delete
C:\Program Files\DivX\DivX Update\DivXUpdate.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, DivXUpdate Delete
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\IAANTmon, EventMessageFile Delete
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmjb.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\Musicmatch Jukebox.lnk,
C:\Program Files\Microsoft Games\Rise of Nations\Watson\dw15.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Rise of Nations Gold, EventMessageFile Delete
C:\Program Files\PeerBlock\peerblock.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, PeerBlock Delete
C:\Program Files\QuickTime\QTTask.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QuickTime Task Delete
C:\Program Files\QuickTime\QuickTimePlayer.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk,
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\PDAgent, EventMessageFile Delete
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\PDEngine, EventMessageFile Delete
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\PDState, EventMessageFile Delete
C:\Program Files\Sonic\Product\Media Experience\DMX.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Graham\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Graham\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Experience.lnk,
C:\Program Files\TitanTV\ATITVPIReader.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\TitanTVTVPIReader, EventMessageFile Delete
C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsole.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\Play Games.lnk,
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Auto Detect.lnk,
C:\Program Files\iTunes\iTunesHelper.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, iTunesHelper Delete
C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk,
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile Delete
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile Delete
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile Delete
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile Delete
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile Delete
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile Delete
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile Delete
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile Delete
C:\WINDOWS\system32\AegisE5.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\AegisP, EventMessageFile Delete
C:\WINDOWS\system32\DivX.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.DIVX Delete
C:\WINDOWS\system32\DivX.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.yv12 Delete
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\fxsevent.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Fax, EventMessageFile Delete
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile Delete
DVIDEO.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.DRAW Delete
IYVU9_32.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.yvu9 Delete
LCODCCMP.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.LEAD Delete
kbd101.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN Delete
kbd101a.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items found - 771, recognized as trusted - 719

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\WINDOWS\System32\DLA\DLASHX_W.DLL Script: Quarantine, Delete, Delete via BC	BHO	Drive Letter Access Component	Copyright © 2004 Sonic Solutions	{5CA3D70E-1895-11CF-8E15-001234567890} Delete
Items found - 12, recognized as trusted - 11

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, Delete via BC	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Script: Quarantine, Delete, Delete via BC	Autoplay for SlideShow			{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
C:\WINDOWS\system32\extmgr.dll Script: Quarantine, Delete, Delete via BC	Extensions Manager Folder	Extensions Manager	© Microsoft Corporation. All rights reserved.	{692F0339-CBAA-47e6-B5B5-3B84DB604E87} Delete
	Record ISO Image to CD			{34F4B935-17DC-4885-8BC9-CCD1ADF42F93} Delete
	Microsoft Access Custom Icon Handler			{BB7DF450-F119-11CD-8465-00AA00425D90} Delete
C:\Program Files\J River\Media Jukebox\MJShellExt.dll Script: Quarantine, Delete, Delete via BC	Media Jukebox	MJShellExt DLL	Copyright (C) 1998-2001, J. River, Inc.	{51CD2A0E-D225-493C-A989-72D038BD97B6} Delete
	dBpowerAMP Music Converter 1			{FED7043D-346A-414D-ACD7-550D052499A7} Delete
	dBpoweramp Music Converter			{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} Delete
"C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll" Script: Quarantine, Delete, Delete via BC	IntelliPoint Wireless Control Panel Property Page			{20082881-FC36-4E47-9A7A-644C95FF749F} Delete
"C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll" Script: Quarantine, Delete, Delete via BC	IntelliPoint Wheel Control Panel Property Page			{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} Delete
"C:\Program Files\Microsoft IntelliPoint\ipcplact.dll" Script: Quarantine, Delete, Delete via BC	IntelliPoint Activities Control Panel Property Page			{653DCCC2-13DB-45B2-A389-427885776CFE} Delete
"C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll" Script: Quarantine, Delete, Delete via BC	IntelliPoint Buttons Control Panel Property Page			{124597D8-850A-41AE-849C-017A4FA99CA2} Delete
C:\WINDOWS\System32\DLA\DLASHX_W.DLL Script: Quarantine, Delete, Delete via BC	DriveLetterAccess	Drive Letter Access Component	Copyright © 2004 Sonic Solutions	{5CA3D70E-1895-11CF-8E15-001234567890} Delete
C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.dll Script: Quarantine, Delete, Delete via BC	TIShelEx Shell Extension	TIShelEx Module	Copyright © 2003, 2004 Texas Instruments Incorporated, All Rights Reserved	{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02} Delete
	Windows Search Shell Service			{da67b8ad-e81b-4c70-9b91b417b5e33527} Delete
C:\Program Files\Acronis\TrueImageHome\tishell.dll Script: Quarantine, Delete, Delete via BC	Acronis True Image Shell Context Menu Extension	Acronis True Image Shell Extensions	Copyright (C) Acronis, 2000-2006.	{C539A15A-3AF9-4c92-B771-50CB78F5C751} Delete
C:\Program Files\Acronis\TrueImageHome\tishell.dll Script: Quarantine, Delete, Delete via BC	Acronis True Image Shell Extension	Acronis True Image Shell Extensions	Copyright (C) Acronis, 2000-2006.	{C539A15B-3AF9-4c92-B771-50CB78F5C751} Delete
C:\Program Files\iTunes\iTunesMiniPlayer.dll Script: Quarantine, Delete, Delete via BC	iTunes	iTunes Mini Player DLL	© 2003-2010 Apple Inc. All rights reserved.	{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} Delete
	ColumnHandler			{FED7043D-346A-414D-ACD7-550D052499A7} Delete
Items found - 213, recognized as trusted - 190

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Items found - 8, recognized as trusted - 8

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
Items found - 3, recognized as trusted - 3

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 6, recognized as trusted - 6

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 32, recognized as trusted - 32
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
7 LISTENING 0.0.0.0 22583 [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
9 LISTENING 0.0.0.0 43192 [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
13 LISTENING 0.0.0.0 53257 [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
17 LISTENING 0.0.0.0 47146 [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
19 LISTENING 0.0.0.0 39166 [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
21 LISTENING 0.0.0.0 63575 [772] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, Delete via BC, Terminate
25 LISTENING 0.0.0.0 22631 [772] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, Delete via BC, Terminate
80 LISTENING 0.0.0.0 53402 [772] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, Delete via BC, Terminate
135 LISTENING 0.0.0.0 55346 [1604] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
139 LISTENING 0.0.0.0 43079 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
443 LISTENING 0.0.0.0 4327 [772] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 2064 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
1026 LISTENING 0.0.0.0 53339 [772] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1027 LISTENING 0.0.0.0 57394 [3108] c:\windows\system32\alg.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1060 ESTABLISHED 127.0.0.1 27015 [2848] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1188 CLOSE_WAIT 127.0.0.1 27015 [2848] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
2205 CLOSE_WAIT 89.108.66.156 80 [2972] c:\documents and settings\graham\desktop\alureon.g\avz4\avz.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3389 LISTENING 0.0.0.0 38980 [1560] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5152 LISTENING 0.0.0.0 18540 [844] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5152 CLOSE_WAIT 127.0.0.1 1593 [844] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 LISTENING 0.0.0.0 47145 [716] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 FIN_WAIT2 127.0.0.1 1188 [700] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 LISTENING 0.0.0.0 47121 [700] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 ESTABLISHED 127.0.0.1 1060 [700] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
7 LISTENING -- -- [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
9 LISTENING -- -- [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
13 LISTENING -- -- [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
17 LISTENING -- -- [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
19 LISTENING -- -- [808] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
123 LISTENING -- -- [1704] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
123 LISTENING -- -- [1704] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
161 LISTENING -- -- [888] c:\windows\system32\snmp.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [1356] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1025 LISTENING -- -- [716] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1056 LISTENING -- -- [2524] c:\program files\divx\divx update\divxupdate.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [3672] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [3672] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3456 LISTENING -- -- [772] c:\windows\system32\inetsrv\inetinfo.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [1356] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5353 LISTENING -- -- [716] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}
Delete http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
C:\WINDOWS\opuc.dll
Script: Quarantine, Delete, Delete via BC Microsoft Office Update Detection Engine © 2006 Microsoft Corporation. All rights reserved. {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
Delete http://office.microsoft.com/officeupdate/content/opuc3.cab
{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}
Delete http://aolcc.aol.com/computercheckup/qdiagcc.cab
C:\WINDOWS\Downloaded Program Files\wlscBase.dll
Script: Quarantine, Delete, Delete via BC Windows Live Safety Center Base Module Copyright © 2005 Microsoft Corp. {5ED80217-570B-4DA9-BF44-BE107C0EC166}
Delete https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase2213.cab
C:\WINDOWS\Downloaded Program Files\rufsi.dll
Script: Quarantine, Delete, Delete via BC Symantec Security Check Registry and File Information control Copyright © 2004 Symantec Corporation {644E432F-49D3-41A1-8DD5-E099162EEEC5}
Delete http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Delete http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
C:\WINDOWS\DOWNLO~1\msrdp.ocx
Script: Quarantine, Delete, Delete via BC Terminal Services ActiveX Client © Microsoft Corporation. All rights reserved. {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}
Delete http://69.213.66.54/TSWEB/msrdp.cab
C:\WINDOWS\opuc.dll
Script: Quarantine, Delete, Delete via BC Microsoft Office Update Detection Engine © 2006 Microsoft Corporation. All rights reserved. {C7DB51B4-BCF7-4923-8874-7F1A0DC92277}
Delete http://office.microsoft.com/officeupdate/content/opuc4.cab
Items found - 22, recognized as trusted - 14

Control Panel Applets (CPL)

File name Description Manufacturer
C:\WINDOWS\system32\cmdvdpak.cpl
Script: Quarantine, Delete, Delete via BC Cinemaster DVD Decoder Pack Control Panel Copyright (c) 2002 Sonic Solutions
C:\WINDOWS\system32\DivXControlPanelApplet.cpl
Script: Quarantine, Delete, Delete via BC DivX Control Panel © Copyright 2000 - 2009 DivX, Inc.
C:\WINDOWS\system32\javacpl.cpl
Script: Quarantine, Delete, Delete via BC Java(TM) Control Panel Copyright © 2004
Items found - 31, recognized as trusted - 28

Active Setup

File name Description Manufacturer CLSID
Items found - 19, recognized as trusted - 19

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 32, recognized as trusted - 29

Suspicious objects

File Description Type
C:\WINDOWS\system32\Drivers\sptd.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook
C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit >>> Kernel-mode hook - CPU[1].IDT[01]

AVZ Antiviral Toolkit log; AVZ version is 4.32 Scanning started at 4/7/2010 3:59:14 PM Database loaded: signatures - 269740, NN profile(s) - 2, malware removal microprograms - 56, signature database released 06.04.2010 22:04 Heuristic microprograms loaded: 382 PVS microprograms loaded: 9 Digital signatures of system files loaded: 193046 Heuristic analyzer mode: Medium heuristics mode Malware removal mode: enabled Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights System Restore: enabled 1. Searching for Rootkits and other software intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=085700) Kernel ntkrnlpa.exe found in memory at address 804D7000 SDT = 8055C700 KiST = 8050446C (284) Function NtCreateKey (29) intercepted (806237B6->B9EC00D0), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Function NtEnumerateKey (47) intercepted (80623FF6->B9EC5E2C), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Function NtEnumerateValueKey (49) intercepted (80624260->B9EC61BA), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Function NtOpenKey (77) intercepted (80624B88->B9EC00B0), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Function NtQueryKey (A0) intercepted (80624EAE->B9EC6292), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Function NtQueryValueKey (B1) intercepted (806219EE->B9EC6112), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Function NtSetValueKey (F7) intercepted (80621D3C->B9EC6324), hook C:\WINDOWS\system32\Drivers\sptd.sys >>> Function restored successfully ! >>> Hook code blocked Functions checked: 284, intercepted: 7, restored: 7 1.3 Checking IDT and SYSENTER Analyzing CPU 1 >>> Danger - possible CPU address substitution[1].IDT[01] = [B8211541] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys, driver recognized as trusted >>> Danger - possible CPU address substitution[1].IDT[03] = [B82115E7] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys, driver recognized as trusted Analyzing CPU 2 >>> Danger - possible CPU address substitution[2].IDT[01] = [B8211541] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys, driver recognized as trusted >>> Danger - possible CPU address substitution[2].IDT[03] = [B82115E7] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys, driver recognized as trusted CmpCallCallBacks = 00093D84 Disable callback OK Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_CLOSE] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_WRITE] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8B97C1E8 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 8B97C1E8 -> hook not defined \FileSystem\FastFat[IRP_MJ_CREATE] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_CLOSE] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_WRITE] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_EA] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_EA] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 8AB017A0 -> hook not defined \FileSystem\FastFat[IRP_MJ_PNP] = 8AB017A0 -> hook not defined Checking - complete 2. Scanning RAM Number of processes found: 53 Number of modules loaded: 428 Scanning RAM - complete 3. Scanning disks Direct reading: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP21F974FA.exe Direct reading: C:\WINDOWS\system32\drivers\sptd.sys 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious software Checking - disabled by user 7. Heuristic system check Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: TermService (Terminal Services) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed: TlntSvr (Telnet) >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: terminal connections to the PC are allowed Checking - complete 9. Troubleshooting wizard >> Service termination timeout is out of admissible values >> HDD autorun is allowed >> Network drives autorun is allowed >> Removable media autorun is allowed Checking - complete Files scanned: 136730, extracted from archives: 86884, malicious software found 0, suspicions - 0 Scanning finished at 4/7/2010 4:41:18 PM !!! Attention !!! Restored 7 KiST functions during Anti-Rootkit operation This may affect execution of certain software, so it is strongly recommended to reboot Time of scanning: 00:42:05 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Creating archive of files from Quarantine Creating archive of files from Quarantine - complete System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Remove traces of deleted files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: prevent terminal connections to the PC
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
7	LISTENING	0.0.0.0	22583	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
9	LISTENING	0.0.0.0	43192	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
13	LISTENING	0.0.0.0	53257	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
17	LISTENING	0.0.0.0	47146	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
19	LISTENING	0.0.0.0	39166	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
21	LISTENING	0.0.0.0	63575	[772] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, Delete via BC, Terminate
25	LISTENING	0.0.0.0	22631	[772] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, Delete via BC, Terminate
80	LISTENING	0.0.0.0	53402	[772] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, Delete via BC, Terminate
135	LISTENING	0.0.0.0	55346	[1604] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
139	LISTENING	0.0.0.0	43079	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
443	LISTENING	0.0.0.0	4327	[772] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	2064	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
1026	LISTENING	0.0.0.0	53339	[772] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, Delete via BC, Terminate
1027	LISTENING	0.0.0.0	57394	[3108] c:\windows\system32\alg.exe Script: Quarantine, Delete, Delete via BC, Terminate
1060	ESTABLISHED	127.0.0.1	27015	[2848] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
1188	CLOSE_WAIT	127.0.0.1	27015	[2848] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
2205	CLOSE_WAIT	89.108.66.156	80	[2972] c:\documents and settings\graham\desktop\alureon.g\avz4\avz.exe Script: Quarantine, Delete, Delete via BC, Terminate
3389	LISTENING	0.0.0.0	38980	[1560] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
5152	LISTENING	0.0.0.0	18540	[844] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, Delete via BC, Terminate
5152	CLOSE_WAIT	127.0.0.1	1593	[844] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	LISTENING	0.0.0.0	47145	[716] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	FIN_WAIT2	127.0.0.1	1188	[700] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	LISTENING	0.0.0.0	47121	[700] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	ESTABLISHED	127.0.0.1	1060	[700] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
7	LISTENING	--	--	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
9	LISTENING	--	--	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
13	LISTENING	--	--	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
17	LISTENING	--	--	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
19	LISTENING	--	--	[808] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, Delete via BC, Terminate
123	LISTENING	--	--	[1704] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
123	LISTENING	--	--	[1704] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
161	LISTENING	--	--	[888] c:\windows\system32\snmp.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[1356] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
1025	LISTENING	--	--	[716] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
1056	LISTENING	--	--	[2524] c:\program files\divx\divx update\divxupdate.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[3672] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[3672] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3456	LISTENING	--	--	[772] c:\windows\system32\inetsrv\inetinfo.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[1356] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
5353	LISTENING	--	--	[716] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate