Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 23/09/2011; 23:51)

List of processes

File name | PID | Description | Copyright | MD5 | Information
Detected: 58, recognized as trusted: 58

Module name | Handle | Description | Copyright | MD5 | Used by processes
Modules detected: 635, recognized as trusted: 635

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer
C:\Windows\system32\DRIVERS\78664950.sys | 8CA02000 | 00522000 (5382144) | |
C:\Windows\System32\Drivers\dump_diskdump.sys | 9B3F6000 | 0000A000 (40960) | |
C:\Windows\System32\Drivers\dump_dumpfve.sys | 967A0000 | 00011000 (69632) | |
C:\Windows\System32\Drivers\dump_nvstor.sys | 9677B000 | 00025000 (151552) | |
Modules detected: 173, recognized as trusted: 169

Services

Service | Description | Status | File | Group | Dependencies
Detected: 159, recognized as trusted: 159

Drivers

Service | Description | Status | File | Group | Dependencies
catchme | catchme | Not started | C:\Users\DOMINI~1.FON\AppData\Local\Temp\catchme.sys | Base |
DgiVecp | DgiVecp | Not started | C:\Windows\system32\Drivers\DgiVecp.sys | |
MpKsl20750f32 | MpKsl20750f32 | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FD143D54-4B07-40DA-BC47-26EFCE4A11C3}\MpKsl20750f32.sys | |
MpKsl23cd48fb | MpKsl23cd48fb | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{72E28A9E-6343-4440-B439-422225D6EA56}\MpKsl23cd48fb.sys | |
MpKsl517f41c0 | MpKsl517f41c0 | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2EC6ED00-9463-4D1F-87AE-AE651E11511A}\MpKsl517f41c0.sys | |
MpKsl5e4611be | MpKsl5e4611be | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6CC8828D-A330-4811-9A82-6370EA2F4CE2}\MpKsl5e4611be.sys | |
MpKsl83591d93 | MpKsl83591d93 | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A3F70CE2-8CE0-48C8-9CC4-D6F46CED286D}\MpKsl83591d93.sys | |
MpKsla4b22a4c | MpKsla4b22a4c | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{58FDFEF4-7EB3-409A-803E-B887376A351E}\MpKsla4b22a4c.sys | |
MpKslce25963e | MpKslce25963e | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{868ABC79-1C45-4A1C-B7F2-4D24DDC12343}\MpKslce25963e.sys | |
MpKsldd8a1e0f | MpKsldd8a1e0f | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2EDAEF55-24F3-4C5A-9D9C-771A6334EC82}\MpKsldd8a1e0f.sys | |
MpKslf01c5627 | MpKslf01c5627 | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BB8652A4-05FF-44A8-957F-D3C6D9341628}\MpKslf01c5627.sys | |
MpKslf3843a20 | MpKslf3843a20 | Not started | C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BB8652A4-05FF-44A8-957F-D3C6D9341628}\MpKslf3843a20.sys | |
shlfwoov | shlfwoov | Not started | C:\Windows\system32\drivers\shlfwoov.sys | Boot Bus Extender |
Synth3dVsc | Synth3dVsc | Not started | C:\Windows\system32\drivers\synth3dvsc.sys | |
tsusbhub | tsusbhub | Not started | C:\Windows\system32\drivers\tsusbhub.sys | |
VGPU | VGPU | Not started | C:\Windows\system32\drivers\rdvgkmd.sys | |
Detected: 281, recognized as trusted: 265

Autoruns

File name | Status | Startup method | Description
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe | Disabled | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run-, Adobe Reader Speed Launcher
C:\Program Files\Microsoft IntelliType Pro\dw15.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\IntelliType Pro, EventMessageFile
C:\Users\Dominick J. Fontana\AppData\Local\temp\_uninst_78664950.bat | Active | Shortcut in Autoruns folder | C:\Users\Dominick J. Fontana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Dominick J. Fontana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_78664950.lnk,
C:\Windows\System32\drivers\avipbb.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\avipbb, EventMessageFile
C:\Windows\System32\drivers\ssidrv.sys | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ssidrv, EventMessageFile
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
D:\Programs\AVG Internet Security 2011\avgameh.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application, EventMessageFile
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
vgafix.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
vgaoem.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
vgasys.fon | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Autoruns items detected: 660, recognized as trusted: 649

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
 | Extension module | | | {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
 | Extension module | | | {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
 | Extension module | | | {92780B25-18CC-41C8-B9BE-3C9C571A8263}
Elements detected: 8, recognized as trusted: 5

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID
{B9B9F083-2B04-452A-8691-83694AC1037B} | Logitech Setpoint Extension
Shell Extension for Malware scanning | {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
Elements detected: 27, recognized as trusted: 25

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Elements detected: 9, recognized as trusted: 9

Task Scheduler jobs

File name | Job name | Job status | Description | Manufacturer
Elements detected: 0, recognized as trusted: 0

SPI/LSP settings

Namespace providers (NSP)
Provider | Status | EXE file | Description | GUID
Detected: 6, recognized as trusted: 6
Transport protocol providers (TSP, LSP)
Provider | EXE file | Description
Detected: 32, recognized as trusted: 32
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote Host | Remote Port | Application | Notes
TCP ports
135 | LISTENING | 0.0.0.0 | 0 | [912] c:\windows\system32\svchost.exe |
139 | LISTENING | 0.0.0.0 | 0 | [4] System |
445 | LISTENING | 0.0.0.0 | 0 | [4] System |
554 | LISTENING | 0.0.0.0 | 0 | [3880] c:\program files\windows media player\wmpnetwk.exe |
990 | LISTENING | 0.0.0.0 | 0 | [2852] c:\windows\system32\svchost.exe |
2869 | LISTENING | 0.0.0.0 | 0 | [4] System |
5357 | LISTENING | 0.0.0.0 | 0 | [4] System |
5679 | LISTENING | 0.0.0.0 | 0 | [2852] c:\windows\system32\svchost.exe |
7438 | LISTENING | 0.0.0.0 | 0 | [2852] c:\windows\system32\svchost.exe |
10243 | LISTENING | 0.0.0.0 | 0 | [4] System |
49152 | LISTENING | 0.0.0.0 | 0 | [568] c:\windows\system32\wininit.exe |
49153 | LISTENING | 0.0.0.0 | 0 | [1064] c:\windows\system32\svchost.exe |
49154 | LISTENING | 0.0.0.0 | 0 | [1124] c:\windows\system32\svchost.exe |
49155 | LISTENING | 0.0.0.0 | 0 | [680] c:\windows\system32\lsass.exe |
49156 | LISTENING | 0.0.0.0 | 0 | [628] c:\windows\system32\services.exe |
UDP ports
137 | LISTENING | -- | -- | [4] System |
138 | LISTENING | -- | -- | [4] System |
500 | LISTENING | -- | -- | [1124] c:\windows\system32\svchost.exe |
1900 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
1900 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
3702 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
3702 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
3702 | LISTENING | -- | -- | [1280] c:\windows\system32\svchost.exe |
3702 | LISTENING | -- | -- | [1280] c:\windows\system32\svchost.exe |
4500 | LISTENING | -- | -- | [1124] c:\windows\system32\svchost.exe |
5004 | LISTENING | -- | -- | [3880] c:\program files\windows media player\wmpnetwk.exe |
5005 | LISTENING | -- | -- | [3880] c:\program files\windows media player\wmpnetwk.exe |
5355 | LISTENING | -- | -- | [1388] c:\windows\system32\svchost.exe |
52040 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
52042 | LISTENING | -- | -- | [1280] c:\windows\system32\svchost.exe |
52044 | LISTENING | -- | -- | [1280] c:\windows\system32\svchost.exe |
55397 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
55398 | LISTENING | -- | -- | [4052] c:\windows\system32\svchost.exe |
57497 | LISTENING | -- | -- | [4572] c:\program files\internet explorer\iexplore.exe |
62472 | LISTENING | -- | -- | [732] c:\program files\internet explorer\iexplore.exe |

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL
Elements detected: 6, recognized as trusted: 6

Control Panel Applets (CPL)

File name | Description | Manufacturer
Elements detected: 22, recognized as trusted: 22

Active Setup

File name | Description | Manufacturer | CLSID
Elements detected: 9, recognized as trusted: 9

HOSTS file

Hosts file record
127.0.0.1       localhost

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll | Protocol | Microsoft .NET Runtime Execution Engine () | © Microsoft Corporation. All rights reserved. | {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected: 19, recognized as trusted: 16

Suspicious objects

File | Description | Type
C:\Windows\system32\DRIVERS\6875123drv.sys | Suspicion for Rootkit | Kernel-mode hook


Main script of analysis
Windows version: Windows 7 Ultimate, Build=7601, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 003E0010<>77222082
IAT modification detected: GetModuleFileNameA - 003E0080<>7726D75A
IAT modification detected: FreeLibrary - 003E00F0<>7726EF67
IAT modification detected: GetModuleFileNameW - 003E0160<>7726EF35
IAT modification detected: CreateProcessW - 003E01D0<>7722204D
IAT modification detected: LoadLibraryW - 003E02B0<>7726EF42
IAT modification detected: LoadLibraryA - 003E0320<>7726DC65
IAT modification detected: GetProcAddress - 003E0390<>7726CC94
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:AddMandatoryAce (1029) intercepted, method ProcAddressHijack.GetProcAddress ->773AAC79->75CEDE2B
Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method ProcAddressHijack.GetProcAddress ->773AAE19->77D172D8
Function advapi32.dll:I_ScIsSecurityProcess (1362) intercepted, method ProcAddressHijack.GetProcAddress ->773AAE50->77D1733F
Function advapi32.dll:I_ScPnPGetServiceName (1363) intercepted, method ProcAddressHijack.GetProcAddress ->773AAE87->77D17C40
Function advapi32.dll:I_ScQueryServiceConfig (1364) intercepted, method ProcAddressHijack.GetProcAddress ->773AAEBE->77D15F8A
Function advapi32.dll:I_ScSendPnPMessage (1365) intercepted, method ProcAddressHijack.GetProcAddress ->773AAEF6->77D15E7D
Function advapi32.dll:I_ScSendTSMessage (1366) intercepted, method ProcAddressHijack.GetProcAddress ->773AAF2A->77D171C5
Function advapi32.dll:I_ScValidatePnPService (1369) intercepted, method ProcAddressHijack.GetProcAddress ->773AAF5D->77D16B9D
Function advapi32.dll:IsValidRelativeSecurityDescriptor (1389) intercepted, method ProcAddressHijack.GetProcAddress ->773AAF95->75CFFBBD
Function advapi32.dll:PerfCreateInstance (1515) intercepted, method ProcAddressHijack.GetProcAddress ->773AB01C->75272187
Function advapi32.dll:PerfDecrementULongCounterValue (1516) intercepted, method ProcAddressHijack.GetProcAddress ->773AB035->75272A1D
Function advapi32.dll:PerfDecrementULongLongCounterValue (1517) intercepted, method ProcAddressHijack.GetProcAddress ->773AB05A->75272B3C
Function advapi32.dll:PerfDeleteInstance (1519) intercepted, method ProcAddressHijack.GetProcAddress ->773AB083->75272259
Function advapi32.dll:PerfIncrementULongCounterValue (1522) intercepted, method ProcAddressHijack.GetProcAddress ->773AB09C->752727B9
Function advapi32.dll:PerfIncrementULongLongCounterValue (1523) intercepted, method ProcAddressHijack.GetProcAddress ->773AB0C1->752728D6
Function advapi32.dll:PerfQueryInstance (1528) intercepted, method ProcAddressHijack.GetProcAddress ->773AB0EA->75272373
Function advapi32.dll:PerfSetCounterRefValue (1529) intercepted, method ProcAddressHijack.GetProcAddress ->773AB102->75272447
Function advapi32.dll:PerfSetCounterSetInfo (1530) intercepted, method ProcAddressHijack.GetProcAddress ->773AB11F->752720B0
Function advapi32.dll:PerfSetULongCounterValue (1531) intercepted, method ProcAddressHijack.GetProcAddress ->773AB13B->75272565
Function advapi32.dll:PerfSetULongLongCounterValue (1532) intercepted, method ProcAddressHijack.GetProcAddress ->773AB15A->75272680
Function advapi32.dll:PerfStartProvider (1533) intercepted, method ProcAddressHijack.GetProcAddress ->773AB17D->75271FED
Function advapi32.dll:PerfStartProviderEx (1534) intercepted, method ProcAddressHijack.GetProcAddress ->773AB195->75271F34
Function advapi32.dll:PerfStopProvider (1535) intercepted, method ProcAddressHijack.GetProcAddress ->773AB1AF->75272026
Function advapi32.dll:SystemFunction035 (1753) intercepted, method ProcAddressHijack.GetProcAddress ->773AB200->756E3EA8
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:DavAddConnection (1) intercepted, method ProcAddressHijack.GetProcAddress ->737D3B10->6BB229DD
Function netapi32.dll:DavDeleteConnection (2) intercepted, method ProcAddressHijack.GetProcAddress ->737D3B29->6BB2181B
Function netapi32.dll:DavFlushFile (3) intercepted, method ProcAddressHijack.GetProcAddress ->737D3B45->6BB21713
Function netapi32.dll:DavGetExtendedError (4) intercepted, method ProcAddressHijack.GetProcAddress ->737D3B5A->6BB22347
Function netapi32.dll:DavGetHTTPFromUNCPath (5) intercepted, method ProcAddressHijack.GetProcAddress ->737D3B76->6BB2275B
Function netapi32.dll:DavGetUNCFromHTTPPath (6) intercepted, method ProcAddressHijack.GetProcAddress ->737D3B94->6BB2257D
Function netapi32.dll:DsAddressToSiteNamesA (7) intercepted, method ProcAddressHijack.GetProcAddress ->737D3BB2->75544B85
Function netapi32.dll:DsAddressToSiteNamesExA (8) intercepted, method ProcAddressHijack.GetProcAddress ->737D3BD1->75544EB1
Function netapi32.dll:DsAddressToSiteNamesExW (9) intercepted, method ProcAddressHijack.GetProcAddress ->737D3BF2->75545181
Function netapi32.dll:DsAddressToSiteNamesW (10) intercepted, method ProcAddressHijack.GetProcAddress ->737D3C13->75544D61
Function netapi32.dll:DsDeregisterDnsHostRecordsA (11) intercepted, method ProcAddressHijack.GetProcAddress ->737D3C32->75546DD1
Function netapi32.dll:DsDeregisterDnsHostRecordsW (12) intercepted, method ProcAddressHijack.GetProcAddress ->737D3C57->75546D51
Function netapi32.dll:DsEnumerateDomainTrustsA (13) intercepted, method ProcAddressHijack.GetProcAddress ->737D3C7C->75546769
Function netapi32.dll:DsEnumerateDomainTrustsW (14) intercepted, method ProcAddressHijack.GetProcAddress ->737D3C9E->7553B1FA
Function netapi32.dll:DsGetDcCloseW (15) intercepted, method ProcAddressHijack.GetProcAddress ->737D3CC0->75544A95
Function netapi32.dll:DsGetDcNameA (16) intercepted, method ProcAddressHijack.GetProcAddress ->737D3CD7->75545B04
Function netapi32.dll:DsGetDcNameW (17) intercepted, method ProcAddressHijack.GetProcAddress ->737D3CED->7553509E
Function netapi32.dll:DsGetDcNameWithAccountA (18) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D03->75545721
Function netapi32.dll:DsGetDcNameWithAccountW (19) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D24->75534CB1
Function netapi32.dll:DsGetDcNextA (20) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D45->755449CE
Function netapi32.dll:DsGetDcNextW (21) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D5B->75544925
Function netapi32.dll:DsGetDcOpenA (22) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D71->75544875
Function netapi32.dll:DsGetDcOpenW (23) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D87->755447E3
Function netapi32.dll:DsGetDcSiteCoverageA (24) intercepted, method ProcAddressHijack.GetProcAddress ->737D3D9D->75545371
Function netapi32.dll:DsGetDcSiteCoverageW (25) intercepted, method ProcAddressHijack.GetProcAddress ->737D3DBB->75545541
Function netapi32.dll:DsGetForestTrustInformationW (26) intercepted, method ProcAddressHijack.GetProcAddress ->737D3DD9->75546E67
Function netapi32.dll:DsGetSiteNameA (27) intercepted, method ProcAddressHijack.GetProcAddress ->737D3DFF->75545A8B
Function netapi32.dll:DsGetSiteNameW (28) intercepted, method ProcAddressHijack.GetProcAddress ->737D3E17->75535FDD
Function netapi32.dll:DsMergeForestTrustInformationW (29) intercepted, method ProcAddressHijack.GetProcAddress ->737D3E2F->75546F69
Function netapi32.dll:DsRoleAbortDownlevelServerUpgrade (30) intercepted, method ProcAddressHijack.GetProcAddress ->737D3E57->741F4339
Function netapi32.dll:DsRoleCancel (31) intercepted, method ProcAddressHijack.GetProcAddress ->737D3E80->741F34A9
Function netapi32.dll:DsRoleDcAsDc (32) intercepted, method ProcAddressHijack.GetProcAddress ->737D3E94->741F3EAD
Function netapi32.dll:DsRoleDcAsReplica (33) intercepted, method ProcAddressHijack.GetProcAddress ->737D3EA8->741F3F99
Function netapi32.dll:DsRoleDemoteDc (34) intercepted, method ProcAddressHijack.GetProcAddress ->737D3EC1->741F4189
Function netapi32.dll:DsRoleDnsNameToFlatName (35) intercepted, method ProcAddressHijack.GetProcAddress ->737D3ED7->741F32B5
Function netapi32.dll:DsRoleFreeMemory (36) intercepted, method ProcAddressHijack.GetProcAddress ->737D3EF6->741F19A9
Function netapi32.dll:DsRoleGetDatabaseFacts (37) intercepted, method ProcAddressHijack.GetProcAddress ->737D3F0E->741F3651
Function netapi32.dll:DsRoleGetDcOperationProgress (38) intercepted, method ProcAddressHijack.GetProcAddress ->737D3F2C->741F3351
Function netapi32.dll:DsRoleGetDcOperationResults (39) intercepted, method ProcAddressHijack.GetProcAddress ->737D3F50->741F3401
Function netapi32.dll:DsRoleGetPrimaryDomainInformation (40) intercepted, method ProcAddressHijack.GetProcAddress ->737D3F73->741F1F3D
Function netapi32.dll:DsRoleIfmHandleFree (41) intercepted, method ProcAddressHijack.GetProcAddress ->737D3F9C->741F3539
Function netapi32.dll:DsRoleServerSaveStateForUpgrade (42) intercepted, method ProcAddressHijack.GetProcAddress ->737D3FB7->741F35C9
Function netapi32.dll:DsRoleUpgradeDownlevelServer (43) intercepted, method ProcAddressHijack.GetProcAddress ->737D3FDE->741F4261
Function netapi32.dll:DsValidateSubnetNameA (44) intercepted, method ProcAddressHijack.GetProcAddress ->737D4002->75545A4B
Function netapi32.dll:DsValidateSubnetNameW (45) intercepted, method ProcAddressHijack.GetProcAddress ->737D4021->75544B19
Function netapi32.dll:I_BrowserDebugCall (46) intercepted, method ProcAddressHijack.GetProcAddress ->737D4040->6BDB24A9
Function netapi32.dll:I_BrowserDebugTrace (47) intercepted, method ProcAddressHijack.GetProcAddress ->737D405B->6BDB2581
Function netapi32.dll:I_BrowserQueryEmulatedDomains (48) intercepted, method ProcAddressHijack.GetProcAddress ->737D4077->6BDB29F9
Function netapi32.dll:I_BrowserQueryOtherDomains (49) intercepted, method ProcAddressHijack.GetProcAddress ->737D409D->6BDB22C1
Function netapi32.dll:I_BrowserQueryStatistics (50) intercepted, method ProcAddressHijack.GetProcAddress ->737D40C0->6BDB2651
Function netapi32.dll:I_BrowserResetNetlogonState (51) intercepted, method ProcAddressHijack.GetProcAddress ->737D40E1->6BDB23D1
Function netapi32.dll:I_BrowserResetStatistics (52) intercepted, method ProcAddressHijack.GetProcAddress ->737D4105->6BDB2729
Function netapi32.dll:I_BrowserServerEnum (53) intercepted, method ProcAddressHijack.GetProcAddress ->737D4126->6BDB20BF
Function netapi32.dll:I_BrowserSetNetlogonState (54) intercepted, method ProcAddressHijack.GetProcAddress ->737D4142->6BDB2919
Function netapi32.dll:I_DsUpdateReadOnlyServerDnsRecords (55) intercepted, method ProcAddressHijack.GetProcAddress ->737D4164->755456A1
Function netapi32.dll:I_NetAccountDeltas (56) intercepted, method ProcAddressHijack.GetProcAddress ->737D4190->755463A3
Function netapi32.dll:I_NetAccountSync (57) intercepted, method ProcAddressHijack.GetProcAddress ->737D41AC->755463A3
Function netapi32.dll:I_NetChainSetClientAttributes (59) intercepted, method ProcAddressHijack.GetProcAddress ->737D41C6->75546F9E
Function netapi32.dll:I_NetChainSetClientAttributes2 (58) intercepted, method ProcAddressHijack.GetProcAddress ->737D41ED->75547021
Function netapi32.dll:I_NetDatabaseDeltas (60) intercepted, method ProcAddressHijack.GetProcAddress ->737D4215->75546389
Function netapi32.dll:I_NetDatabaseRedo (61) intercepted, method ProcAddressHijack.GetProcAddress ->737D4232->75546519
Function netapi32.dll:I_NetDatabaseSync (63) intercepted, method ProcAddressHijack.GetProcAddress ->737D424D->75546389
Function netapi32.dll:I_NetDatabaseSync2 (62) intercepted, method ProcAddressHijack.GetProcAddress ->737D4268->75546396
Function netapi32.dll:I_NetDfsGetVersion (64) intercepted, method ProcAddressHijack.GetProcAddress ->737D4284->75AB7C91
Function netapi32.dll:I_NetDfsIsThisADomainName (65) intercepted, method ProcAddressHijack.GetProcAddress ->737D429E->6BDA4E39
Function netapi32.dll:I_NetGetDCList (66) intercepted, method ProcAddressHijack.GetProcAddress ->737D42BF->75545CEE
Function netapi32.dll:I_NetGetForestTrustInformation (67) intercepted, method ProcAddressHijack.GetProcAddress ->737D42D7->75546EE9
Function netapi32.dll:I_NetLogonControl (69) intercepted, method ProcAddressHijack.GetProcAddress ->737D42FF->755463B0
Function netapi32.dll:I_NetLogonControl2 (68) intercepted, method ProcAddressHijack.GetProcAddress ->737D431A->75546431
Function netapi32.dll:I_NetLogonGetDomainInfo (70) intercepted, method ProcAddressHijack.GetProcAddress ->737D4336->75536414
Function netapi32.dll:I_NetLogonSamLogoff (71) intercepted, method ProcAddressHijack.GetProcAddress ->737D4357->75546089
Function netapi32.dll:I_NetLogonSamLogon (72) intercepted, method ProcAddressHijack.GetProcAddress ->737D4374->75545E89
Function netapi32.dll:I_NetLogonSamLogonEx (73) intercepted, method ProcAddressHijack.GetProcAddress ->737D4390->75545FD9
Function netapi32.dll:I_NetLogonSamLogonWithFlags (74) intercepted, method ProcAddressHijack.GetProcAddress ->737D43AE->75545F31
Function netapi32.dll:I_NetLogonSendToSam (75) intercepted, method ProcAddressHijack.GetProcAddress ->737D43D3->75546109
Function netapi32.dll:I_NetLogonUasLogoff (76) intercepted, method ProcAddressHijack.GetProcAddress ->737D43F0->75545E19
Function netapi32.dll:I_NetLogonUasLogon (77) intercepted, method ProcAddressHijack.GetProcAddress ->737D440D->75545DA5
Function netapi32.dll:I_NetServerAuthenticate (80) intercepted, method ProcAddressHijack.GetProcAddress ->737D4429->75546189
Function netapi32.dll:I_NetServerAuthenticate2 (78) intercepted, method ProcAddressHijack.GetProcAddress ->737D444A->75546209
Function netapi32.dll:I_NetServerAuthenticate3 (79) intercepted, method ProcAddressHijack.GetProcAddress ->737D446C->75536384
Function netapi32.dll:I_NetServerGetTrustInfo (81) intercepted, method ProcAddressHijack.GetProcAddress ->737D448E->75546C59
Function netapi32.dll:I_NetServerPasswordGet (82) intercepted, method ProcAddressHijack.GetProcAddress ->737D44AF->75546B59
Function netapi32.dll:I_NetServerPasswordSet (84) intercepted, method ProcAddressHijack.GetProcAddress ->737D44CF->75546289
Function netapi32.dll:I_NetServerPasswordSet2 (83) intercepted, method ProcAddressHijack.GetProcAddress ->737D44EF->75546309
Function netapi32.dll:I_NetServerReqChallenge (85) intercepted, method ProcAddressHijack.GetProcAddress ->737D4510->7553621B
Function netapi32.dll:I_NetServerSetServiceBits (86) intercepted, method ProcAddressHijack.GetProcAddress ->737D4531->75AB4171
Function netapi32.dll:I_NetServerSetServiceBitsEx (87) intercepted, method ProcAddressHijack.GetProcAddress ->737D4552->75AB6D01
Function netapi32.dll:I_NetServerTrustPasswordsGet (88) intercepted, method ProcAddressHijack.GetProcAddress ->737D4575->75546BD9
Function netapi32.dll:I_NetlogonComputeClientDigest (89) intercepted, method ProcAddressHijack.GetProcAddress ->737D459B->75536074
Function netapi32.dll:I_NetlogonComputeServerDigest (90) intercepted, method ProcAddressHijack.GetProcAddress ->737D45C2->75546AE4
Function netapi32.dll:NetAddAlternateComputerName (97) intercepted, method ProcAddressHijack.GetProcAddress ->737D45E9->737B5B19
Function netapi32.dll:NetAddServiceAccount (98) intercepted, method ProcAddressHijack.GetProcAddress ->737D460C->755470A9
Function netapi32.dll:NetApiBufferAllocate (101) intercepted, method ProcAddressHijack.GetProcAddress ->737D462A->737C1415
Function netapi32.dll:NetApiBufferFree (102) intercepted, method ProcAddressHijack.GetProcAddress ->737D4648->737C13D2
Function netapi32.dll:NetApiBufferReallocate (103) intercepted, method ProcAddressHijack.GetProcAddress ->737D4662->737C3741
Function netapi32.dll:NetApiBufferSize (104) intercepted, method ProcAddressHijack.GetProcAddress ->737D4682->737C3789
Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method ProcAddressHijack.GetProcAddress ->737D469C->6BDB2801
Function netapi32.dll:NetConnectionEnum (112) intercepted, method ProcAddressHijack.GetProcAddress ->737D46BC->75AB5511
Function netapi32.dll:NetDfsAdd (113) intercepted, method ProcAddressHijack.GetProcAddress ->737D46D5->6BDA78FD
Function netapi32.dll:NetDfsAddFtRoot (114) intercepted, method ProcAddressHijack.GetProcAddress ->737D46E6->6BDA6859
Function netapi32.dll:NetDfsAddRootTarget (115) intercepted, method ProcAddressHijack.GetProcAddress ->737D46FD->6BDA7401
Function netapi32.dll:NetDfsAddStdRoot (116) intercepted, method ProcAddressHijack.GetProcAddress ->737D4718->6BDA2B1E
Function netapi32.dll:NetDfsAddStdRootForced (117) intercepted, method ProcAddressHijack.GetProcAddress ->737D4730->6BDA2BB1
Function netapi32.dll:NetDfsEnum (118) intercepted, method ProcAddressHijack.GetProcAddress ->737D474E->6BDA70F9
Function netapi32.dll:NetDfsGetClientInfo (119) intercepted, method ProcAddressHijack.GetProcAddress ->737D4760->6BDA3F25
Function netapi32.dll:NetDfsGetDcAddress (120) intercepted, method ProcAddressHijack.GetProcAddress ->737D477B->6BDA2C51
Function netapi32.dll:NetDfsGetFtContainerSecurity (121) intercepted, method ProcAddressHijack.GetProcAddress ->737D4795->6BDA5363
Function netapi32.dll:NetDfsGetInfo (122) intercepted, method ProcAddressHijack.GetProcAddress ->737D47B9->6BDA2D69
Function netapi32.dll:NetDfsGetSecurity (123) intercepted, method ProcAddressHijack.GetProcAddress ->737D47CE->6BDA7741
Function netapi32.dll:NetDfsGetStdContainerSecurity (124) intercepted, method ProcAddressHijack.GetProcAddress ->737D47E7->6BDA3AD5
Function netapi32.dll:NetDfsGetSupportedNamespaceVersion (125) intercepted, method ProcAddressHijack.GetProcAddress ->737D480C->6BDA5C19
Function netapi32.dll:NetDfsManagerGetConfigInfo (126) intercepted, method ProcAddressHijack.GetProcAddress ->737D4836->6BDA2E9C
Function netapi32.dll:NetDfsManagerInitialize (127) intercepted, method ProcAddressHijack.GetProcAddress ->737D4858->6BDA2F91
Function netapi32.dll:NetDfsManagerSendSiteInfo (128) intercepted, method ProcAddressHijack.GetProcAddress ->737D4877->6BDA72C5
Function netapi32.dll:NetDfsMove (129) intercepted, method ProcAddressHijack.GetProcAddress ->737D4898->6BDA5651
Function netapi32.dll:NetDfsRemove (130) intercepted, method ProcAddressHijack.GetProcAddress ->737D48AA->6BDA7A19
Function netapi32.dll:NetDfsRemoveFtRoot (131) intercepted, method ProcAddressHijack.GetProcAddress ->737D48BE->6BDA6A99
Function netapi32.dll:NetDfsRemoveFtRootForced (132) intercepted, method ProcAddressHijack.GetProcAddress ->737D48D8->6BDA6BE5
Function netapi32.dll:NetDfsRemoveRootTarget (133) intercepted, method ProcAddressHijack.GetProcAddress ->737D48F8->6BDA5879
Function netapi32.dll:NetDfsRemoveStdRoot (134) intercepted, method ProcAddressHijack.GetProcAddress ->737D4916->6BDA2CE1
Function netapi32.dll:NetDfsRename (135) intercepted, method ProcAddressHijack.GetProcAddress ->737D4931->6BDA2E91
Function netapi32.dll:NetDfsSetClientInfo (136) intercepted, method ProcAddressHijack.GetProcAddress ->737D4945->6BDA4301
Function netapi32.dll:NetDfsSetFtContainerSecurity (137) intercepted, method ProcAddressHijack.GetProcAddress ->737D4960->6BDA53AF
Function netapi32.dll:NetDfsSetInfo (138) intercepted, method ProcAddressHijack.GetProcAddress ->737D4984->6BDA6D8B
Function netapi32.dll:NetDfsSetSecurity (139) intercepted, method ProcAddressHijack.GetProcAddress ->737D4999->6BDA7822
Function netapi32.dll:NetDfsSetStdContainerSecurity (140) intercepted, method ProcAddressHijack.GetProcAddress ->737D49B2->6BDA3B24
Function netapi32.dll:NetEnumerateComputerNames (141) intercepted, method ProcAddressHijack.GetProcAddress ->737D49D7->737B5E31
Function netapi32.dll:NetEnumerateServiceAccounts (142) intercepted, method ProcAddressHijack.GetProcAddress ->737D49F8->75547191
Function netapi32.dll:NetEnumerateTrustedDomains (143) intercepted, method ProcAddressHijack.GetProcAddress ->737D4A1D->75546526
Function netapi32.dll:NetFileClose (147) intercepted, method ProcAddressHijack.GetProcAddress ->737D4A41->75AB5649
Function netapi32.dll:NetFileEnum (148) intercepted, method ProcAddressHijack.GetProcAddress ->737D4A55->75AB5719
Function netapi32.dll:NetFileGetInfo (149) intercepted, method ProcAddressHijack.GetProcAddress ->737D4A68->75AB5849
Function netapi32.dll:NetGetAnyDCName (150) intercepted, method ProcAddressHijack.GetProcAddress ->737D4A7E->75544AA5
Function netapi32.dll:NetGetDCName (151) intercepted, method ProcAddressHijack.GetProcAddress ->737D4A97->75535EB2
Function netapi32.dll:NetGetDisplayInformationIndex (152) intercepted, method ProcAddressHijack.GetProcAddress ->737D4AAD->737A52FF
Function netapi32.dll:NetGetJoinInformation (153) intercepted, method ProcAddressHijack.GetProcAddress ->737D4AD2->737B2C3F
Function netapi32.dll:NetGetJoinableOUs (154) intercepted, method ProcAddressHijack.GetProcAddress ->737D4AEF->737B59C9
Function netapi32.dll:NetGroupAdd (155) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B08->737A77C9
Function netapi32.dll:NetGroupAddUser (156) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B1B->737A79B5
Function netapi32.dll:NetGroupDel (157) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B32->737A79D3
Function netapi32.dll:NetGroupDelUser (158) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B45->737A79F3
Function netapi32.dll:NetGroupEnum (159) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B5C->737A7A11
Function netapi32.dll:NetGroupGetInfo (160) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B70->737A2C04
Function netapi32.dll:NetGroupGetUsers (161) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B87->737A7ED0
Function netapi32.dll:NetGroupSetInfo (162) intercepted, method ProcAddressHijack.GetProcAddress ->737D4B9F->737A8180
Function netapi32.dll:NetGroupSetUsers (163) intercepted, method ProcAddressHijack.GetProcAddress ->737D4BB6->737A832C
Function netapi32.dll:NetIsServiceAccount (164) intercepted, method ProcAddressHijack.GetProcAddress ->737D4BCE->755472D1
Function netapi32.dll:NetJoinDomain (165) intercepted, method ProcAddressHijack.GetProcAddress ->737D4BEB->737B54B1
Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method ProcAddressHijack.GetProcAddress ->737D4C00->737A8C32
Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method ProcAddressHijack.GetProcAddress ->737D4C18->737A8D5E
Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method ProcAddressHijack.GetProcAddress ->737D4C36->737A92FE
Function netapi32.dll:NetLocalGroupDel (169) intercepted, method ProcAddressHijack.GetProcAddress ->737D4C55->737A8D7C
Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method ProcAddressHijack.GetProcAddress ->737D4C6D->737A8E00
Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method ProcAddressHijack.GetProcAddress ->737D4C8B->737A9322
Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method ProcAddressHijack.GetProcAddress ->737D4CAA->737A8E1E
Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method ProcAddressHijack.GetProcAddress ->737D4CC3->737A2BA1
Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method ProcAddressHijack.GetProcAddress ->737D4CDF->737A21BE
Function netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method ProcAddressHijack.GetProcAddress ->737D4CFE->737A91BC
Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method ProcAddressHijack.GetProcAddress ->737D4D1A->737A92DA
Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method ProcAddressHijack.GetProcAddress ->737D4D39->75546CE1
Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method ProcAddressHijack.GetProcAddress ->737D4D65->7553617C
Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method ProcAddressHijack.GetProcAddress ->737D4D85->757CF423
Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method ProcAddressHijack.GetProcAddress ->737D4DA9->737A4F6F
Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method ProcAddressHijack.GetProcAddress ->737D4DCB->75547241
Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method ProcAddressHijack.GetProcAddress ->737D4DEB->737C2A9C
Function netapi32.dll:NetRemoteTOD (189) intercepted, method ProcAddressHijack.GetProcAddress ->737D4E0E->75AB6C01
Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method ProcAddressHijack.GetProcAddress ->737D4E22->737B5C21
Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method ProcAddressHijack.GetProcAddress ->737D4E48->75547121
Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method ProcAddressHijack.GetProcAddress ->737D4E69->737B5749
Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method ProcAddressHijack.GetProcAddress ->737D4E89->757CB537
Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method ProcAddressHijack.GetProcAddress ->737D4EAD->6BD919D1
Function netapi32.dll:NetScheduleJobDel (210) intercepted, method ProcAddressHijack.GetProcAddress ->737D4EC8->6BD91AC9
Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method ProcAddressHijack.GetProcAddress ->737D4EE3->6BD91BC1
Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method ProcAddressHijack.GetProcAddress ->737D4EFF->6BD91CE1
Function netapi32.dll:NetServerAliasAdd (213) intercepted, method ProcAddressHijack.GetProcAddress ->737D4F1E->75AB7833
Function netapi32.dll:NetServerAliasDel (214) intercepted, method ProcAddressHijack.GetProcAddress ->737D4F37->75AB7A69
Function netapi32.dll:NetServerAliasEnum (215) intercepted, method ProcAddressHijack.GetProcAddress ->737D4F50->75AB7921
Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method ProcAddressHijack.GetProcAddress ->737D4F6A->75AB7401
Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method ProcAddressHijack.GetProcAddress ->737D4F8A->75AB76EB
Function netapi32.dll:NetServerDiskEnum (218) intercepted, method ProcAddressHijack.GetProcAddress ->737D4FAA->75AB6549
Function netapi32.dll:NetServerEnum (219) intercepted, method ProcAddressHijack.GetProcAddress ->737D4FC3->6BDB2F61
Function netapi32.dll:NetServerEnumEx (220) intercepted, method ProcAddressHijack.GetProcAddress ->737D4FD9->6BDB2C5F
Function netapi32.dll:NetServerGetInfo (221) intercepted, method ProcAddressHijack.GetProcAddress ->737D4FF1->75AB3CFA
Function netapi32.dll:NetServerSetInfo (222) intercepted, method ProcAddressHijack.GetProcAddress ->737D5009->75AB6671
Function netapi32.dll:NetServerTransportAdd (223) intercepted, method ProcAddressHijack.GetProcAddress ->737D5021->75AB6841
Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method ProcAddressHijack.GetProcAddress ->737D503E->75AB7319
Function netapi32.dll:NetServerTransportDel (225) intercepted, method ProcAddressHijack.GetProcAddress ->737D505D->75AB69F1
Function netapi32.dll:NetServerTransportEnum (226) intercepted, method ProcAddressHijack.GetProcAddress ->737D507A->75AB6AC9
Function netapi32.dll:NetSessionDel (231) intercepted, method ProcAddressHijack.GetProcAddress ->737D5098->75AB5931
Function netapi32.dll:NetSessionEnum (232) intercepted, method ProcAddressHijack.GetProcAddress ->737D50AD->75AB5A01
Function netapi32.dll:NetSessionGetInfo (233) intercepted, method ProcAddressHijack.GetProcAddress ->737D50C3->75AB5B31
Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method ProcAddressHijack.GetProcAddress ->737D50DC->737B5D29
Function netapi32.dll:NetShareAdd (235) intercepted, method ProcAddressHijack.GetProcAddress ->737D50FD->75AB5C71
Function netapi32.dll:NetShareCheck (236) intercepted, method ProcAddressHijack.GetProcAddress ->737D5110->75AB5E81
Function netapi32.dll:NetShareDel (237) intercepted, method ProcAddressHijack.GetProcAddress ->737D5125->75AB5F71
Function netapi32.dll:NetShareDelEx (238) intercepted, method ProcAddressHijack.GetProcAddress ->737D5138->75AB7B51
Function netapi32.dll:NetShareDelSticky (239) intercepted, method ProcAddressHijack.GetProcAddress ->737D514D->75AB60C1
Function netapi32.dll:NetShareEnum (240) intercepted, method ProcAddressHijack.GetProcAddress ->737D5166->75AB3F33
Function netapi32.dll:NetShareEnumSticky (241) intercepted, method ProcAddressHijack.GetProcAddress ->737D517A->75AB61B9
Function netapi32.dll:NetShareGetInfo (242) intercepted, method ProcAddressHijack.GetProcAddress ->737D5194->75AB4335
Function netapi32.dll:NetShareSetInfo (243) intercepted, method ProcAddressHijack.GetProcAddress ->737D51AB->75AB6331
Function netapi32.dll:NetUnjoinDomain (245) intercepted, method ProcAddressHijack.GetProcAddress ->737D51C2->737B5639
Function netapi32.dll:NetUseAdd (247) intercepted, method ProcAddressHijack.GetProcAddress ->737D51D9->737B35DB
Function netapi32.dll:NetUseDel (248) intercepted, method ProcAddressHijack.GetProcAddress ->737D51EA->737B5FA1
Function netapi32.dll:NetUseEnum (249) intercepted, method ProcAddressHijack.GetProcAddress ->737D51FB->737B317F
Function netapi32.dll:NetUseGetInfo (250) intercepted, method ProcAddressHijack.GetProcAddress ->737D520D->737B6031
Function netapi32.dll:NetUserAdd (251) intercepted, method ProcAddressHijack.GetProcAddress ->737D5222->737A5648
Function netapi32.dll:NetUserChangePassword (252) intercepted, method ProcAddressHijack.GetProcAddress ->737D5234->737A6D0F
Function netapi32.dll:NetUserDel (253) intercepted, method ProcAddressHijack.GetProcAddress ->737D5251->737A581F
Function netapi32.dll:NetUserEnum (254) intercepted, method ProcAddressHijack.GetProcAddress ->737D5263->737A59CF
Function netapi32.dll:NetUserGetGroups (255) intercepted, method ProcAddressHijack.GetProcAddress ->737D5276->737A5DFA
Function netapi32.dll:NetUserGetInfo (256) intercepted, method ProcAddressHijack.GetProcAddress ->737D528E->737A1BE2
Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method ProcAddressHijack.GetProcAddress ->737D52A4->737A28AA
Function netapi32.dll:NetUserModalsGet (258) intercepted, method ProcAddressHijack.GetProcAddress ->737D52C1->737A64A3
Function netapi32.dll:NetUserModalsSet (259) intercepted, method ProcAddressHijack.GetProcAddress ->737D52D9->737A67B3
Function netapi32.dll:NetUserSetGroups (260) intercepted, method ProcAddressHijack.GetProcAddress ->737D52F1->737A608E
Function netapi32.dll:NetUserSetInfo (261) intercepted, method ProcAddressHijack.GetProcAddress ->737D5309->737A5D16
Function netapi32.dll:NetValidateName (262) intercepted, method ProcAddressHijack.GetProcAddress ->737D531F->737B5851
Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method ProcAddressHijack.GetProcAddress ->737D5336->737A9CBF
Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method ProcAddressHijack.GetProcAddress ->737D5357->737A9EC3
Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method ProcAddressHijack.GetProcAddress ->737D537C->737B4E3D
Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method ProcAddressHijack.GetProcAddress ->737D5398->737B4F19
Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method ProcAddressHijack.GetProcAddress ->737D53B4->737B4CF1
Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method ProcAddressHijack.GetProcAddress ->737D53D1->737B4AC9
Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method ProcAddressHijack.GetProcAddress ->737D53E9->737B372F
Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method ProcAddressHijack.GetProcAddress ->737D5404->737B4C0D
Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method ProcAddressHijack.GetProcAddress ->737D541F->737C29A4
Function netapi32.dll:NetpIsRemote (289) intercepted, method ProcAddressHijack.GetProcAddress ->737D543E->737C3835
Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method ProcAddressHijack.GetProcAddress ->737D5454->737C1C30
Function netapi32.dll:NetpwNameCompare (297) intercepted, method ProcAddressHijack.GetProcAddress ->737D5473->737C1F31
Function netapi32.dll:NetpwNameValidate (298) intercepted, method ProcAddressHijack.GetProcAddress ->737D548D->737C1989
Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method ProcAddressHijack.GetProcAddress ->737D54A8->737C263D
Function netapi32.dll:NetpwPathCompare (300) intercepted, method ProcAddressHijack.GetProcAddress ->737D54C7->737C408E
Function netapi32.dll:NetpwPathType (301) intercepted, method ProcAddressHijack.GetProcAddress ->737D54E1->737C2413
Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method ProcAddressHijack.GetProcAddress ->737D54F8->755364BC
Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method ProcAddressHijack.GetProcAddress ->737D551B->75535E80
Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method ProcAddressHijack.GetProcAddress ->737D5543->75536324
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=169B00)
 Kernel ntkrnlpa.exe found in memory at address 82C4F000
   SDT = 82DB8B00
   KiST = 82CCDD5C (401)
Function NtAdjustPrivilegesToken (0C) intercepted (82ED4BE5->AC04AE36), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcConnectPort (16) intercepted (82EC52A6->AC04D074), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcCreatePort (17) intercepted (82E44C82->AC04D2EE), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtAlpcSendWaitReceivePort (27) intercepted (82EA1FAF->AC04D564), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (32) intercepted (82E94420->AC04B74A), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (3B) intercepted (82EC7DB1->AC04C57E), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (40) intercepted (82E90717->AC04CAC8), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (42) intercepted (82E9F28A->AC04BA26), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (4A) intercepted (82E60212->AC04C9AE), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (4B) intercepted (82ED05A1->AC04AA24), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (4D) intercepted (82E417D5->AC04C882), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (54) intercepted (82E72F75->AC04ABCC), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (55) intercepted (82E55A09->AC04CBE8), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (57) intercepted (82F2BCCE->AC04B3D0), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThreadEx (58) intercepted (82EC01CC->AC04B4CE), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateUserProcess (5D) intercepted (82EBE0FE->AC04D7AE), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (5E) intercepted (82DF413C->AC04C918), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (60) intercepted (82EFDBE0->AC04E2D6), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (6B) intercepted (82EC3472->AC04BEA8), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (6F) intercepted (82E81582->AC04F4E4), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (86) intercepted (82EA5748->AC04BCB6), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (9B) intercepted (82E15B80->AC04E3C8), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (A8) intercepted (82E9643A->AC04EB30), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (B1) intercepted (82E5FC0E->AC04CB5E), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (B3) intercepted (82E81BA2->AC04B7CC), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (BB) intercepted (82EB1188->AC04CA3E), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (BE) intercepted (82E61A58->AC04B074), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (C2) intercepted (82EB971C->AC04E8CA), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (C3) intercepted (82E3513C->AC04CC7E), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (C6) intercepted (82EADE2D->AC04AF64), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryDirectoryObject (E0) intercepted (82EA8A96->AC04D868), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (FE) intercepted (82EC6A8E->AC04EE6A), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (10D) intercepted (82E4BD20->AC04E75C), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (124) intercepted (82EEB948->AC0496DE), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (126) intercepted (82E40AB3->AC04CFE2), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (127) intercepted (82E88674->AC04CEA8), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (12B) intercepted (82E8D96B->AC04E070), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (12E) intercepted (82EE19B4->AC049A56), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (130) intercepted (82EC03F3->AC04F386), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (135) intercepted (82EE3226->AC049676), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (138) intercepted (82EADE62->AC04C2C4), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (13C) intercepted (82F2CDCF->AC04B5EC), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (150) intercepted (82E537FC->AC04D90A), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (15B) intercepted (82E516A2->AC04E566), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (15E) intercepted (82E9E194->AC04EFBA), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (16E) intercepted (82F2D96F->AC04F0AC), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (16F) intercepted (82EE4EDD->AC04F1E6), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (170) intercepted (82ED5514->AC04E1FA), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (172) intercepted (82EAAA65->AC04B21A), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (173) intercepted (82EC83DC->AC04B170), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (181) intercepted (82EB46E2->AC04ED0E), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (18F) intercepted (82EAF7C2->AC04B306), hook C:\Windows\system32\DRIVERS\6875123drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 401, intercepted: 52, restored: 52
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00000000
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
 Checking - complete
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Process termination timeout is out of admissible values
 >>  Service termination timeout is out of admissible values
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

System Analysis - complete