Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 27/09/2011; 19:11)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files\dcmsvc\dcmsvc.exe Script: Quarantine, Delete, BC delete, Terminate	452			??	29.73 kb, rsAh, created: 01.01.2010 13:41:52, modified: 07.04.2009 14:53:32 Command line: "C:\Program Files\dcmsvc\dcmsvc.exe"
c:\program files\hp\digital imaging\bin\hpqste08.exe Script: Quarantine, Delete, BC delete, Terminate	3172	HP CUE Status Root	Copyright (C) Hewlett-Packard Co. 1995-2009	??	165.00 kb, rsAh, created: 21.05.2009 22:46:36, modified: 21.05.2009 22:46:36 Command line: "C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe" -CtxID "#Hewlett-Packard#HP Deskjet F4400 series#1262563394" -Startup
c:\program files\hp\digital imaging\bin\hpqtra08.exe Script: Quarantine, Delete, BC delete, Terminate	752	HP Digital Imaging Monitor	Copyright (C) Hewlett-Packard Co. 1995-2009	??	269.30 kb, rsAh, created: 21.05.2009 23:13:36, modified: 21.05.2009 23:13:36 Command line: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"
c:\documents and settings\jeremiah schumacher\application data\sandisk\sandisksecureaccess_manager.exe Script: Quarantine, Delete, BC delete, Terminate	596	RunSanDiskSecureAccess_Win	Copyright (C) 2010	??	30366.63 kb, rsAh, created: 22.11.2010 17:09:49, modified: 10.11.2010 18:16:42 Command line: "C:\Documents and Settings\Jeremiah Schumacher\Application Data\SanDisk\SanDiskSecureAccess_Manager.exe"
c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate	1432	Spooler SubSystem App	© Microsoft Corporation. All rights reserved.	??	57.50 kb, rsAh, created: 31.03.2003 07:00:00, modified: 17.08.2010 08:17:06 Command line: C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate	176	Generic Host Process for Win32 Services	© Microsoft Corporation. All rights reserved.	??	14.00 kb, rsAh, created: 31.03.2003 07:00:00, modified: 13.04.2008 19:12:36 Command line: C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\program files\warner bros. digital copy manager\warner bros. digital copy manager.exe Script: Quarantine, Delete, BC delete, Terminate	896			??	139.00 kb, rsAh, created: 24.03.2011 06:42:32, modified: 24.03.2011 06:42:32 Command line: "C:\Program Files\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe"
Detected:46, recognized as trusted 43

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Documents and Settings\Jeremiah Schumacher\Application Data\SanDisk\My Vaults\dmBackup.dll Script: Quarantine, Delete, BC delete	268435456			--	596
C:\Documents and Settings\Jeremiah Schumacher\Application Data\SanDisk\My Vaults\dmEngineAPP.dll Script: Quarantine, Delete, BC delete	73793536			--	596
C:\Program Files\HP\Digital Imaging\bin\hpocxi08.dll Script: Quarantine, Delete, BC delete	337641472	HP CUE/AiO Context Information Objects	Copyright (C) Hewlett-Packard Co. 1995-2009	--	176
C:\Program Files\HP\Digital Imaging\bin\hpodio08.dll Script: Quarantine, Delete, BC delete	21233664	HP OfficeJet COM Device IO Objects (CUE)	Copyright (C) Hewlett-Packard Co. 1995-2009	--	3172, 752
C:\Program Files\HP\Digital Imaging\bin\hpotra08.dll Script: Quarantine, Delete, BC delete	375390208	HP All-in-One TrayAppPlugin	Copyright (C) Hewlett-Packard Co. 1995-2009	--	752
C:\WINDOWS\system32\CNMLM38.DLL Script: Quarantine, Delete, BC delete	1724907520	BJ Language Monitor	Copyright CANON INC. 1999-2001 All Rights Reserved	--	1432
C:\WINDOWS\system32\hpzll3xu.dll Script: Quarantine, Delete, BC delete	14024704	LanguageMonitor	Copyright (C) 1999	--	1432
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\CNMPD38.DLL Script: Quarantine, Delete, BC delete	14417920	Canon BJ Print Processor Dispatcher	Copyright CANON INC. 1999-2001 All Rights Reserved	--	1432
Modules detected:413, recognized as trusted 405

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
30742503.sys Script: Quarantine, Delete, BC delete	BA2DE000	522000 (5382144)
C:\WINDOWS\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, BC delete	B8521000	018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, BC delete	F79C9000	002000 (8192)
C:\WINDOWS\System32\DRIVERS\msikbd2k.sys Script: Quarantine, Delete, BC delete	F799F000	002000 (8192)
Modules detected - 137, recognized as trusted - 133

Services

Service	Description	Status	File	Group	Dependencies
sdCoreService Service: Stop, Delete, Disable, BC delete	PC Tools Security Service	Not started	C:\Program Files\PC Tools Security\pctsSvc.exe Script: Quarantine, Delete, BC delete
WebrootSpySweeperService Service: Stop, Delete, Disable, BC delete	Webroot Spy Sweeper Engine	Not started	C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe Script: Quarantine, Delete, BC delete		RPCSS
Detected - 114, recognized as trusted - 112

Drivers

Service	Description	Status	File	Group	Dependencies
msikbd2k Driver: Unload, Delete, Disable, BC delete	Multimedia Keyboard Filter Driver	Running	C:\WINDOWS\system32\DRIVERS\msikbd2k.sys Script: Quarantine, Delete, BC delete	Keyboard Class
Abiosdsk Driver: Unload, Delete, Disable, BC delete	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
abp480n5 Driver: Unload, Delete, Disable, BC delete	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, BC delete	SCSI miniport
adpu160m Driver: Unload, Delete, Disable, BC delete	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Aha154x Driver: Unload, Delete, Disable, BC delete	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable, BC delete	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78xx Driver: Unload, Delete, Disable, BC delete	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
AliIde Driver: Unload, Delete, Disable, BC delete	AliIde	Not started	AliIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
amsint Driver: Unload, Delete, Disable, BC delete	amsint	Not started	amsint.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc Driver: Unload, Delete, Disable, BC delete	asc	Not started	asc.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3350p Driver: Unload, Delete, Disable, BC delete	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3550 Driver: Unload, Delete, Disable, BC delete	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Atdisk Driver: Unload, Delete, Disable, BC delete	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
BsUDF Driver: Unload, Delete, Disable, BC delete	InCD UDF Driver	Not started	C:\WINDOWS\system32\Drivers\BsUDF.sys Script: Quarantine, Delete, BC delete	File System
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\ComboFix2\catchme.sys Script: Quarantine, Delete, BC delete	Base
cd20xrnt Driver: Unload, Delete, Disable, BC delete	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Changer Driver: Unload, Delete, Disable, BC delete	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
CmdIde Driver: Unload, Delete, Disable, BC delete	CmdIde	Not started	CmdIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
Cpqarray Driver: Unload, Delete, Disable, BC delete	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, BC delete	SCSI miniport
cpuz135 Driver: Unload, Delete, Disable, BC delete	cpuz135	Not started	C:\DOCUME~1\JEREMI~1\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys Script: Quarantine, Delete, BC delete
dac960nt Driver: Unload, Delete, Disable, BC delete	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
dpti2o Driver: Unload, Delete, Disable, BC delete	dpti2o	Not started	dpti2o.sys Script: Quarantine, Delete, BC delete	SCSI miniport
EraserUtilRebootDrv Driver: Unload, Delete, Disable, BC delete	EraserUtilRebootDrv	Not started	C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys Script: Quarantine, Delete, BC delete
hpn Driver: Unload, Delete, Disable, BC delete	hpn	Not started	hpn.sys Script: Quarantine, Delete, BC delete	SCSI miniport
i2omgmt Driver: Unload, Delete, Disable, BC delete	i2omgmt	Not started	i2omgmt.sys Script: Quarantine, Delete, BC delete	SCSI Class
i2omp Driver: Unload, Delete, Disable, BC delete	i2omp	Not started	i2omp.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ini910u Driver: Unload, Delete, Disable, BC delete	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, BC delete	SCSI miniport
IntelIde Driver: Unload, Delete, Disable, BC delete	IntelIde	Not started	IntelIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
lbrtfdc Driver: Unload, Delete, Disable, BC delete	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
mraid35x Driver: Unload, Delete, Disable, BC delete	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
PalmUSBD Driver: Unload, Delete, Disable, BC delete	PalmUSBD	Not started	C:\WINDOWS\system32\drivers\PalmUSBD.sys Script: Quarantine, Delete, BC delete
PCIDump Driver: Unload, Delete, Disable, BC delete	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
PCIIde Driver: Unload, Delete, Disable, BC delete	PCIIde	Not started	PCIIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
PDCOMP Driver: Unload, Delete, Disable, BC delete	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, BC delete
PDFRAME Driver: Unload, Delete, Disable, BC delete	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, BC delete
PDRELI Driver: Unload, Delete, Disable, BC delete	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, BC delete
PDRFRAME Driver: Unload, Delete, Disable, BC delete	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, BC delete
perc2 Driver: Unload, Delete, Disable, BC delete	perc2	Not started	perc2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
perc2hib Driver: Unload, Delete, Disable, BC delete	perc2hib	Not started	perc2hib.sys Script: Quarantine, Delete, BC delete	Filter
ql1080 Driver: Unload, Delete, Disable, BC delete	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable, BC delete	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql12160 Driver: Unload, Delete, Disable, BC delete	ql12160	Not started	ql12160.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1240 Driver: Unload, Delete, Disable, BC delete	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1280 Driver: Unload, Delete, Disable, BC delete	ql1280	Not started	ql1280.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Simbad Driver: Unload, Delete, Disable, BC delete	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
Sparrow Driver: Unload, Delete, Disable, BC delete	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_hi Driver: Unload, Delete, Disable, BC delete	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_u3 Driver: Unload, Delete, Disable, BC delete	sym_u3	Not started	sym_u3.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc810 Driver: Unload, Delete, Disable, BC delete	symc810	Not started	symc810.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc8xx Driver: Unload, Delete, Disable, BC delete	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
TosIde Driver: Unload, Delete, Disable, BC delete	TosIde	Not started	TosIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
TrueSight Driver: Unload, Delete, Disable, BC delete	TrueSight	Not started	C:\Documents and Settings\Jeremiah Schumacher\Desktop\TrueSight.sys Script: Quarantine, Delete, BC delete
ultra Driver: Unload, Delete, Disable, BC delete	ultra	Not started	ultra.sys Script: Quarantine, Delete, BC delete	SCSI miniport
WDICA Driver: Unload, Delete, Disable, BC delete	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, BC delete
Detected - 205, recognized as trusted - 151

Autoruns

File name	Status	Startup method	Description
C:\Documents and Settings\Jeremiah Schumacher\Application Data\Adobe\AdobeUpdate\Adobeupdt32.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Run, AdobeUpdate Delete
C:\Documents and Settings\Jeremiah Schumacher\Application Data\Adobe\AdobeUpdate\Adobeupdt32.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Run, AdobeUpdate Delete
C:\Documents and Settings\Jeremiah Schumacher\Application Data\B25DB8D00F176EBFC376C8CBDE506700\kocinc700kk.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1123561945-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run, kocinc700kk.exe Delete
C:\Documents and Settings\Jeremiah Schumacher\Application Data\SanDisk\SanDiskSecureAccess_Manager.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1123561945-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run, SanDiskSecureAccess_Manager.exe Delete
C:\Documents and Settings\Jeremiah Schumacher\Local Settings\temp\_uninst_30742503.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Jeremiah Schumacher\Start Menu\Programs\Startup\, C:\Documents and Settings\Jeremiah Schumacher\Start Menu\Programs\Startup\_uninst_30742503.lnk,
C:\PROGRA~1\COMMON~1\fluxDVD\Lib\XEB\XEBShell.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {C9CF278C-460E-4917-BC43-3F75E6E47D3D} Delete
C:\Program Files\Malware Erase\Malwarebytes' Anti-Malware\Desktop\mbam.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Jeremiah Schumacher\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Jeremiah Schumacher\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk,
C:\Program Files\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Jeremiah Schumacher\Start Menu\Programs\Startup\, C:\Documents and Settings\Jeremiah Schumacher\Start Menu\Programs\Startup\Warner Bros.lnk,
C:\Program Files\XPMedic\XPMedic.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Jeremiah Schumacher\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Jeremiah Schumacher\Application Data\Microsoft\Internet Explorer\Quick Launch\XPMedic.lnk,
C:\Program Files\dcmsvc\dcmsvc.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, dcmsvc Delete
C:\WINDOWS\Installer\{C73F2967-062E-48F2-A462-D335B8950183}\SafariIco.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\Jeremiah Schumacher\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Jeremiah Schumacher\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk,
C:\WINDOWS\System32\Drivers\AliIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\aliide, EventMessageFile
C:\WINDOWS\System32\Drivers\CmdIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cmdide, EventMessageFile
C:\WINDOWS\System32\Drivers\IntelIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide, EventMessageFile
C:\WINDOWS\System32\Drivers\PciIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\pciide, EventMessageFile
C:\WINDOWS\System32\Drivers\TosIde.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\toside, EventMessageFile
C:\WINDOWS\System32\Drivers\lbrtfdc.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
C:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\KB905474\wgasetup.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup, EventMessageFile
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
kbd101.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN Delete
kbd101a.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-1123561945-117609710-839522115-1003\Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 840, recognized as trusted - 798

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\WINDOWS\system32\wscui32.dll Script: Quarantine, Delete, BC delete	BHO			{021E961F-C02A-4D57-832D-9264684EC5Ad} Delete
	BHO			{5C255C8A-E604-49b4-9D64-90988571CECB} Delete
	Explorer Bar			{32683183-48a0-441b-a342-7c2a440a9478} Delete
Elements detected - 19, recognized as trusted - 16

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	Media Band			{32683183-48a0-441b-a342-7c2a440a9478} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
C:\PROGRA~1\COMMON~1\fluxDVD\Lib\XEB\XEBShell.dll Script: Quarantine, Delete, BC delete	fluxDVD Shell Extension	fluxDVD Shell Extension	Copyright © 2005-2007 ACE GmbH	{C9CF278C-460E-4917-BC43-3F75E6E47D3D} Delete
	{A0EAC751-EFE8-4757-A7BA-1CA34A8341CB}			MaxContextMenu extension Delete
Elements detected - 199, recognized as trusted - 191

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
C:\WINDOWS\system32\CNMLM38.DLL Script: Quarantine, Delete, BC delete	Monitor	Canon BJ Language Monitor S300	BJ Language Monitor	Copyright CANON INC. 1999-2001 All Rights Reserved
C:\WINDOWS\system32\hpzll3xu.dll Script: Quarantine, Delete, BC delete	Monitor	LIDIL Language Monitor	LanguageMonitor	Copyright (C) 1999
Elements detected - 13, recognized as trusted - 11

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 4, recognized as trusted - 4

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 6, recognized as trusted - 6

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 18, recognized as trusted - 18
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
7 LISTENING 0.0.0.0 47242 [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
9 LISTENING 0.0.0.0 61652 [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
13 LISTENING 0.0.0.0 39086 [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
17 LISTENING 0.0.0.0 47106 [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
19 LISTENING 0.0.0.0 6184 [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
135 LISTENING 0.0.0.0 47260 [1076] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 24726 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1030 ESTABLISHED 127.0.0.1 27015 [556] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
1037 LISTENING 0.0.0.0 34931 [2760] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
5152 LISTENING 0.0.0.0 55514 [252] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 2128 [1932] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
9421 LISTENING 0.0.0.0 47256 [1812] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
9422 LISTENING 0.0.0.0 97 [1812] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
9423 LISTENING 0.0.0.0 43062 [1812] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
21534 LISTENING 0.0.0.0 55532 [452] c:\program files\dcmsvc\dcmsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 26792 [1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 ESTABLISHED 127.0.0.1 1030 [1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
7 LISTENING -- -- [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
9 LISTENING -- -- [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
13 LISTENING -- -- [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
17 LISTENING -- -- [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
19 LISTENING -- -- [1132] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1120] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
161 LISTENING -- -- [1496] c:\windows\system32\snmp.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [788] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING -- -- [1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1026 LISTENING -- -- [1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1027 LISTENING -- -- [1932] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
1028 LISTENING -- -- [1812] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1029 LISTENING -- -- [1812] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1031 LISTENING -- -- [556] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
1032 LISTENING -- -- [556] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, BC delete, Terminate
1040 LISTENING -- -- [1704] c:\windows\explorer.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1320] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [788] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [1932] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
C:\WINDOWS\Downloaded Program Files\symdlmgr.dll
Script: Quarantine, Delete, BC delete Symantec Shared Component Copyright (c) 2000-2006 Symantec Corporation. All rights reserved. {6A344D34-5231-452A-8A57-D064AC9B7862}
Delete https://webdl.symantec.com/activex/symdlmgr.cab
C:\WINDOWS\Downloaded Program Files\cpcScan.dll
Script: Quarantine, Delete, BC delete BIOS Scanner Crucial Technology, Inc. All rights reserved. {A90A5822-F108-45AD-8482-9BC8B12DD539}
Delete http://www.crucial.com/controls/cpcScanner.cab
C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll
Script: Quarantine, Delete, BC delete WinAmpX Module Copyright 1999 {FA3662C3-B8E8-11D6-A667-0010B556D978}
Delete http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Elements detected - 12, recognized as trusted - 9

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 26, recognized as trusted - 26

Active Setup

File name Description Manufacturer CLSID
Elements detected - 15, recognized as trusted - 15

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 33, recognized as trusted - 30

Suspicious objects

File Description Type

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B30010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00B30080<>7C80B56F
IAT modification detected: FreeLibrary - 00B300F0<>7C80AC7E
IAT modification detected: GetModuleFileNameW - 00B30160<>7C80B475
IAT modification detected: CreateProcessW - 00B301D0<>7C802336
IAT modification detected: LoadLibraryW - 00B302B0<>7C80AEEB
IAT modification detected: LoadLibraryA - 00B30320<>7C801D7B
IAT modification detected: GetProcAddress - 00B30390<>7C80AE40
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=0832A0)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 8055A2A0
   KiST = 804E26B8 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
CmpCallCallBacks = 0013AD62
Disable callback - уже нейтирализованы
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\driver\tcpip[IRP_MJ_CREATE] = 8A0D1AF8 -> hook not defined
\driver\tcpip[IRP_MJ_CREATE_NAMED_PIPE] = 8A0D1A80 -> hook not defined
\driver\tcpip[IRP_MJ_CLOSE] = 8A0D1A08 -> hook not defined
\driver\tcpip[IRP_MJ_READ] = 8A0D1990 -> hook not defined
\driver\tcpip[IRP_MJ_WRITE] = 8A0D1918 -> hook not defined
\driver\tcpip[IRP_MJ_QUERY_INFORMATION] = 8A0D18A0 -> hook not defined
\driver\tcpip[IRP_MJ_SET_INFORMATION] = 8A0D1828 -> hook not defined
\driver\tcpip[IRP_MJ_QUERY_EA] = 8A0D17B0 -> hook not defined
\driver\tcpip[IRP_MJ_SET_EA] = 8A0D1738 -> hook not defined
\driver\tcpip[IRP_MJ_FLUSH_BUFFERS] = 8A0D16C0 -> hook not defined
\driver\tcpip[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A0D1648 -> hook not defined
\driver\tcpip[IRP_MJ_SET_VOLUME_INFORMATION] = 8A0D15D0 -> hook not defined
\driver\tcpip[IRP_MJ_DIRECTORY_CONTROL] = 8A0D1558 -> hook not defined
\driver\tcpip[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A0D14E0 -> hook not defined
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = 8A0D1468 -> hook not defined
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = 8A0D13F0 -> hook not defined
\driver\tcpip[IRP_MJ_SHUTDOWN] = 8A0D1378 -> hook not defined
\driver\tcpip[IRP_MJ_LOCK_CONTROL] = 8A0D1300 -> hook not defined
\driver\tcpip[IRP_MJ_CLEANUP] = 8A0D1288 -> hook not defined
\driver\tcpip[IRP_MJ_CREATE_MAILSLOT] = 8A0D1210 -> hook not defined
\driver\tcpip[IRP_MJ_QUERY_SECURITY] = 8A0D1198 -> hook not defined
\driver\tcpip[IRP_MJ_SET_SECURITY] = 8A0D1120 -> hook not defined
\driver\tcpip[IRP_MJ_POWER] = 8A0D10A8 -> hook not defined
\driver\tcpip[IRP_MJ_SYSTEM_CONTROL] = 8A0D0020 -> hook not defined
\driver\tcpip[IRP_MJ_DEVICE_CHANGE] = 8A0D0FA8 -> hook not defined
\driver\tcpip[IRP_MJ_QUERY_QUOTA] = 8A0D0F30 -> hook not defined
\driver\tcpip[IRP_MJ_SET_QUOTA] = 8A0D0EB8 -> hook not defined
\driver\tcpip[IRP_MJ_PNP] = 8A0D0E40 -> hook not defined
 Checking - complete
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
 >>  Process termination timeout is out of admissible values
 >>  Service termination timeout is out of admissible values
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
7	LISTENING	0.0.0.0	47242	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
9	LISTENING	0.0.0.0	61652	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
13	LISTENING	0.0.0.0	39086	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
17	LISTENING	0.0.0.0	47106	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
19	LISTENING	0.0.0.0	6184	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
135	LISTENING	0.0.0.0	47260	[1076] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	24726	[4] System Script: Quarantine, Delete, BC delete, Terminate
1030	ESTABLISHED	127.0.0.1	27015	[556] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
1037	LISTENING	0.0.0.0	34931	[2760] c:\windows\system32\alg.exe Script: Quarantine, Delete, BC delete, Terminate
5152	LISTENING	0.0.0.0	55514	[252] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	2128	[1932] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
9421	LISTENING	0.0.0.0	47256	[1812] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
9422	LISTENING	0.0.0.0	97	[1812] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
9423	LISTENING	0.0.0.0	43062	[1812] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
21534	LISTENING	0.0.0.0	55532	[452] c:\program files\dcmsvc\dcmsvc.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	26792	[1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
27015	ESTABLISHED	127.0.0.1	1030	[1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
7	LISTENING	--	--	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
9	LISTENING	--	--	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
13	LISTENING	--	--	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
17	LISTENING	--	--	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
19	LISTENING	--	--	[1132] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
123	LISTENING	--	--	[1120] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
161	LISTENING	--	--	[1496] c:\windows\system32\snmp.exe Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[788] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
1025	LISTENING	--	--	[1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1026	LISTENING	--	--	[1880] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1027	LISTENING	--	--	[1932] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
1028	LISTENING	--	--	[1812] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1029	LISTENING	--	--	[1812] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1031	LISTENING	--	--	[556] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
1032	LISTENING	--	--	[556] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, BC delete, Terminate
1040	LISTENING	--	--	[1704] c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1320] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[788] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[1932] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate