Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 14/05/2012; 15:48)

List of processes

File name	PID	Description	Copyright	MD5	Information
Detected:42, recognized as trusted 42

Module name	Handle	Description	Copyright	MD5	Used by processes
Modules detected:461, recognized as trusted 461

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, BC delete	F4399000	018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, BC delete	F7A72000	002000 (8192)
C:\WINDOWS\system32\Drivers\uphcleanhlp.sys Script: Quarantine, Delete, BC delete	F1377000	003000 (12288)
Modules detected - 153, recognized as trusted - 150

Services

Service	Description	Status	File	Group	Dependencies
RoxLiveShare9 Service: Stop, Delete, Disable, BC delete	LiveShare P2P Server 9	Not started	C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe Script: Quarantine, Delete, BC delete		RPCSS
Detected - 109, recognized as trusted - 108

Drivers

Service	Description	Status	File	Group	Dependencies
Abiosdsk Driver: Unload, Delete, Disable, BC delete	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
Atdisk Driver: Unload, Delete, Disable, BC delete	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Not started	C:\DOCUME~1\hra\LOCALS~1\Temp\catchme.sys Script: Quarantine, Delete, BC delete	Base
Changer Driver: Unload, Delete, Disable, BC delete	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
lbrtfdc Driver: Unload, Delete, Disable, BC delete	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
LMIRfsClientNP Driver: Unload, Delete, Disable, BC delete	LMIRfsClientNP	Not started	LMIRfsClientNP.sys Script: Quarantine, Delete, BC delete	NetworkProvider
PCIDump Driver: Unload, Delete, Disable, BC delete	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable, BC delete	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, BC delete
PDFRAME Driver: Unload, Delete, Disable, BC delete	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, BC delete
PDRELI Driver: Unload, Delete, Disable, BC delete	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, BC delete
PDRFRAME Driver: Unload, Delete, Disable, BC delete	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, BC delete
Simbad Driver: Unload, Delete, Disable, BC delete	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
WDICA Driver: Unload, Delete, Disable, BC delete	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, BC delete
Detected - 214, recognized as trusted - 201

Autoruns

File name	Status	Startup method	Description
C:\Documents and Settings\hra\Local Settings\Temp\_uninst_27976583.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\hra\Start Menu\Programs\Startup\, C:\Documents and Settings\hra\Start Menu\Programs\Startup\_uninst_27976583.lnk,
C:\WINDOWS\System32\Drivers\lbrtfdc.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\KB905474\wgasetup.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup, EventMessageFile
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
kbd101.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN Delete
kbd101a.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-2617700467-1337732287-186788590-2635\Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 811, recognized as trusted - 785

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
Elements detected - 13, recognized as trusted - 13

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
Elements detected - 207, recognized as trusted - 202

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 12, recognized as trusted - 12

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 3, recognized as trusted - 3

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 4, recognized as trusted - 4

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 11, recognized as trusted - 11
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 53305 [1088] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 2240 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 63648 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1032 ESTABLISHED 127.0.0.1 5354 [2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1052 ESTABLISHED 64.74.103.159 443 [124] c:\program files\logmein\x86\logmein.exe
Script: Quarantine, Delete, BC delete, Terminate
1056 ESTABLISHED 127.0.0.1 2002 [2212] c:\program files\logmein\x86\logmeinsystray.exe
Script: Quarantine, Delete, BC delete, Terminate
1063 LISTENING 0.0.0.0 63705 [3416] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
2002 LISTENING 0.0.0.0 32877 [124] c:\program files\logmein\x86\logmein.exe
Script: Quarantine, Delete, BC delete, Terminate
2002 ESTABLISHED 127.0.0.1 1056 [124] c:\program files\logmein\x86\logmein.exe
Script: Quarantine, Delete, BC delete, Terminate
2990 ESTABLISHED 192.168.0.91 32465 [1072] c:\docume~1\hra\locals~1\temp\1062207\4412528.exe
Script: Quarantine, Delete, BC delete, Terminate
3124 ESTABLISHED 192.168.0.120 445 [4] System
Script: Quarantine, Delete, BC delete, Terminate
3129 ESTABLISHED 192.168.2.110 139 [4] System
Script: Quarantine, Delete, BC delete, Terminate
3389 LISTENING 0.0.0.0 55444 [984] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3428 TIME_WAIT 204.232.200.90 80 [0]
5152 LISTENING 0.0.0.0 63608 [476] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
5152 CLOSE_WAIT 127.0.0.1 3137 [476] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 24786 [176] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 ESTABLISHED 127.0.0.1 1032 [176] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
6999 LISTENING 0.0.0.0 10361 [2100] c:\program files\trend micro\client server security agent\tmproxy.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 2064 [2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
36256 LISTENING 0.0.0.0 20618 [1952] c:\program files\trend micro\client server security agent\tmlisten.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1184] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1184] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [716] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING -- -- [716] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1028 LISTENING -- -- [2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1029 LISTENING -- -- [2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1030 LISTENING -- -- [176] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
1069 LISTENING -- -- [660] \??\c:\windows\system32\winlogon.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1384] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1384] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3594 LISTENING -- -- [2532] c:\program files\common files\installshield\updateservice\agent.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [716] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [176] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Elements detected - 11, recognized as trusted - 11

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 28, recognized as trusted - 28

Active Setup

File name Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
Elements detected - 32, recognized as trusted - 32

Suspicious objects

File Description Type

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B90010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00B90080<>7C80B56F
IAT modification detected: FreeLibrary - 00B900F0<>7C80AC7E
IAT modification detected: GetModuleFileNameW - 00B90160<>7C80B475
IAT modification detected: CreateProcessW - 00B901D0<>7C802336
IAT modification detected: LoadLibraryW - 00B902B0<>7C80AEEB
IAT modification detected: LoadLibraryA - 00B90320<>7C801D7B
IAT modification detected: GetProcAddress - 00B90390<>7C80AE40
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 80504494 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00093D84
Disable callback - уже нейтирализованы
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
 Checking - complete
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: terminal connections to the PC are allowed
>> Security: sending Remote Assistant queries is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  Windows Explorer - show extensions of known file types
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: prevent terminal connections to the PC
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	53305	[1088] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	2240	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	63648	[4] System Script: Quarantine, Delete, BC delete, Terminate
1032	ESTABLISHED	127.0.0.1	5354	[2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1052	ESTABLISHED	64.74.103.159	443	[124] c:\program files\logmein\x86\logmein.exe Script: Quarantine, Delete, BC delete, Terminate
1056	ESTABLISHED	127.0.0.1	2002	[2212] c:\program files\logmein\x86\logmeinsystray.exe Script: Quarantine, Delete, BC delete, Terminate
1063	LISTENING	0.0.0.0	63705	[3416] c:\windows\system32\alg.exe Script: Quarantine, Delete, BC delete, Terminate
2002	LISTENING	0.0.0.0	32877	[124] c:\program files\logmein\x86\logmein.exe Script: Quarantine, Delete, BC delete, Terminate
2002	ESTABLISHED	127.0.0.1	1056	[124] c:\program files\logmein\x86\logmein.exe Script: Quarantine, Delete, BC delete, Terminate
2990	ESTABLISHED	192.168.0.91	32465	[1072] c:\docume~1\hra\locals~1\temp\1062207\4412528.exe Script: Quarantine, Delete, BC delete, Terminate
3124	ESTABLISHED	192.168.0.120	445	[4] System Script: Quarantine, Delete, BC delete, Terminate
3129	ESTABLISHED	192.168.2.110	139	[4] System Script: Quarantine, Delete, BC delete, Terminate
3389	LISTENING	0.0.0.0	55444	[984] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3428	TIME_WAIT	204.232.200.90	80	[0]
5152	LISTENING	0.0.0.0	63608	[476] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, BC delete, Terminate
5152	CLOSE_WAIT	127.0.0.1	3137	[476] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	24786	[176] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5354	ESTABLISHED	127.0.0.1	1032	[176] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
6999	LISTENING	0.0.0.0	10361	[2100] c:\program files\trend micro\client server security agent\tmproxy.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	2064	[2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
36256	LISTENING	0.0.0.0	20618	[1952] c:\program files\trend micro\client server security agent\tmlisten.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123	LISTENING	--	--	[1184] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
123	LISTENING	--	--	[1184] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[716] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
1025	LISTENING	--	--	[716] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
1028	LISTENING	--	--	[2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1029	LISTENING	--	--	[2012] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1030	LISTENING	--	--	[176] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
1069	LISTENING	--	--	[660] \??\c:\windows\system32\winlogon.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1384] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1384] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
3594	LISTENING	--	--	[2532] c:\program files\common files\installshield\updateservice\agent.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[716] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[176] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate