Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 24/06/2012; 09:22)

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files\common files\arcsoft\connection service\bin\acservice.exe Script: Quarantine, Delete, BC delete, Terminate	1812	ArcSoft Connect Service	Copyright (C) ArcSoft 2007	??	110.50 kb, rsAh, created: 11.09.2010 20:43:05, modified: 11.11.2011 17:24:16 Command line: "C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe"
c:\program files\bt business broadband desktop help\btbb\bthelpnotifier.exe Script: Quarantine, Delete, BC delete, Terminate	5208	mcci+McciTrayApp	Copyright Є 1999-2009, Alcatel-Lucent	??	1547.50 kb, rsAh, created: 25.05.2010 10:07:08, modified: 07.12.2009 12:56:00 Command line: "C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe"
c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate	920	Cisco Systems VPN Client	Copyright © 1998-2003 Cisco Systems, Inc.	??	1400.02 kb, rsAh, created: 12.02.2008 17:01:12, modified: 11.11.2011 17:24:21 Command line: "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
c:\program files\wave systems corp\common\dataserver.exe Script: Quarantine, Delete, BC delete, Terminate	1076	Database Service	Copyright © 2004 Wave Systems Corp.	??	308.00 kb, rsAh, created: 25.03.2006 17:24:04, modified: 11.11.2011 17:24:23 Command line: "C:\Program Files\Wave Systems Corp\Common\DataServer.exe"
c:\program files\intel\wireless\bin\evteng.exe Script: Quarantine, Delete, BC delete, Terminate	1236	Intel(R) PROSet/Wireless Event Log	Copyright (c) Intel Corporation 1999-2005	??	112.06 kb, rsAh, created: 28.12.2005 11:45:02, modified: 11.11.2011 17:24:10 Command line: "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe"
c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate	5528	Windows Explorer	© Microsoft Corporation. All rights reserved.	??	1009.50 kb, rsAh, created: 11.08.2004 17:00:13, modified: 14.04.2008 01:12:19 Command line: C:\WINDOWS\explorer.exe
c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate	556	LSA Shell (Export Version)	© Microsoft Corporation. All rights reserved.	??	13.00 kb, rsAh, created: 11.08.2004 17:00:18, modified: 14.04.2008 01:12:24 Command line: C:\WINDOWS\system32\lsass.exe
c:\mbl\mbrain\software\mortgage brain framework 1.0\bin\mbservicehost.exe Script: Quarantine, Delete, BC delete, Terminate	2040	mbServiceHost	Copyright © 2010	??	28.50 kb, rsAh, created: 30.11.2010 14:16:18, modified: 30.11.2010 14:16:18 Command line: "C:\MBL\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe"
c:\program files\common files\motive\mccicmservice.exe Script: Quarantine, Delete, BC delete, Terminate	796	mcci+McciCMService	Copyright Є 1999-2009, Alcatel-Lucent	??	312.00 kb, rsAh, created: 25.05.2010 10:05:59, modified: 11.11.2011 17:24:26 Command line: "C:\Program Files\Common Files\Motive\McciCMService.exe"
c:\program files\vodafone\vodafone mobile connect\bin\mobileconnect.exe Script: Quarantine, Delete, BC delete, Terminate	4888	MobileConnect	Copyright © 2005-2009 Vodafone Group. All rights reserved.	??	2355.50 kb, rsAh, created: 20.04.2010 11:43:08, modified: 18.09.2009 18:48:34 Command line: "C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" /silent
c:\program files\dell\quickset\nicconfigsvc.exe Script: Quarantine, Delete, BC delete, Terminate	2100	Internal Network Card Power Management Service	Copyright (C) 2005 Dell Inc.	??	372.00 kb, rsAh, created: 21.05.2006 18:03:39, modified: 11.11.2011 17:25:40 Command line: "C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe"
c:\windows\system32\nvsvc32.exe Script: Quarantine, Delete, BC delete, Terminate	2276	NVIDIA Driver Helper Service, Version 83.13	(C) NVIDIA Corporation. All rights reserved.	??	140.07 kb, rsAh, created: 21.05.2006 17:39:52, modified: 11.11.2011 17:25:41 Command line: C:\WINDOWS\system32\nvsvc32.exe
c:\program files\intel\wireless\bin\regsrvc.exe Script: Quarantine, Delete, BC delete, Terminate	2368	Intel(R) PROSet/Wireless Registry Service	Copyright (c) Intel Corporation 1999-2005	??	216.00 kb, rsAh, created: 28.12.2005 11:44:24, modified: 11.11.2011 17:25:43 Command line: "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe"
c:\program files\intel\wireless\bin\s24evmon.exe Script: Quarantine, Delete, BC delete, Terminate	1284	Wireless Management Service	Copyright (c) Intel Corporation 1999-2005	??	532.00 kb, rsAh, created: 28.12.2005 11:47:10, modified: 11.11.2011 17:24:13 Command line: "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe"
c:\program files\microsoft sql server\90\shared\sqlbrowser.exe Script: Quarantine, Delete, BC delete, Terminate	2776	SQL Browser Service EXE	© Microsoft Corp. All rights reserved.	??	233.34 kb, rsAh, created: 10.12.2010 19:29:30, modified: 11.11.2011 17:25:52 Command line: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
c:\program files\microsoft sql server\mssql\binn\sqlservr.exe Script: Quarantine, Delete, BC delete, Terminate	1608	SQL Server Windows NT	© 1988-2003 Microsoft Corp. All rights reserved.	??	7344.08 kb, rsAh, created: 17.12.2002 17:26:22, modified: 11.11.2011 17:25:37 Command line: "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe Script: Quarantine, Delete, BC delete, Terminate	976	SQL Server Windows NT	© Microsoft Corp. All rights reserved.	??	28606.84 kb, rsAh, created: 10.12.2010 19:29:30, modified: 11.11.2011 17:24:55 Command line: "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sETI
c:\program files\microsoft sql server\mssql$otp\binn\sqlservr.exe Script: Quarantine, Delete, BC delete, Terminate	1036	SQL Server Windows NT	© 1988-2004 Microsoft Corp. All rights reserved.	??	8944.00 kb, rsAh, created: 04.05.2005 01:04:28, modified: 11.11.2011 17:25:19 Command line: "C:\Program Files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlservr.exe" -sOTP
c:\program files\microsoft sql server\90\shared\sqlwriter.exe Script: Quarantine, Delete, BC delete, Terminate	2800	SQL Server VSS Writer	© Microsoft Corp. All rights reserved.	??	84.84 kb, rsAh, created: 10.12.2010 19:30:50, modified: 11.11.2011 17:25:54 Command line: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
c:\program files\vodafone\vodafone mobile connect\bin\vmcservice.exe Script: Quarantine, Delete, BC delete, Terminate	272	VMCService	Copyright © 2005-2009 Vodafone Group. All rights reserved.	??	10.50 kb, rsAh, created: 18.09.2009 19:48:28, modified: 11.11.2011 17:26:16 Command line: "C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe"
c:\program files\intel\wireless\bin\wlkeeper.exe Script: Quarantine, Delete, BC delete, Terminate	1316	WLANKEEPER	Copyright (c) Intel Corporation 1999-2005	??	256.07 kb, rsAh, created: 28.12.2005 12:04:56, modified: 11.11.2011 17:24:14 Command line: "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe"
Detected:61, recognized as trusted 43

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\0e4a2cdb\001b4b6f_571fcb01\mbSystemManager.DLL Script: Quarantine, Delete, BC delete	17170432	SystemManager	Copyright © 2007	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\1087cab2\0091e9f5_0a3acb01\MBProcFeeData.DLL Script: Quarantine, Delete, BC delete	119209984	MBProcFeeData	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\14981b07\002fd8c3_0a3acb01\MBEventLogManager.DLL Script: Quarantine, Delete, BC delete	113311744	EventLogManager	Copyright © 2007	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\1a6e6ad9\0048a0eb_f45fcb01\MBDocumentManager.DLL Script: Quarantine, Delete, BC delete	114753536	MBDocumentManager	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\1a9d2087\004ee984_1075cb01\MBLenderManager.DLL Script: Quarantine, Delete, BC delete	114098176	MBLenderManager	Copyright © 2008	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\21540dac\00791824_17accb01\MBScheme.DLL Script: Quarantine, Delete, BC delete	116129792	MBScheme	Copyright © 2008	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\29e0446b\00e5d320_0b3acb01\MBLenderPanelManager.DLL Script: Quarantine, Delete, BC delete	114032640	MBLenderPanelManager	Copyright © 2008	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\2a53c4a8\0094dbe6_f45fcb01\MBClientManager.DLL Script: Quarantine, Delete, BC delete	112852992	mbClientManager	© Mortgage Brain Ltd. All rights reserved	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\3d264949\00f1c3cf_0a3acb01\MBCompanyData.DLL Script: Quarantine, Delete, BC delete	118358016	MBCompanyData	Copyright © 2008	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\4d71d4fe\00ee196e_571fcb01\mbHost.DLL Script: Quarantine, Delete, BC delete	112656384	mbHost	Copyright © 20010	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\5105ae54\00790998_0b3acb01\mbIntegrationData.DLL Script: Quarantine, Delete, BC delete	121831424	mbIntegrationData	© Mortgage Brain Ltd. All rights reserved	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\52053979\000287c5_7b59cb01\MBKFIData.DLL Script: Quarantine, Delete, BC delete	118554624	MBKFIData	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\638a1b1b\002960ec_0a3acb01\MBLenderPanelData.DLL Script: Quarantine, Delete, BC delete	119078912	MBLenderPanelData	Copyright © 2010	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\6d6eb4e6\004d5d2a_0b3acb01\MBQuickCalculatorManager.DLL Script: Quarantine, Delete, BC delete	122028032	QuickCalculatorManager	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\78139e24\002fdf8a_1075cb01\mbMTEForms.DLL Script: Quarantine, Delete, BC delete	114229248	mbMTEForms	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\81fe7b6c\008145ca_b276cb01\MBCompanyManager.DLL Script: Quarantine, Delete, BC delete	115015680	MBCompanyManager	© Mortgage Brain Ltd. All rights reserved	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\a7d2e126\00d575c1_0a3acb01\mbGeneric.DLL Script: Quarantine, Delete, BC delete	54001664	mbGeneric	Copyright © 2007	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\a94a4ec5\005671f0_7b59cb01\MBSettingsManager.DLL Script: Quarantine, Delete, BC delete	119668736	MBSettingsManager	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\c7e46120\00a202ee_f45fcb01\MBKFIManager.DLL Script: Quarantine, Delete, BC delete	115539968	MBKFIManager	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\cea5eacc\00120522_0b3acb01\MBProcFeeManager.DLL Script: Quarantine, Delete, BC delete	114360320	MBProcFeeManager	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\dd6bfbf5\007f6c69_1ea1cb01\MBAuditManager.DLL Script: Quarantine, Delete, BC delete	114622464	MBAuditManager	© Mortgage Brain Ltd. All rights reserved	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\de46c531\003ddfcd_7b59cb01\MBSettingsData.DLL Script: Quarantine, Delete, BC delete	119537664	MBSettingsData	Copyright © 2009	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\f8553d7a\005316f0_6fa0cb01\mbIntegration.DLL Script: Quarantine, Delete, BC delete	121438208	mbIntegration	© Mortgage Brain Ltd. All rights reserved	--	2040
C:\Documents and Settings\NetworkService\Local Settings\Application Data\assembly\dl3\Y1M0X5PK.LRL\JT1B59VE.JDJ\fb87e9e7\00ad4c0b_aa97cb01\MBSchemeManager.DLL Script: Quarantine, Delete, BC delete	122421248	MBSchemeManager	Copyright © 2009	--	2040
C:\MBL\System\MBLAPPS.DLL Script: Quarantine, Delete, BC delete	130220032	ActiveX Dll	Mortgage Brain Ltd (2007)	--	2040
C:\Program Files\Common Files\Motive\McciContextDetectorEmail_DSR.dll Script: Quarantine, Delete, BC delete	1660944384	mcci+McciContextDetectorEmail	Copyright Є 1999-2009, Alcatel-Lucent	--	5208
C:\Program Files\Common Files\Motive\McciContextDetectorWin32_DSR.dll Script: Quarantine, Delete, BC delete	17891328	mcci+McciContextDetectorWin32	Copyright Є 1999-2009, Alcatel-Lucent	--	5208
C:\Program Files\Common Files\Motive\McciContextX.dll Script: Quarantine, Delete, BC delete	1650458624	mcci+McciContextX	Copyright Є 1999-2009, Alcatel-Lucent	--	5208
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\ContextMenuItem.dll Script: Quarantine, Delete, BC delete	20119552	ContextMenuItem Module	Copyright 2002	--	5528
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\VaultServer.dll Script: Quarantine, Delete, BC delete	20316160	VaultServer Dynamic Link Library	Copyright (C) 2004	--	5528
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WxEtsEula.dll Script: Quarantine, Delete, BC delete	20971520	WxEtsEula DLL	Copyright (C) 2004	--	5528
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\359fd69eb60e9844ffd497e92345178c\Microsoft.VisualBasic.ni.dll Script: Quarantine, Delete, BC delete	1581449216	Visual Basic Runtime Library	© Microsoft Corporation. All rights reserved.	--	2040
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll Script: Quarantine, Delete, BC delete	2061369344	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4888
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\01abbadafaf265d9f4ac9bbb247acb98\System.Windows.Forms.ni.dll Script: Quarantine, Delete, BC delete	2063400960	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4888
C:\WINDOWS\system32\biolsp.dll Script: Quarantine, Delete, BC delete	10027008	BioLsp Dynamic Link Library	Copyright © 2005 Wave Systems Corp.	--	556
C:\WINDOWS\system32\detoured.dll Script: Quarantine, Delete, BC delete	20905984			--	5528
C:\WINDOWS\system32\tcg15.dll Script: Quarantine, Delete, BC delete	268435456	tcgdll Dynamic Link Library	Copyright © 2004 Wave Systems Corp.	--	1076
C:\WINDOWS\system32\wclient14.dll Script: Quarantine, Delete, BC delete	3735552	Wave Client Class Library	Copyright © 2004 Wave Systems Corp.	--	1076
C:\WINDOWS\system32\wvauth.dll Script: Quarantine, Delete, BC delete	268435456	Authentication Package	Copyright © 2005 Wave Systems Corp.	--	556
C:\WINDOWS\system32\wxvault.dll Script: Quarantine, Delete, BC delete	27262976	wxvault Dynamic Link Library	Copyright (C) 2004	--	5528
Modules detected:655, recognized as trusted 615

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\DOCUME~1\richards\LOCALS~1\Temp\catchme.sys Script: Quarantine, Delete, BC delete	F7964000	008000 (32768)
C:\WINDOWS\system32\Drivers\CVPNDRVA.sys Script: Quarantine, Delete, BC delete	A9800000	07B000 (503808)	Cisco Systems VPN Client IPSec Driver	Copyright © 1998-2003 Cisco Systems, Inc.
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, BC delete	F7AA6000	002000 (8192)
C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Script: Quarantine, Delete, BC delete	F7AF2000	002000 (8192)
spgg.sys Script: Quarantine, Delete, BC delete	F7383000	100000 (1048576)
Modules detected - 155, recognized as trusted - 150

Services

Service	Description	Status	File	Group	Dependencies
ACDaemon Service: Stop, Delete, Disable, BC delete	ArcSoft Connect Daemon	Running	C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe Script: Quarantine, Delete, BC delete
CVPND Service: Stop, Delete, Disable, BC delete	Cisco Systems, Inc. VPN Service	Running	C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe Script: Quarantine, Delete, BC delete		Tcpip
DataSvr2 Service: Stop, Delete, Disable, BC delete	DataSvr2	Running	C:\Program Files\Wave Systems Corp\Common\DataServer.exe Script: Quarantine, Delete, BC delete		RPCSS
EvtEng Service: Stop, Delete, Disable, BC delete	Intel(R) PROSet/Wireless Event Log	Running	C:\Program Files\Intel\Wireless\Bin\EvtEng.exe Script: Quarantine, Delete, BC delete		RPCSS
MBServiceHost Service: Stop, Delete, Disable, BC delete	MB Service Host	Running	C:\MBL\MBrain\Software\Mortgage Brain Framework 1.0\bin\mbServiceHost.exe Script: Quarantine, Delete, BC delete
McciCMService Service: Stop, Delete, Disable, BC delete	McciCMService	Running	C:\Program Files\Common Files\Motive\McciCMService.exe Script: Quarantine, Delete, BC delete		RPCSS
MSSQL$ETI Service: Stop, Delete, Disable, BC delete	SQL Server (ETI)	Running	C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe Script: Quarantine, Delete, BC delete
MSSQL$OTP Service: Stop, Delete, Disable, BC delete	MSSQL$OTP	Running	C:\Program Files\Microsoft SQL Server\MSSQL$OTP\Binn\sqlservr.exe Script: Quarantine, Delete, BC delete
MSSQLSERVER Service: Stop, Delete, Disable, BC delete	MSSQLSERVER	Running	C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe Script: Quarantine, Delete, BC delete
NICCONFIGSVC Service: Stop, Delete, Disable, BC delete	NICCONFIGSVC	Running	C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe Script: Quarantine, Delete, BC delete
NVSvc Service: Stop, Delete, Disable, BC delete	NVIDIA Display Driver Service	Running	C:\WINDOWS\system32\nvsvc32.exe Script: Quarantine, Delete, BC delete
RegSrvc Service: Stop, Delete, Disable, BC delete	Intel(R) PROSet/Wireless Registry Service	Running	C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe Script: Quarantine, Delete, BC delete		RPCSS
S24EventMonitor Service: Stop, Delete, Disable, BC delete	Intel(R) PROSet/Wireless Service	Running	C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe Script: Quarantine, Delete, BC delete	PNP_TDI	s24trans
SQLBrowser Service: Stop, Delete, Disable, BC delete	SQL Server Browser	Running	C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe Script: Quarantine, Delete, BC delete
SQLWriter Service: Stop, Delete, Disable, BC delete	SQL Server VSS Writer	Running	C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe Script: Quarantine, Delete, BC delete
VMCService Service: Stop, Delete, Disable, BC delete	Vodafone Mobile Connect Service	Running	C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe Script: Quarantine, Delete, BC delete		winmgmt
WLANKEEPER Service: Stop, Delete, Disable, BC delete	Intel(R) PROSet/Wireless SSO Service	Running	C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe Script: Quarantine, Delete, BC delete	PNP_TDI	S24EventMonitor
Canon Driver Information Assist Service Service: Stop, Delete, Disable, BC delete	Canon Driver Information Assist Service	Not started	C:\Program Files\Canon\DIAS\CnxDIAS.exe Script: Quarantine, Delete, BC delete		Spooler
MSCamSvc Service: Stop, Delete, Disable, BC delete	MSCamSvc	Not started	C:\Program Files\Microsoft LifeCam\MSCamS32.exe Script: Quarantine, Delete, BC delete		RPCSS
tcsd_win32.exe Service: Stop, Delete, Disable, BC delete	NTRU Hybrid TSS v2.0.7 TCS	Not started	C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe Script: Quarantine, Delete, BC delete
Detected - 154, recognized as trusted - 134

Drivers

Service	Description	Status	File	Group	Dependencies
catchme Driver: Unload, Delete, Disable, BC delete	catchme	Running	C:\DOCUME~1\richards\LOCALS~1\Temp\catchme.sys Script: Quarantine, Delete, BC delete	Base
CVPNDRVA Driver: Unload, Delete, Disable, BC delete	Cisco Systems IPsec Driver	Running	C:\WINDOWS\system32\Drivers\CVPNDRVA.sys Script: Quarantine, Delete, BC delete		DNE
sptd Driver: Unload, Delete, Disable, BC delete	sptd	Running	C:\WINDOWS\System32\Drivers\sptd.sys Script: Quarantine, Delete, BC delete	Boot Bus Extender
Abiosdsk Driver: Unload, Delete, Disable, BC delete	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
Atdisk Driver: Unload, Delete, Disable, BC delete	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
Changer Driver: Unload, Delete, Disable, BC delete	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
lbrtfdc Driver: Unload, Delete, Disable, BC delete	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
MREMPR5 Driver: Unload, Delete, Disable, BC delete	MREMPR5 NDIS Protocol Driver	Not started	C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
MRENDIS5 Driver: Unload, Delete, Disable, BC delete	MRENDIS5 NDIS Protocol Driver	Not started	C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS Script: Quarantine, Delete, BC delete	PNP_TDI
NokiaSuite3 Driver: Unload, Delete, Disable, BC delete	NokiaSuite3	Not started	C:\WINDOWS\system32\Drivers\NokiaSuite3.sys Script: Quarantine, Delete, BC delete	Extended base
PCIDump Driver: Unload, Delete, Disable, BC delete	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable, BC delete	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, BC delete
PDFRAME Driver: Unload, Delete, Disable, BC delete	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, BC delete
PDRELI Driver: Unload, Delete, Disable, BC delete	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, BC delete
PDRFRAME Driver: Unload, Delete, Disable, BC delete	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, BC delete
Simbad Driver: Unload, Delete, Disable, BC delete	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
tfju17xkb.sys Driver: Unload, Delete, Disable, BC delete	tfju17xkb.sys	Not started	C:\WINDOWS\system32\drivers\tfju17xkb.sys Script: Quarantine, Delete, BC delete
WDICA Driver: Unload, Delete, Disable, BC delete	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, BC delete
Detected - 246, recognized as trusted - 228

Autoruns

File name	Status	Startup method	Description
C:\Documents and Settings\richards\Local Settings\temp\_uninst_44341505.bat Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\richards\Start Menu\Programs\Startup\, C:\Documents and Settings\richards\Start Menu\Programs\Startup\_uninst_44341505.lnk,
C:\Documents and Settings\richards\My Documents\Develop Database\client 2011.mdb Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\richards\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\richards\Application Data\Microsoft\Internet Explorer\Quick Launch\Client new.mdb.lnk,
C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\SQLAGENT.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SQLAgent$ABBEYIIOFFLINE, EventMessageFile
C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, btbb_McciTrayApp Delete
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\CVPND, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cfwids.sys, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfeapfk.sys, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfeavfk.sys, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfebopk.sys, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfefirek.sys, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfendisk.sys, EventMessageFile
C:\Program Files\Common Files\McAfee\SystemCore\ Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mferkdet.sys, EventMessageFile
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WLANKEEPER, EventMessageFile
C:\Program Files\Iomega\Iomegaware\IMGMENU.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {c7745760-8ead-11ce-b750-02608ca5202c} Delete
C:\Program Files\Iomega\Iomegaware\Imgprop.Dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {c7745761-8ead-11ce-b750-02608ca5202c} Delete
C:\Program Files\Windows Media Player\WMPNetwk.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WMPNetworkSvc, EventMessageFile
C:\WINDOWS\System32\Drivers\NokiaSuite3.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Ncds, EventMessageFile
C:\WINDOWS\System32\Drivers\lbrtfdc.sys Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
C:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\AegisE5.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\AegisP, EventMessageFile
C:\WINDOWS\system32\EventLogger.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\FocusErrorSubsystem, EventMessageFile
C:\WINDOWS\system32\KB905474\wgasetup.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup, EventMessageFile
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\ZipToA.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ZipToA, EventMessageFile
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
C:\WINDOWS\system32\tcgcsp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG Enabled CSP, Image Path Delete
C:\WINDOWS\system32\tcgcsp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Wave TCG Enabled SChannel CSP, Image Path Delete
C:\WINDOWS\system32\twext.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {596AB062-B4D2-4215-9F74-E9109B0A8153} Delete
C:\WINDOWS\system32\twext.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {9DB7A13C-F208-4981-8353-73CC61AE2783} Delete
C:\WINDOWS\system32\wvauth.dll Script: Quarantine, Delete, BC delete	--	?	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Lsa, Authentication Packages
SDEvents.dll Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
\\Servant\Private\LFSSYSTEM\AutoFEUpdaterV2.13\StartMDB.exe Script: Quarantine, Delete, BC delete	Active	Shortcut in Autoruns folder	C:\Documents and Settings\richards\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\richards\Application Data\Microsoft\Internet Explorer\Quick Launch\LFSSystem.lnk,
c:\Program Files\Halifax GI - Intermediaries\Halifax GI - Intermediaries.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Halifax GI - Intermediaries Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_USERS, S-1-5-21-3533930121-66260186-3188412238-1135\Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items detected - 990, recognized as trusted - 938

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
c:\progra~1\mcafee\msk\mskapbho.dll Script: Quarantine, Delete, BC delete	BHO			{27B4851A-3207-45A2-B947-BE8AFE6163AB} Delete
Elements detected - 13, recognized as trusted - 12

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
C:\WINDOWS\system32\twext.dll Script: Quarantine, Delete, BC delete	Previous Versions Property Page			{596AB062-B4D2-4215-9F74-E9109B0A8153} Delete
C:\WINDOWS\system32\twext.dll Script: Quarantine, Delete, BC delete	Previous Versions			{9DB7A13C-F208-4981-8353-73CC61AE2783} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
C:\Program Files\Iomega\Iomegaware\IMGMENU.dll Script: Quarantine, Delete, BC delete	IomegaWare for Windows NT	IMGMENU	Copyright © 1999 Iomega Corporation All language version	{c7745760-8ead-11ce-b750-02608ca5202c} Delete
C:\Program Files\Iomega\Iomegaware\Imgprop.Dll Script: Quarantine, Delete, BC delete	IomegaWare for Windows NT	IMGPROP	Copyright © 1999 Iomega Corporation, All language version	{c7745761-8ead-11ce-b750-02608ca5202c} Delete
	Microsoft Browser Architecture			{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} Delete
	IE User Assist			{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} Delete
Elements detected - 222, recognized as trusted - 211

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Elements detected - 17, recognized as trusted - 17

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 6, recognized as trusted - 6

SPI/LSP settings

Namespace providers (NSP)

Provider	Status	EXE file	Description	GUID
Detected - 6, recognized as trusted - 6

Transport protocol providers (TSP, LSP)

Provider EXE file Description
Detected - 54, recognized as trusted - 54
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
7 LISTENING 0.0.0.0 24738 [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
9 LISTENING 0.0.0.0 24712 [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
13 LISTENING 0.0.0.0 37024 [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
17 LISTENING 0.0.0.0 22572 [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
19 LISTENING 0.0.0.0 24678 [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
135 LISTENING 0.0.0.0 49171 [860] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 39118 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 6396 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1028 ESTABLISHED 127.0.0.1 5354 [1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1036 LISTENING 0.0.0.0 4266 [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
1041 LISTENING 0.0.0.0 2096 [2496] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
1801 LISTENING 0.0.0.0 4330 [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
2103 LISTENING 0.0.0.0 32797 [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
2105 LISTENING 0.0.0.0 49238 [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
2107 LISTENING 0.0.0.0 6227 [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
3390 LISTENING 0.0.0.0 38974 [1036] c:\program files\microsoft sql server\mssql$otp\binn\sqlservr.exe
Script: Quarantine, Delete, BC delete, Terminate
3969 TIME_WAIT 192.168.1.65 6646 [0]
3986 TIME_WAIT 192.168.1.65 6646 [0]
5354 ESTABLISHED 127.0.0.1 1028 [1844] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
5354 LISTENING 0.0.0.0 6197 [1844] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
6646 LISTENING 0.0.0.0 2272 [252] c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe
Script: Quarantine, Delete, BC delete, Terminate
8001 LISTENING 0.0.0.0 39070 [2040] c:\mbl\mbrain\software\mortgage brain framework 1.0\bin\mbservicehost.exe
Script: Quarantine, Delete, BC delete, Terminate
8090 LISTENING 0.0.0.0 2128 [2040] c:\mbl\mbrain\software\mortgage brain framework 1.0\bin\mbservicehost.exe
Script: Quarantine, Delete, BC delete, Terminate
27015 LISTENING 0.0.0.0 37011 [1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
7 LISTENING -- -- [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
9 LISTENING -- -- [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
13 LISTENING -- -- [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
17 LISTENING -- -- [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
19 LISTENING -- -- [2580] c:\windows\system32\tcpsvcs.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
161 LISTENING -- -- [2752] c:\windows\system32\snmp.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [556] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING -- -- [1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1026 LISTENING -- -- [1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, BC delete, Terminate
1027 LISTENING -- -- [1844] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
1035 LISTENING -- -- [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
1434 LISTENING -- -- [2776] c:\program files\microsoft sql server\90\shared\sqlbrowser.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1672] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1672] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
2348 LISTENING -- -- [5664] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
3527 LISTENING -- -- [3872] c:\windows\system32\mqsvc.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [556] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
5353 LISTENING -- -- [1844] c:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, BC delete, Terminate
6646 LISTENING -- -- [252] c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe
Script: Quarantine, Delete, BC delete, Terminate
62515 LISTENING -- -- [920] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, BC delete, Terminate
62517 LISTENING -- -- [920] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, BC delete, Terminate
62519 LISTENING -- -- [920] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, BC delete, Terminate
62521 LISTENING -- -- [920] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, BC delete, Terminate
62523 LISTENING -- -- [920] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, BC delete, Terminate
62524 LISTENING -- -- [920] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Delete
Elements detected - 1, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 32, recognized as trusted - 32

Active Setup

File name Description Manufacturer CLSID
Elements detected - 16, recognized as trusted - 16

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 37, recognized as trusted - 34

Suspicious objects

File Description Type
C:\WINDOWS\system32\DRIVERS\0077467drv.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
mfehidk.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
\SystemRoot\system32\DRIVERS\0077467drv.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B00010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00B00080<>7C80B56F
IAT modification detected: FreeLibrary - 00B000F0<>7C80AC7E
IAT modification detected: GetModuleFileNameW - 00B00160<>7C80B475
IAT modification detected: CreateProcessW - 00B001D0<>7C802336
IAT modification detected: LoadLibraryW - 00B002B0<>7C80AEEB
IAT modification detected: LoadLibraryA - 00B00320<>7C801D7B
IAT modification detected: GetProcAddress - 00B00390<>7C80AE40
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=085700)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 8055C700
   KiST = 80504494 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (805EC336->A5B57690), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (19) intercepted (805BC538->A5B57F94), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (1F) intercepted (805A45D8->A5B58DC8), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (23) intercepted (8060EE4C->A5B59312), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (25) intercepted (805790A2->A5B58270), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (80623FD6->A5B56500), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (2B) intercepted (8061758E->A5B591F8), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (2C) intercepted (805790DC->A5B5727E), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (2E) intercepted (805A50F4->A5B590CC), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (32) intercepted (805AB3D0->A5B57426), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (33) intercepted (80614F4C->A5B59432), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (805D1038->A5B57C1C), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (38) intercepted (805A5118->A5B59162), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (39) intercepted (80643A1C->A5B5AB1A), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (80624472->A5B56B0A), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) - machine code modification Method of JmpTo. jmp F724F2BEmfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtDeleteValueKey (41) intercepted (80624642->A5B56EBE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) - machine code modification Method of JmpTo. jmp F724F2EAmfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtDeviceIoControlFile (42) intercepted (80579268->A5B586F2), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805BE010->A5B5BD26), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (80624822->A5B5700A), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (80624A8C->A5B570A2), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (54) intercepted (8057929C->A5B58500), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (80584172->A5B5AC0C), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey (62) intercepted (806261FA->A5B564DC), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey2 (63) intercepted (80625E06->A5B564EE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (6C) intercepted (805B2042->A5B5B374), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (6C) - machine code modification Method of JmpTo. jmp F724F340mfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtNotifyChangeKey (6F) intercepted (806261C4->A5B571CE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (72) intercepted (8060EF4C->A5B593A8), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (8057A1A0->A5B58016), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (806253B4->A5B566C0), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (78) intercepted (80617666->A5B59288), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805CB456->A5B578CC), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) - machine code modification Method of JmpTo. jmp F724F268mfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtOpenSection (7D) intercepted (805AA3F4->A5B5B10E), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (7E) intercepted (80615046->A5B594C8), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (805CB6E2->A5B577BE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) - machine code modification Method of JmpTo. jmp F724F27Cmfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtQueryKey (A0) intercepted (806256F6->A5B5713A), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryMultipleValueKey (A1) intercepted (80623124->A5B56D72), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (A7) intercepted (805B85E8->A5B5B6AE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (806221FA->A5B5699C), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (B4) intercepted (805D2756->A5B5AFA0), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRenameKey (C0) intercepted (806239F8->A5B56C2C), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRenameKey (C0) - machine code modification Method of JmpTo. jmp F724F2D4mfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtReplaceKey (C1) intercepted (806260AA->A5B55F16), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (C2) intercepted (805A54F4->A5B5982C), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (C3) intercepted (805A64BC->A5B596F2), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (C8) intercepted (805A2D7E->A5B5A8B4), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (806259B6->A5B5628E), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (CE) intercepted (805D4A18->A5B5BBC8), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (CF) intercepted (80625AB2->A5B55EAE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (D2) intercepted (805A3D6C->A5B58B0E), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (D5) intercepted (805D2C1A->A5B57E38), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (E6) intercepted (805FA686->A5B5A154), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (ED) intercepted (805C0636->A5B5ADAA), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (ED) - machine code modification Method of JmpTo. jmp F724F316mfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtSetSystemInformation (F0) intercepted (8060FC04->A5B5B7FE), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80622548->A5B56816), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (FD) intercepted (805D4AE0->A5B5B8F0), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (FE) intercepted (805D4952->A5B5BA2A), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (FF) intercepted (80617FAA->A5B5AA3E), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805D22D8->A5B57A68), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) - machine code modification Method of JmpTo. jmp F724F36Amfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtTerminateThread (102) intercepted (805D24D2->A5B579C8), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (10B) intercepted (805B2E50->A5B5B552), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (10B) - machine code modification Method of JmpTo. jmp F724F356mfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function NtWriteVirtualMemory (115) intercepted (805B43D4->A5B57B52), hook C:\WINDOWS\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtYieldExecution (116) - machine code modification Method of JmpTo. jmp F724F32Amfehidk.sys, driver recognized as trusted
>>> Function restored successfully !
Function FsRtlCheckLockForReadAccess (804EAF84) - machine code modification Method of JmpTo. jmp A5B49FD0 \SystemRoot\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804EF92C) - machine code modification Method of JmpTo. jmp A5B4A3AC \SystemRoot\system32\DRIVERS\0077467drv.sys, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 60, restored: 72
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Analysis for CPU 2
CmpCallCallBacks = 00093D84
Disable callback OK
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 87D631F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 87D631F8 -> hook not defined
 Checking - complete
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
 >>  Disable HDD autorun
 >>  Disable autorun from network drives
 >>  Disable CD/DVD autorun
 >>  Disable removable media autorun
 >>  [?? - AVZ1789]
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
7	LISTENING	0.0.0.0	24738	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
9	LISTENING	0.0.0.0	24712	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
13	LISTENING	0.0.0.0	37024	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
17	LISTENING	0.0.0.0	22572	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
19	LISTENING	0.0.0.0	24678	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
135	LISTENING	0.0.0.0	49171	[860] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	39118	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	6396	[4] System Script: Quarantine, Delete, BC delete, Terminate
1028	ESTABLISHED	127.0.0.1	5354	[1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1036	LISTENING	0.0.0.0	4266	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
1041	LISTENING	0.0.0.0	2096	[2496] c:\windows\system32\alg.exe Script: Quarantine, Delete, BC delete, Terminate
1801	LISTENING	0.0.0.0	4330	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
2103	LISTENING	0.0.0.0	32797	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
2105	LISTENING	0.0.0.0	49238	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
2107	LISTENING	0.0.0.0	6227	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
3390	LISTENING	0.0.0.0	38974	[1036] c:\program files\microsoft sql server\mssql$otp\binn\sqlservr.exe Script: Quarantine, Delete, BC delete, Terminate
3969	TIME_WAIT	192.168.1.65	6646	[0]
3986	TIME_WAIT	192.168.1.65	6646	[0]
5354	ESTABLISHED	127.0.0.1	1028	[1844] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
5354	LISTENING	0.0.0.0	6197	[1844] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
6646	LISTENING	0.0.0.0	2272	[252] c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe Script: Quarantine, Delete, BC delete, Terminate
8001	LISTENING	0.0.0.0	39070	[2040] c:\mbl\mbrain\software\mortgage brain framework 1.0\bin\mbservicehost.exe Script: Quarantine, Delete, BC delete, Terminate
8090	LISTENING	0.0.0.0	2128	[2040] c:\mbl\mbrain\software\mortgage brain framework 1.0\bin\mbservicehost.exe Script: Quarantine, Delete, BC delete, Terminate
27015	LISTENING	0.0.0.0	37011	[1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
7	LISTENING	--	--	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
9	LISTENING	--	--	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
13	LISTENING	--	--	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
17	LISTENING	--	--	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
19	LISTENING	--	--	[2580] c:\windows\system32\tcpsvcs.exe Script: Quarantine, Delete, BC delete, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
161	LISTENING	--	--	[2752] c:\windows\system32\snmp.exe Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[556] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
1025	LISTENING	--	--	[1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1026	LISTENING	--	--	[1824] c:\program files\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, BC delete, Terminate
1027	LISTENING	--	--	[1844] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
1035	LISTENING	--	--	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
1434	LISTENING	--	--	[2776] c:\program files\microsoft sql server\90\shared\sqlbrowser.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1672] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1672] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
2348	LISTENING	--	--	[5664] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
3527	LISTENING	--	--	[3872] c:\windows\system32\mqsvc.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[556] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
5353	LISTENING	--	--	[1844] c:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, BC delete, Terminate
6646	LISTENING	--	--	[252] c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe Script: Quarantine, Delete, BC delete, Terminate
62515	LISTENING	--	--	[920] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate
62517	LISTENING	--	--	[920] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate
62519	LISTENING	--	--	[920] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate
62521	LISTENING	--	--	[920] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate
62523	LISTENING	--	--	[920] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate
62524	LISTENING	--	--	[920] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, BC delete, Terminate