Results of system analysis
AVZ 4.30
http://z-oleg.com/secur/avz/
List of processes
File name PID Description Copyright MD5 Information
c:\progra~1\avg\avg8\avgemc.exe
2004 AVG E-Mail Scanner Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 881.27 kb, rsAh,
created: 4/27/2008 10:16:44 PM,
modified: 4/27/2008 10:16:45 PM
Command line: C:\PROGRA~1\AVG\AVG8\avgemc.exe
c:\progra~1\avg\avg8\avgrsx.exe
716 AVG Resident Shield Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 304.27 kb, rsAh,
created: 4/27/2008 10:17:07 PM,
modified: 4/27/2008 10:17:08 PM
Command line: avgrsx.exe
c:\progra~1\avg\avg8\avgtray.exe
648 AVG Tray Monitor Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 1149.77 kb, rsAh,
created: 4/27/2008 10:16:50 PM,
modified: 4/27/2008 10:16:51 PM
Command line: "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
c:\progra~1\avg\avg8\avgwdsvc.exe
504 AVG Watchdog Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 276.27 kb, rsAh,
created: 4/27/2008 10:16:42 PM,
modified: 4/27/2008 10:16:42 PM
Command line: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\windows\system32\drivers\dcfssvc.exe
580 Kodak DC Ring 3 Conduit (Win32) Copyright © Eastman Kodak Co. 2000 ?? 73.56 kb, rsAh,
created: 2/25/2008 8:02:47 PM,
modified: 5/18/2000 3:00:12 PM
Command line: C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
c:\windows\explorer.exe
204 Windows Explorer © Microsoft Corporation. All rights reserved. ?? 1009.00 kb, rsAh,
created: 8/4/2004 6:56:50 AM,
modified: 6/13/2007 6:23:07 PM
Command line: C:\WINDOWS\Explorer.EXE
c:\program files\mozilla firefox\firefox.exe
3840 Firefox Mozilla Corporation ?? 7481.11 kb, rsAh,
created: 6/20/2007 7:27:52 PM,
modified: 4/17/2008 4:29:34 PM
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
c:\windows\system32\qconsvc.exe
768 IBM Access Connections - Service Component. Copyright © IBM Corp. 2001, 2005 ?? 76.00 kb, rsAh,
created: 6/20/2007 5:51:55 PM,
modified: 3/18/2005 3:07:00 AM
Command line: System32\QCONSVC.EXE
c:\windows\system32\rundll32.exe
524 Run a DLL as an App © Microsoft Corporation. All rights reserved. ?? 32.50 kb, rsAh,
created: 8/4/2004 6:56:56 AM,
modified: 8/4/2004 6:56:56 AM
Command line: "C:\WINDOWS\system32\RunDll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
c:\documents and settings\ruberc\application data\smilebox\smileboxtray.exe
856 Smilebox Tray © 2007 Smilebox, Inc. All Rights Reserved. ?? 196.63 kb, rsAh,
created: 4/30/2008 1:44:40 PM,
modified: 5/1/2008 4:44:40 AM
Command line: "C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe"
c:\windows\system32\tpkmpsvc.exe
1312 ?? 32.00 kb, rsAh,
created: 6/20/2007 5:44:12 PM,
modified: 7/11/2003 6:19:22 PM
Command line: C:\WINDOWS\system32\TpKmpSVC.exe
c:\windows\system32\winlogon.exe
828 Windows NT Logon Application © Microsoft Corporation. All rights reserved. ?? 490.50 kb, rsAh,
created: 8/4/2004 6:56:58 AM,
modified: 8/4/2004 6:56:58 AM
Command line: winlogon.exe
c:\program files\microsoft office\office11\winword.exe
2288 Microsoft Office Word Copyright © 1983-2003 Microsoft Corporation. All rights reserved. ?? 11755.55 kb, rsAh,
created: 8/6/2003 1:24:20 PM,
modified: 8/6/2003 1:24:20 PM
Command line: "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde
c:\progra~1\yahoo!\messen~1\ymsgr_tray.exe
176 Yahoo! Messenger Tray © 1998-2007 Yahoo! Inc. All rights reserved. ?? 101.23 kb, rsAh,
created: 3/27/2008 11:37:56 AM,
modified: 8/30/2007 5:43:18 PM
Command line: "C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe" -ymsgr
Detected - 33, recognized as trusted - 23
Module name Handle Description Copyright MD5 Used by processes
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
4194304 Smilebox Tray © 2007 Smilebox, Inc. All Rights Reserved. ?? 856
C:\Program Files\Adobe\Reader 8.0\Reader\viewerps.dll
18743296 Acrobat Viewer ProxyStub Library Adobe Systems, Inc. Copyright © 2007 -- 204
C:\Program Files\AVG\AVG8\avgabout.dll
12779520 AVG About Box Library Copyright © 2008 AVG Technologies CZ, s.r.o. -- 648
C:\Program Files\AVG\AVG8\avgcfgx.dll
13434880 AVG Configuration Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004, 648, 3840, 2288
C:\Program Files\AVG\AVG8\avgcorex.dll
19333120 AVG Scanning Core Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avgcrlpx.dll
24838144 AVG Core RLP Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avglngx.dll
14221312 AVG Language Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004, 648, 3840, 2288
C:\Program Files\AVG\AVG8\avglogx.dll
268435456 AVG Logging Library Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004, 716, 648, 504, 3840, 2288
C:\Program Files\AVG\AVG8\avgoff2k.dll
1645740032 Office 2000+ anti-virus extension Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avgscanx.dll
18874368 AVG Scanning Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2288
C:\Program Files\AVG\AVG8\avgsrmx.dll
16384000 AVG Scan Result Manager Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 648
C:\Program Files\AVG\AVG8\avgvvx.dll
16973824 AVG Virus Vault Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 648
C:\Program Files\AVG\AVG8\avgxpl.dll
53215232 LinkScanner SDK Copyright © 2008 AVG Technologies CZ, s.r.o. -- 3840
C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll
49414144 Safe Search for Firefox Copyright © 2008 AVG Technologies CZ, s.r.o. -- 3840
C:\Program Files\Microsoft Office\OFFICE11\1033\srintl.dll
1040187392 Microsoft Office component Copyright © 2001-2003 Microsoft Corporation. All rights reserved. -- 2288
C:\Program Files\Mozilla Firefox\components\jar50.dll
1610678272 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\components\myspell.dll
1610874880 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\components\spellchk.dll
1610940416 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\FULLSOFT.DLL
25886720 Talkback Library © Copyright 1997-1999 Full Circle Software, Inc. All Rights Reserved. -- 3840
C:\Program Files\Mozilla Firefox\extensions\[email protected]\components\qfaservices.dll
268435456 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\firefox.exe
4194304 Firefox Mozilla Corporation ?? 3840
C:\Program Files\Mozilla Firefox\freebl3.dll
1611202560 NSS freebl Library -- 3840
C:\Program Files\Mozilla Firefox\js3250.dll
1611464704 Netscape 32-bit JavaScript Module Copyright Netscape Communications. 1994-96 -- 3840
C:\Program Files\Mozilla Firefox\nspr4.dll
1612316672 NSPR Library Copyright © 1996-2000 Netscape Communications Corporation -- 3840
C:\Program Files\Mozilla Firefox\nss3.dll
1612513280 NSS Base Library -- 3840
C:\Program Files\Mozilla Firefox\nssckbi.dll
1612906496 NSS Builtin Trusted Root CAs -- 3840
C:\Program Files\Mozilla Firefox\plc4.dll
1613234176 PLC Library Copyright © 1996-2000 Netscape Communications Corporation -- 3840
C:\Program Files\Mozilla Firefox\plds4.dll
1613299712 PLDS Library Copyright © 1996-2000 Netscape Communications Corporation -- 3840
C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
805306368 -- 3840
C:\Program Files\Mozilla Firefox\smime3.dll
1613430784 NSS S/MIME Library -- 3840
C:\Program Files\Mozilla Firefox\softokn3.dll
1613561856 NSS PKCS #11 Library -- 3840
C:\Program Files\Mozilla Firefox\ssl3.dll
1613824000 NSS SSL Library -- 3840
C:\Program Files\Mozilla Firefox\xpcom.dll
1613955072 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\xpcom_compat.dll
1614020608 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Mozilla Firefox\xpcom_core.dll
1614151680 License: MPL 1.1/GPL 2.0/LGPL 2.1 -- 3840
C:\Program Files\Yahoo!\Shared\YbSkin2.dll
1667235840 Yahoo! Skinning Object © Yahoo! Inc. All rights reserved. -- 176
C:\PROGRA~1\AVG\AVG8\avgcfgx.dll
10682368 AVG Configuration Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgcorex.dll
4521984 AVG Scanning Core Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 716
C:\PROGRA~1\AVG\AVG8\avgcrlpx.dll
60227584 AVG Core RLP Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 716
C:\PROGRA~1\AVG\AVG8\avgemc.exe
4194304 AVG E-Mail Scanner Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 2004
C:\PROGRA~1\AVG\AVG8\avglngx.dll
28311552 AVG Language Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
4194304 AVG Resident Shield Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 716
C:\PROGRA~1\AVG\AVG8\avgsched.dll
27459584 AVG Scheduler Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgtray.exe
4194304 AVG Tray Monitor Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 648
C:\PROGRA~1\AVG\AVG8\avgwd.dll
7602176 AVG Watchdog Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
4194304 AVG Watchdog Service Copyright © 2008 AVG Technologies CZ, s.r.o. ?? 504
C:\PROGRA~1\AVG\AVG8\avgwdwsc.dll
27918336 AVG Windows Security Center Module Copyright © 2008 AVG Technologies CZ, s.r.o. -- 504
C:\PROGRA~1\AVG\AVG8\libsasl.dll
1646264320 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\saslcrammd5.dll
1646460928 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\sasldigestmd5.dll
1646526464 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\sasllogin.dll
1646395392 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\AVG\AVG8\saslplain.dll
1646329856 Cyrus SASL API implementation Copyright © 2008 AVG Technologies CZ, s.r.o. -- 2004
C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll
268435456 IBM ThinkPad Battery MaxiMiser Gauge Copyright © IBM Corp. 2000,2005. -- 204, 524
C:\PROGRA~1\ThinkPad\UTILIT~1\tppwrw32.dll
10158080 IBM ThinkPad Power Management DLL for Win32 Copyright © IBM Corp. 1997,2005. -- 524
C:\PROGRA~1\Yahoo!\MESSEN~1\res_msgr.dll
1694498816 Resource Module © 1998-2007 Yahoo! Inc. All rights reserved. -- 176
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
4194304 Yahoo! Messenger Tray © 1998-2007 Yahoo! Inc. All rights reserved. ?? 176
C:\WINDOWS\system32\avgrsstx.dll
268435456 AVG Resident Shield Starter Copyright © 2008 AVG Technologies CZ, s.r.o. -- 828
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
65536 Kodak DC Ring 3 Conduit (Win32) Copyright © Eastman Kodak Co. 2000 ?? 580
C:\WINDOWS\system32\Macromed\Common\SwSupport.dll
1761607680 Director Support Copyright © 1985-2006 Adobe Systems, Inc. -- 3840
C:\WINDOWS\System32\QCONSVC.EXE
4194304 IBM Access Connections - Service Component. Copyright © IBM Corp. 2001, 2005 ?? 768
C:\WINDOWS\system32\tphklock.dll
18481152 -- 828
C:\WINDOWS\system32\TpKmpSVC.exe
4194304 ?? 1312
Modules detected - 342, recognized as trusted - 280
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\WINDOWS\System32\drivers\ANC.SYS
F7BF1000 003000 (12288) IBM Access Connections - ANC Copyright © IBM Corp. 2003, 2004
C:\WINDOWS\System32\Drivers\avgldx86.sys
EF808000 016000 (90112) AVG AVI Loader Driver Copyright © 2008 AVG Technologies CZ, s.r.o.
C:\WINDOWS\System32\Drivers\avgmfx86.sys
F891B000 005000 (20480) AVG Resident Shield Minifilter Driver Copyright © 2008 GRISOFT, s.r.o.
C:\WINDOWS\System32\Drivers\avgtdix.sys
EF158000 011000 (69632) AVG Network connection watcher Copyright © 2008 AVG Technologies CZ, s.r.o.
C:\WINDOWS\system32\DRIVERS\DcCam.sys
F88E3000 008000 (32768) Kodak Digital Camera Driver Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\system32\DRIVERS\DCFS2k.sys
F8693000 009000 (36864) Kodak DC File System Driver (NT) Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\system32\DRIVERS\DcLps.sys
F8A7B000 002000 (8192) Kodak Digital Camera LPS Driver Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\System32\Drivers\dump_atapi.sys
EF7F0000 018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
F8A79000 002000 (8192)
C:\WINDOWS\system32\DRIVERS\EXPORTIT.SYS
EF9F6000 01D000 (118784) Kodak DC File System driver Copyright © Eastman Kodak Co. 2000
C:\WINDOWS\System32\drivers\IBMBLDID.SYS
F8B52000 001000 (4096)
C:\WINDOWS\System32\Drivers\TPHKDRV.SYS
F89EF000 004000 (16384) ThinkPad Hotkey Driver Copyright © 1999,2002, IBM Corporation
C:\WINDOWS\System32\drivers\Tppwr.sys
F890B000 008000 (32768) IBM ThinkPad Power Management Device Driver Copyright © IBM Corp. 1997,2005.
C:\WINDOWS\System32\drivers\TSMAPIP.SYS
F8903000 006000 (24576)
Modules detected - 133, recognized as trusted - 119
Services
Service Description Status File Group Dependencies
avg8emc
AVG8 E-mail Scanner Running C:\PROGRA~1\AVG\AVG8\avgemc.exe RPCSS
avg8wd
AVG8 WatchDog Running C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
Dcfssvc
Dcfssvc Running C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
QCONSVC
QCONSVC Running C:\WINDOWS\system32\QCONSVC.EXE
TpKmpSVC
IBM KCU Service Running C:\WINDOWS\system32\TpKmpSVC.exe
Detected - 51, recognized as trusted - 46
Drivers
Service Description Status File Group Dependencies
ANC
ANC Running C:\WINDOWS\system32\drivers\ANC.SYS
AvgLdx86
AVG AVI Loader Driver x86 Running C:\WINDOWS\System32\Drivers\avgldx86.sys AVG
AvgMfx86
AVG On-access Scanner Minifilter Driver x86 Running C:\WINDOWS\System32\Drivers\avgmfx86.sys AVG
AvgTdiX
AVG8 Network Redirector Running C:\WINDOWS\System32\Drivers\avgtdix.sys
DcCam
Kodak Camera Proxy Running C:\WINDOWS\system32\DRIVERS\DcCam.sys Base
DCFS2k
DCFS2k Running C:\WINDOWS\system32\DRIVERS\DCFS2k.sys Base
DcLps
Legacy Polling Service Running C:\WINDOWS\system32\DRIVERS\DcLps.sys Base
IBMTPCHK
IBMTPCHK Running C:\WINDOWS\system32\drivers\IBMBLDID.SYS
TPHKDRV
TPHKDRV Running C:\WINDOWS\system32\Drivers\TPHKDRV.sys
TPPWR
TPPWR Running C:\WINDOWS\system32\drivers\Tppwr.sys
TSMAPIP
TSMAPIP Running C:\WINDOWS\system32\drivers\TSMAPIP.SYS
Detected - 100, recognized as trusted - 89
Autoruns
File name Status Startup method Description
"C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\msdev.exe" -p %ld -e %ld
-- Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug, Debugger
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Adobe Photo Downloader
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Adobe Reader Speed Launcher
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BMMLREF
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BMMMONWND
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, DataLayer
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, EZEJMNAP
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, HotKeysCmds
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IgfxTray
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, iTunesHelper
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, NeroFilterCheck
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, PCSuiteTrayApplication
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QCTRAY
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QCWLICON
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QuickTime Task
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, RemoteControl
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SoundMAX
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, SoundMAXPnP
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TP4EX
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TPHOTKEY
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TPKMAPHELPER
.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TrackPointSrv
.exe
Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, msnmsgr
.exe
Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, PcSync
C:\Documents and Settings\Ruberc\Application Data\Smilebox\SmileboxTray.exe
Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SmileboxTray
C:\PROGRA~1\AVG\AVG8\avgtray.exe
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, AVG8_TRAY
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, MSKAGENTEXE
C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BLOG
C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll
Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BMMGAG
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Yahoo! Pager
C:\Program Files\McAfee\McAfee QuickClean\Uni.exe
Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\RunOnce, ARC
C:\WINDOWS\system32\avgrsstx.dll
-- Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs
QConGina.dll
Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina, DLLName
tphklock.dll
Active Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey, DLLName
Autoruns items detected - 86, recognized as trusted - 52
Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
C:\Program Files\AVG\AVG8\avgssie.dll
BHO Safe Search for Internet Explorer Copyright © 2008 AVG Technologies CZ, s.r.o. {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Elements detected - 4, recognized as trusted - 3
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
deskpan.dll
Display Panning CPL Extension {42071714-76d4-11d1-8b24-00a0c9068ff3}
Shell extensions for file compression {764BF0E1-F219-11ce-972D-00AA00A14F56}
Encryption Context Menu {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Media Band {32683183-48a0-441b-a342-7c2a440a9478}
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Autoplay for SlideShow {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
Registered ActiveX Controls Microsoft® Developer Studio Explorer Shell Extensions Copyright © Microsoft Corp. 1997 {6B19FEC2-A45B-11CF-9045-00A0C9039735}
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
Developer Studio Components Microsoft® Developer Studio Explorer Shell Extensions Copyright © Microsoft Corp. 1997 {D545EBD1-BD92-11CF-8772-00A0C9039735}
C:\Program Files\Common Files\KODAK\IFSCore\shellext.dll
KodakShellExtension Shell Extension DLL Copyright © Eastman Kodak Company 2000 {acb4a560-3606-11d3-aef4-00104bd0f92d}
C:\Program Files\AVG\AVG8\avgse.dll
AVG8 Shell Extension AVG Shell Extension Copyright © 2008 AVG Technologies CZ, s.r.o. {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
AVG8 Find Extension {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
Elements detected - 204, recognized as trusted - 192
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 8, recognized as trusted - 8
Task Scheduler jobs
File name Job name Job status Description Manufacturer
C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
BMMTask.job The task will not run at the scheduled times because it has been disabled.
Elements detected - 2, recognized as trusted - 1
SPI/LSP settings
Namespace providers (NSP)
Manufacturer Status EXE file Description GUID
Detected - 3, recognized as trusted - 3
Transport protocol providers (TSP, LSP)
Manufacturer EXE file Description
Detected - 13, recognized as trusted - 13
Results of automatic SPI settings check
LSP settings checked. No errors detected
TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 2192 [1152] c:\windows\system32\svchost.exe
139 LISTENING 0.0.0.0 38926 [4] System
445 LISTENING 0.0.0.0 28803 [4] System
1028 LISTENING 0.0.0.0 59513 [2344] c:\windows\system32\alg.exe
1034 ESTABLISHED 127.0.0.1 1035 [3840] c:\program files\mozilla firefox\firefox.exe
1035 ESTABLISHED 127.0.0.1 1034 [3840] c:\program files\mozilla firefox\firefox.exe
1036 ESTABLISHED 127.0.0.1 1037 [3840] c:\program files\mozilla firefox\firefox.exe
1037 ESTABLISHED 127.0.0.1 1036 [3840] c:\program files\mozilla firefox\firefox.exe
1128 ESTABLISHED 205.188.194.1 80 [3840] c:\program files\mozilla firefox\firefox.exe
1222 FIN_WAIT2 122.55.35.169 443 [3840] c:\program files\mozilla firefox\firefox.exe
1238 TIME_WAIT 58.71.107.11 80 [0]
1263 LAST_ACK 203.84.204.69 80 [3840] c:\program files\mozilla firefox\firefox.exe
1269 LAST_ACK 203.84.204.69 80 [3840] c:\program files\mozilla firefox\firefox.exe
1279 ESTABLISHED 58.71.107.18 80 [3840] c:\program files\mozilla firefox\firefox.exe
1309 LAST_ACK 209.191.93.150 80 [3840] c:\program files\mozilla firefox\firefox.exe
1312 ESTABLISHED 206.222.234.68 80 [3840] c:\program files\mozilla firefox\firefox.exe
1313 ESTABLISHED 206.222.234.68 443 [3840] c:\program files\mozilla firefox\firefox.exe
1314 ESTABLISHED 206.222.234.68 80 [3840] c:\program files\mozilla firefox\firefox.exe
10110 LISTENING 0.0.0.0 57452 [2004] c:\progra~1\avg\avg8\avgemc.exe
UDP ports
123 LISTENING -- -- [1224] c:\windows\system32\svchost.exe
123 LISTENING -- -- [1224] c:\windows\system32\svchost.exe
137 LISTENING -- -- [4] System
138 LISTENING -- -- [4] System
445 LISTENING -- -- [4] System
500 LISTENING -- -- [892] c:\windows\system32\lsass.exe
1032 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
1040 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
1041 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
1060 LISTENING -- -- [1292] c:\windows\system32\svchost.exe
1900 LISTENING -- -- [1412] c:\windows\system32\svchost.exe
1900 LISTENING -- -- [1412] c:\windows\system32\svchost.exe
4500 LISTENING -- -- [892] c:\windows\system32\lsass.exe
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Microsoft XML Parser for Java
file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
Kaspersky Online Scanner GUI Part Copyright c Kaspersky Lab 1997-2007. Portions Copyright c Lan Crypto {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
http://www.kaspersky...can_unicode.cab
C:\WINDOWS\DOWNLO~1\CONFLICT.2\stg_drm.ocx
SpinTopDRM Module Copyright 2007 {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
C:\WINDOWS\DOWNLO~1\oscan82.ocx
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
http://download.bitd...can8/oscan8.cab
C:\WINDOWS\Downloaded Program Files\fscax.dll
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}
http://support.f-sec...m/ols/fscax.cab
./Images/armhelper.ocx
{CC450D71-CC90-424C-8638-1F2DBAC87A54}
file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
Elements detected - 6, recognized as trusted - 0
Control Panel Applets (CPL)
File name Description Manufacturer
C:\WINDOWS\system32\tp4ex.cpl
IBM TrackPoint Accessibility Features Copyright © IBM Corporation 2001-2002
Elements detected - 25, recognized as trusted - 24
Active Setup
File name Description Manufacturer CLSID
Elements detected - 14, recognized as trusted - 14
HOSTS file
Hosts file record
127.0.0.1 localhost
Protocols and handlers
File name Type Description Manufacturer CLSID
C:\Program Files\AVG\AVG8\avgpp.dll
Handler Safe Search pluggable protocol (linkscanner: ExPLabs.com Pluggable Protocol) Copyright © 2008 AVG Technologies CZ, s.r.o. {F274614C-63F8-47D5-A4D1-FBDDE494F8D1}
Elements detected - 34, recognized as trusted - 33
Suspicious objects
File Description Type