Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
g:\program files\ati technologies\ati.ace\cli.exe Script: Quarantine, Delete, Delete via BC, Terminate	4020	CLI Application (Command Line Interface)	2002-2005	??	44.00 kb, rsAh, created: 01/02/2006 3:41:22 PM, modified: 01/02/2006 3:41:22 PM Command line: "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" -hide Wizard
g:\program files\ati technologies\ati.ace\cli.exe Script: Quarantine, Delete, Delete via BC, Terminate	4028	CLI Application (Command Line Interface)	2002-2005	??	44.00 kb, rsAh, created: 01/02/2006 3:41:22 PM, modified: 01/02/2006 3:41:22 PM Command line: "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" -hide SystemTray
g:\program files\ati technologies\ati.ace\cli.exe Script: Quarantine, Delete, Delete via BC, Terminate	1796	CLI Application (Command Line Interface)	2002-2005	??	44.00 kb, rsAh, created: 01/02/2006 3:41:22 PM, modified: 01/02/2006 3:41:22 PM Command line: "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
g:\utilities\ipod\bin\ipodservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	3556	iPodService Module (32-bit)	© 2003-2009 Apple Inc. All Rights Reserved.	??	532.78 kb, rsAh, created: 09/21/2009 3:36:02 PM, modified: 09/21/2009 3:36:02 PM Command line: G:\Utilities\iPod\bin\iPodService.exe
g:\utilities\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate	1984	iTunesHelper Module	© 2003-2009 Apple Inc. All Rights Reserved.	??	298.28 kb, rsAh, created: 09/21/2009 3:36:12 PM, modified: 09/21/2009 3:36:12 PM Command line: "G:\utilities\iTunes\iTunesHelper.exe"
c:\hallmark card studio 2009\planner\plnrnote.exe Script: Quarantine, Delete, Delete via BC, Terminate	2496	Hallmark Event Planner	Copyright © 2004 Creative Home. All rights reserved.	??	251.84 kb, rsAh, created: 08/29/2008 3:30:26 PM, modified: 08/29/2008 3:30:26 PM Command line: "C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe"
g:\windows\system32\spoolsv.exe Script: Quarantine, Delete, Delete via BC, Terminate	1584	Spooler SubSystem App	© Microsoft Corporation. All rights reserved.	??	56.50 kb, rsah, created: 06/10/2005 6:55:46 PM, modified: 06/10/2005 6:53:32 PM Command line: G:\WINDOWS\system32\spoolsv.exe
g:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate	1532	Generic Host Process for Win32 Services	© Microsoft Corporation. All rights reserved.	??	14.00 kb, rsah, created: 08/23/2001 7:00:00 AM, modified: 08/04/2004 2:56:57 AM Command line: G:\WINDOWS\System32\svchost.exe -k imgsvc
g:\windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC, Terminate	684	Windows NT Logon Application	© Microsoft Corporation. All rights reserved.	??	490.50 kb, rsah, created: 08/28/2002 10:41:28 PM, modified: 08/04/2004 2:56:57 AM Command line: winlogon.exe
Detected:42, recognized as trusted 41

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe Script: Quarantine, Delete, Delete via BC	4194304	Hallmark Event Planner	Copyright © 2004 Creative Home. All rights reserved.	??	2496
G:\Utilities\iPod\bin\iPodService.Resources\en.lproj\iPodServiceLocalized.DLL Script: Quarantine, Delete, Delete via BC	9043968	iPodService Resource Library (32-bit)	© 2003-2009 Apple Inc. All Rights Reserved.	--	3556
G:\utilities\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL Script: Quarantine, Delete, Delete via BC	14090240	iTunesHelper Resource Library	© 2003-2009 Apple Inc. All Rights Reserved.	--	1984
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll Script: Quarantine, Delete, Delete via BC	2030829568	Microsoft Common Language Runtime Class Library	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll Script: Quarantine, Delete, Delete via BC	1686700032	System.Configuration.dll	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\abb2ac7e08bee026f857d8fa36f9fe6f\System.Drawing.ni.dll Script: Quarantine, Delete, Delete via BC	2061369344	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll Script: Quarantine, Delete, Delete via BC	1735852032	Microsoft .NET Runtime Object Remoting	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\5cea03cfb008f2eac1439a9905467f37\System.Web.ni.dll Script: Quarantine, Delete, Delete via BC	78970880	System.Web.dll	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll Script: Quarantine, Delete, Delete via BC	2063400960	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\5913d3f81e77194ec833991b1047a532\System.Xml.ni.dll Script: Quarantine, Delete, Delete via BC	1668939776	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\3de5bd01124463d7862bd173af90bc83\System.ni.dll Script: Quarantine, Delete, Delete via BC	2051276800	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4020, 4028, 1796
G:\WINDOWS\SCANUSDP.dll Script: Quarantine, Delete, Delete via BC	11337728	Asynchronous USD for SCSI	Copyright (C) 1998	--	1532
G:\WINDOWS\system32\EBPMON24.DLL Script: Quarantine, Delete, Delete via BC	1346371584	EPSON Bi-directional Monitor	Copyright (C) SEIKO EPSON CORP. 2002-2003	--	1584
G:\WINDOWS\system32\WgaLogon.dll Script: Quarantine, Delete, Delete via BC	20316160	Windows Genuine Advantage - Meddelande	© 1995-2007 Microsoft Corporation	--	684
Modules found:452, recognized as trusted 438

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
G:\WINDOWS\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, Delete via BC	F153B000	018000 (98304)
G:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, Delete via BC	F8CEC000	002000 (8192)
G:\WINDOWS\System32\DRIVERS\Dvd43.sys Script: Quarantine, Delete, Delete via BC	F8B26000	007000 (28672)	Video DVD protection removal tool	None. It's free
G:\WINDOWS\System32\DRIVERS\EPPSCAN.sys Script: Quarantine, Delete, Delete via BC	F6C16000	012000 (73728)	EPPSCAN WDM Driver	Copyright © 2000
G:\WINDOWS\System32\drivers\KID_SYS.sys Script: Quarantine, Delete, Delete via BC	F8CB0000	002000 (8192)	Kensington Input Devices Class Filter Driver	Copyright ©2001 ACCO Brands, Inc.
G:\WINDOWS\System32\DRIVERS\NTIDrvr.sys Script: Quarantine, Delete, Delete via BC	F8CAC000	002000 (8192)	NTI CD-ROM Filter Driver	Copyright (C) 2002 NewTech Infosystems, Inc.
G:\WINDOWS\system32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	F8684000	0D1000 (856064)
G:\WINDOWS\System32\Drivers\SPTD1517.SYS Script: Quarantine, Delete, Delete via BC	F866C000	018000 (98304)
G:\WINDOWS\System32\Drivers\Udfreadr_xp.SYS Script: Quarantine, Delete, Delete via BC	F1A7E000	033000 (208896)	CD-UDF NT Filesystem Reader Driver	Copyright (c) 2001-2003, Roxio, Inc.
G:\WINDOWS\system32\DRIVERS\vsb.sys Script: Quarantine, Delete, Delete via BC	F8B6E000	005000 (20480)	Virtual Serial Bus	Copyright © ELTIMA Software 2000-2006
G:\WINDOWS\System32\DRIVERS\vserial.sys Script: Quarantine, Delete, Delete via BC	F741D000	00B000 (45056)	Virtual Serial Port Driver	Copyright © ELTIMA Software 2000-2006
Modules found - 161, recognized as trusted - 150

Services

Service	Description	Status	File	Group	Dependencies
GoogleDesktopManager-093007-112848 Service: Stop, Delete, Disable	Google Desktop Manager 5.5.709.30344	Not started	G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Script: Quarantine, Delete, Delete via BC		RPCSS
NetFxUpdate_v1.1.4322 Service: Stop, Delete, Disable	Microsoft .NET Framework v1.1.4322 Update	Not started	G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe Script: Quarantine, Delete, Delete via BC
Detected - 102, recognized as trusted - 100

Drivers

Service	Description	Status	File	Group	Dependencies
Dvd43 Driver: Unload, Delete, Disable	Dvd43	Running	G:\WINDOWS\system32\DRIVERS\Dvd43.sys Script: Quarantine, Delete, Delete via BC
EPPSCSIx Driver: Unload, Delete, Disable	EPPSCSI Driver	Running	G:\WINDOWS\system32\DRIVERS\EPPSCAN.sys Script: Quarantine, Delete, Delete via BC	SCSI Miniport
kid_sys Driver: Unload, Delete, Disable	Kensington Input Devices Class filter driver	Running	G:\WINDOWS\system32\drivers\KID_SYS.sys Script: Quarantine, Delete, Delete via BC
NTIDrvr Driver: Unload, Delete, Disable	Upper Class Filter Driver	Running	G:\WINDOWS\system32\DRIVERS\NTIDrvr.sys Script: Quarantine, Delete, Delete via BC
sptd Driver: Unload, Delete, Disable	sptd	Running	G:\WINDOWS\System32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
Udfreadr_xp Driver: Unload, Delete, Disable	Udfreadr_xp	Running	G:\WINDOWS\system32\Drivers\Udfreadr_xp.sys Script: Quarantine, Delete, Delete via BC	File System
vsbus Driver: Unload, Delete, Disable	Virtual Serial Bus Enumerator	Running	G:\WINDOWS\system32\DRIVERS\vsb.sys Script: Quarantine, Delete, Delete via BC	Extended Base
vserial Driver: Unload, Delete, Disable	ELTIMA Virtual Serial Ports Driver	Running	G:\WINDOWS\system32\DRIVERS\vserial.sys Script: Quarantine, Delete, Delete via BC	Extended Base
1e735214 Driver: Unload, Delete, Disable	1e735214	Not started	G:\WINDOWS\System32\drivers\1e735214.sys Script: Quarantine, Delete, Delete via BC
Abiosdsk Driver: Unload, Delete, Disable	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
abp480n5 Driver: Unload, Delete, Disable	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Ad-Watch Connect Filter Driver: Unload, Delete, Disable	Ad-Watch Connect Kernel Filter	Not started	G:\WINDOWS\system32\drivers\NSDriver.sys Script: Quarantine, Delete, Delete via BC
Ad-Watch Real-Time Scanner Driver: Unload, Delete, Disable	AW Real-Time Scanner	Not started	G:\WINDOWS\system32\drivers\AWRTPD.sys Script: Quarantine, Delete, Delete via BC
adpu160m Driver: Unload, Delete, Disable	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Aha154x Driver: Unload, Delete, Disable	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
aic78xx Driver: Unload, Delete, Disable	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
AliIde Driver: Unload, Delete, Disable	AliIde	Not started	AliIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
amsint Driver: Unload, Delete, Disable	amsint	Not started	amsint.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc Driver: Unload, Delete, Disable	asc	Not started	asc.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc3350p Driver: Unload, Delete, Disable	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc3550 Driver: Unload, Delete, Disable	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Atdisk Driver: Unload, Delete, Disable	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
catchme Driver: Unload, Delete, Disable	catchme	Not started	G:\DOCUME~1\Randy\LOCALS~1\Temp\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
cd20xrnt Driver: Unload, Delete, Disable	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Changer Driver: Unload, Delete, Disable	Changer	Not started	Changer.sys Script: Quarantine, Delete, Delete via BC	Filter
CmdIde Driver: Unload, Delete, Disable	CmdIde	Not started	CmdIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
CoolerXPDriver Driver: Unload, Delete, Disable	CoolerXPDriver	Not started	G:\Utilities\PC Alert 4\NTCooler.sys Script: Quarantine, Delete, Delete via BC
Cpqarray Driver: Unload, Delete, Disable	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
dac960nt Driver: Unload, Delete, Disable	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
dpti2o Driver: Unload, Delete, Disable	dpti2o	Not started	dpti2o.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
DtvAudio Driver: Unload, Delete, Disable	DtvAudio	Not started	G:\WINDOWS\system32\DRIVERS\DtvAudio.sys Script: Quarantine, Delete, Delete via BC
DtvVideo Driver: Unload, Delete, Disable	DtvVideo	Not started	G:\WINDOWS\system32\DRIVERS\DtvVideo.sys Script: Quarantine, Delete, Delete via BC
dvd43llh Driver: Unload, Delete, Disable	dvd43llh	Not started	G:\WINDOWS\system32\DRIVERS\dvd43llh.sys Script: Quarantine, Delete, Delete via BC
GMSIPCI Driver: Unload, Delete, Disable	GMSIPCI	Not started	D:\INSTALL\GMSIPCI.SYS Script: Quarantine, Delete, Delete via BC
hpn Driver: Unload, Delete, Disable	hpn	Not started	hpn.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
i2omgmt Driver: Unload, Delete, Disable	i2omgmt	Not started	i2omgmt.sys Script: Quarantine, Delete, Delete via BC	SCSI Class
i2omp Driver: Unload, Delete, Disable	i2omp	Not started	i2omp.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ini910u Driver: Unload, Delete, Disable	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
IntelIde Driver: Unload, Delete, Disable	IntelIde	Not started	IntelIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
lbrtfdc Driver: Unload, Delete, Disable	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
mraid35x Driver: Unload, Delete, Disable	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ossrv Driver: Unload, Delete, Disable	Creative OS Services Driver	Not started	G:\WINDOWS\system32\drivers\ctoss2k.sys Script: Quarantine, Delete, Delete via BC
oxmf Driver: Unload, Delete, Disable	OXPCI Bus enumerator	Not started	G:\WINDOWS\system32\DRIVERS\oxmf.sys Script: Quarantine, Delete, Delete via BC	Extended base
Oxmfuf Driver: Unload, Delete, Disable	Filter driver for OX16PCI954 ports	Not started	G:\WINDOWS\system32\DRIVERS\oxmfuf.sys Script: Quarantine, Delete, Delete via BC	PNP Filter
oxser Driver: Unload, Delete, Disable	OX16C95x Serial port driver	Not started	G:\WINDOWS\system32\DRIVERS\oxser.sys Script: Quarantine, Delete, Delete via BC	Extended base
PCIDump Driver: Unload, Delete, Disable	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, Delete via BC	PCI Configuration
PCIIde Driver: Unload, Delete, Disable	PCIIde	Not started	PCIIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
PDCOMP Driver: Unload, Delete, Disable	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, Delete via BC
PDFRAME Driver: Unload, Delete, Disable	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, Delete via BC
PDRELI Driver: Unload, Delete, Disable	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, Delete via BC
PDRFRAME Driver: Unload, Delete, Disable	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, Delete via BC
perc2 Driver: Unload, Delete, Disable	perc2	Not started	perc2.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
perc2hib Driver: Unload, Delete, Disable	perc2hib	Not started	perc2hib.sys Script: Quarantine, Delete, Delete via BC	Filter
pfc Driver: Unload, Delete, Disable	Padus ASPI Shell	Not started	G:\WINDOWS\system32\drivers\pfc.sys Script: Quarantine, Delete, Delete via BC	filter
pwd_2k Driver: Unload, Delete, Disable	pwd_2k	Not started	pwd_2k.sys Script: Quarantine, Delete, Delete via BC	filter
ql1080 Driver: Unload, Delete, Disable	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql12160 Driver: Unload, Delete, Disable	ql12160	Not started	ql12160.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql1240 Driver: Unload, Delete, Disable	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql1280 Driver: Unload, Delete, Disable	ql1280	Not started	ql1280.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
rtl8139 Driver: Unload, Delete, Disable	Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver	Not started	G:\WINDOWS\system32\DRIVERS\RTL8139.SYS Script: Quarantine, Delete, Delete via BC	NDIS
Simbad Driver: Unload, Delete, Disable	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, Delete via BC	Filter
SOFTLOK Driver: Unload, Delete, Disable	SOFTLOK	Not started	SOFTLOK.sys Script: Quarantine, Delete, Delete via BC	Extended Base
Sparrow Driver: Unload, Delete, Disable	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
sym_hi Driver: Unload, Delete, Disable	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
sym_u3 Driver: Unload, Delete, Disable	sym_u3	Not started	sym_u3.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
symc810 Driver: Unload, Delete, Disable	symc810	Not started	symc810.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
symc8xx Driver: Unload, Delete, Disable	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
SymIM Driver: Unload, Delete, Disable	Symantec Network Security Intermediate Filter Service	Not started	G:\WINDOWS\system32\DRIVERS\SymIM.sys Script: Quarantine, Delete, Delete via BC
SymIMMP Driver: Unload, Delete, Disable	SymIMMP	Not started	G:\WINDOWS\system32\DRIVERS\SymIM.sys Script: Quarantine, Delete, Delete via BC
TosIde Driver: Unload, Delete, Disable	TosIde	Not started	TosIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
vaxscsi Driver: Unload, Delete, Disable	vaxscsi	Not started	G:\WINDOWS\System32\Drivers\vaxscsi.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
VPNET Driver: Unload, Delete, Disable	DTVNet Ethernet Controller	Not started	G:\WINDOWS\system32\DRIVERS\DTVNet.sys Script: Quarantine, Delete, Delete via BC	NDIS
WDICA Driver: Unload, Delete, Disable	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, Delete via BC
WISTechVIDCAP Driver: Unload, Delete, Disable	ADS DVD XPRESS DX2	Not started	G:\WINDOWS\system32\drivers\wisgostrm.sys Script: Quarantine, Delete, Delete via BC	ExtendedBase
xmasbus Driver: Unload, Delete, Disable	xmasbus	Not started	G:\WINDOWS\System32\DRIVERS\xmasbus.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
Detected - 242, recognized as trusted - 165

Autoruns

File name	Status	Startup method	Description
C:\Links 2003\dw15.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Links 2003, EventMessageFile Delete
G:\PROGRA~1\NORTON~1\AdvTools\UE32.EXE Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\NUEWizard, EventMessageFile Delete
G:\Program Files\FLAC\FLAC frontend.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\FLAC Frontend.lnk,
G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Google Desktop Search Delete
G:\UTILIT~1\AVG\avglog.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\AVG7, EventMessageFile Delete
G:\Utilities\DVD Decrypter\DVDDecrypter.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Decrypter.lnk,
G:\Utilities\DVDZip Pro 3.0.1.1\DVDZipPro.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDZip Pro 3.0.1.1.lnk,
G:\Utilities\DivxToDVD\DivxToDVD.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\VSO DivxToDVD.lnk,
G:\Utilities\Easy Video Joiner\Joiner.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\Easy Video Joiner.lnk,
G:\Utilities\Easy Video Splitter\splitter.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\Easy Video Splitter.lnk,
G:\Utilities\Norton Ghost\Shared\PQNotify.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Norton Ghost 9.0, EventMessageFile Delete
G:\Utilities\Qtrax_20080125\songbird.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\Qtrax.lnk,
G:\Utilities\VSO\ConvertX\3\ConvertXtoDvd.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\ConvertXtoDvd.lnk,
G:\WINDOWS\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\All Users\Start Menu\Programs\Startup\, G:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2009.lnk,
G:\WINDOWS\Installer\{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}\SafariIco.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\, G:\Documents and Settings\Randy\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk,
G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\EventLogMessages.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\ACEEventLog\ACEEventLog, EventMessageFile Delete
G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\EventLogMessages.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\ACEEventLog\ACEEventLogSource, EventMessageFile Delete
G:\WINDOWS\System32\CTsvcCDA.EXE Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Creative Service for CDROM Access, EventMessageFile Delete
G:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile Delete
G:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
G:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile Delete
G:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile Delete
G:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile Delete
G:\WINDOWS\System32\mspmspsv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WmdmPmSp, EventMessageFile Delete
G:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile Delete
G:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile Delete
G:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile Delete
G:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile Delete
G:\WINDOWS\system32\IR21_R.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.IR21 Delete
G:\WINDOWS\system32\IR21_R.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, VIDC.RT21 Delete
G:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
G:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
G:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
G:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
G:\WINDOWS\system32\snti386.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, SENTINEL Delete
G:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile Delete
G:\WINDOWS\system32\xvid.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.XVID Delete
LCODCCMP.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, vidc.LEAD Delete
WgaLogon.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon, DLLName Delete
kbd101.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN Delete
kbd101a.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
vorbis.acm Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, msacm.vorbis Delete
Autoruns items found - 636, recognized as trusted - 586

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	BHO			{02478d38-c3f9-4efb-9b51-7695eca05670} Delete
	BHO			{5C255C8A-E604-49b4-9D64-90988571CECB} Delete
	Extension module			{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} Delete
	Explorer Bar			{32683183-48a0-441b-a342-7c2a440a9478} Delete
Items found - 21, recognized as trusted - 17

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	HyperTerminal Icon Ext			{88895560-9AA2-1069-930E-00AA0030EBC8} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	Media Band			{32683183-48a0-441b-a342-7c2a440a9478} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
	AlcoholShellEx			{32020A01-506E-484D-A2A8-BE3CF17601C3} Delete
	Trojan Remover Shell Extension			{52B87208-9CCF-42C9-B88E-069281105805} Delete
	Ulead UDF Driver			{DBD8E168-244D-448C-9922-25508950D1DC} Delete
	CD Copy Shell Extension			{F5D92341-0A64-11D0-9956-0000E8096023} Delete
	CD Wizard Shell Extension			{F5D92342-0A64-11D0-9956-0000E8096023} Delete
	InstantWrite Shellextension			{F5D92344-0A64-11D0-9956-0000E8096023} Delete
	Image Converter and Editor menu			{EBCF1A16-C835-1B36-865F-3162AF3E95A6} Delete
	Multiscan			{D9872D13-7651-4471-9EEE-F0A00218BEBB} Delete
rundll32.exe G:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Script: Quarantine, Delete, Delete via BC	Autoplay for SlideShow			{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Delete
	IE User Assist			{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} Delete
"G:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Autoplay Drop Target			{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} Delete
"G:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Viewer Drop Target			{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} Delete
"G:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe" /PhotoViewerComServer {00F374B7-B390-4884-B372-2FC349F2172B} Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Editor Drop Target			{00F374B7-B390-4884-B372-2FC349F2172B} Delete
Items found - 237, recognized as trusted - 217

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
G:\WINDOWS\system32\EBPMON24.DLL Script: Quarantine, Delete, Delete via BC	Monitor	EPSON V6 2KMonitor	EPSON Bi-directional Monitor	Copyright (C) SEIKO EPSON CORP. 2002-2003
Items found - 10, recognized as trusted - 9

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
Items found - 3, recognized as trusted - 3

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 4, recognized as trusted - 4

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 17, recognized as trusted - 17
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 39150 [988] g:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
139 LISTENING 0.0.0.0 61650 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 53 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
1032 LISTENING 0.0.0.0 51428 [1796] g:\program files\ati technologies\ati.ace\cli.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1034 ESTABLISHED 127.0.0.1 27015 [1984] g:\utilities\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1037 LISTENING 0.0.0.0 2085 [4020] g:\program files\ati technologies\ati.ace\cli.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1038 LISTENING 0.0.0.0 6156 [4028] g:\program files\ati technologies\ati.ace\cli.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1044 CLOSE_WAIT 91.199.212.171 80 [1056] c:\comodo\comodo internet security\cmdagent.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1045 CLOSE_WAIT 208.116.56.19 80 [1056] c:\comodo\comodo internet security\cmdagent.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5152 LISTENING 0.0.0.0 18499 [564] g:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 LISTENING 0.0.0.0 18580 [228] g:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 ESTABLISHED 127.0.0.1 1034 [2032] g:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 LISTENING 0.0.0.0 18482 [2032] g:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123 LISTENING -- -- [1124] g:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
123 LISTENING -- -- [1124] g:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [744] g:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1025 LISTENING -- -- [228] g:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [744] g:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5353 LISTENING -- -- [228] g:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62981 LISTENING -- -- [228] g:\program files\bonjour\mdnsresponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
DirectAnimation Java Classes
Delete file://G:\WINDOWS\Java\classes\dajava.cab
Garmin Communicator Plug-In
Delete https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
Microsoft XML Parser for Java
Delete file://G:\WINDOWS\Java\classes\xmldso.cab
{02BCC737-B171-4746-94C9-0D8A0B2C0089}
Delete http://office.microsoft.com/templates/ieawsdc.cab
{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}
Delete http://www.creative.com/su/ocx/15015/CTSUEng.cab
G:\WINDOWS\system32\legitcheckcontrol.dll
Script: Quarantine, Delete, Delete via BC Windows Genuine Advantage Validation © 1995-2007 Microsoft Corporation {17492023-C23A-453E-A040-C7C580BBF700}
Delete http://go.microsoft.com/fwlink/?linkid=39204
G:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll
Script: Quarantine, Delete, Delete via BC EPUWALControl Module Copyright 2003 - 2008 {4C39376E-FA9D-4349-BACC-D305C1750EF3}
Delete http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
{62475759-9E84-458E-A1AB-5D2C442ADFDE}
Delete http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
G:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX
Script: Quarantine, Delete, Delete via BC Eset OnlineScanner ActiveX Control NOD, NOD32, ESET are registered trademarks of Eset {7530bfb8-7293-4d34-9923-61a11451afc5}
Delete http://download.eset.com/special/eos/OnlineScanner.cab
{80DD2229-B8E4-4C77-B72F-F22972D723EA}
Delete http://www.bitdefender.com/scan/Msie/bitdefender.cab
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Delete http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F}
Delete http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37982.8363310185
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
Delete http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
{F6ACF75C-C32C-447B-9BEF-46B766368D29}
Delete http://www.creative.com/su/ocx/15021/CTPID.cab
G:\WINDOWS\system32\FlashAX2\iefax.dll
Script: Quarantine, Delete, Delete via BC Microgaming Flash Casino Helper Control Copyright © Microgaming, 2008 {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65}
Delete https://plugins.valueactive.eu/flashax/iefax.cab
{FAE74270-E5EE-49C3-B816-EA8B4D55F38F}
Delete http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
Items found - 30, recognized as trusted - 14

Control Panel Applets (CPL)

File name Description Manufacturer
G:\WINDOWS\system32\javacpl.cpl
Script: Quarantine, Delete, Delete via BC Java(TM) Control Panel Copyright © 2004
Items found - 25, recognized as trusted - 24

Active Setup

File name Description Manufacturer CLSID
Items found - 15, recognized as trusted - 15

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 33, recognized as trusted - 30

Suspicious objects

File Description Type
G:\WINDOWS\System32\DRIVERS\cmdguard.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook
G:\WINDOWS\system32\Drivers\sptd.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook

AVZ Antiviral Toolkit log; AVZ version is 4.32 Scanning started at 11/09/2009 7:43:17 PM Database loaded: signatures - 248534, NN profile(s) - 2, malware removal microprograms - 56, signature database released 08.11.2009 14:41 Heuristic microprograms loaded: 374 PVS microprograms loaded: 9 Digital signatures of system files loaded: 153487 Heuristic analyzer mode: Maximum heuristics mode Malware removal mode: disabled Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights System Restore: enabled 1. Searching for Rootkits and other software intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Function kernel32.dll:CopyFileA (64) intercepted, method - APICodeHijack.JmpTo[10001B66] Function kernel32.dll:CopyFileExA (65) intercepted, method - APICodeHijack.JmpTo[10001BA6] Function kernel32.dll:CopyFileExW (66) intercepted, method - APICodeHijack.JmpTo[10001BC6] Function kernel32.dll:CopyFileW (67) intercepted, method - APICodeHijack.JmpTo[10001B86] Function kernel32.dll:CreateFileA (80) intercepted, method - APICodeHijack.JmpTo[10001B26] Function kernel32.dll:CreateFileW (83) intercepted, method - APICodeHijack.JmpTo[10001B46] Function kernel32.dll:CreateProcessA (99) intercepted, method - APICodeHijack.JmpTo[10001A46] Function kernel32.dll:CreateProcessW (103) intercepted, method - APICodeHijack.JmpTo[10001A66] Function kernel32.dll:DeleteFileA (130) intercepted, method - APICodeHijack.JmpTo[10001CA6] Function kernel32.dll:DeleteFileW (131) intercepted, method - APICodeHijack.JmpTo[10001CC6] Function kernel32.dll:GetModuleHandleA (374) intercepted, method - APICodeHijack.JmpTo[10001CE6] Function kernel32.dll:GetModuleHandleW (377) intercepted, method - APICodeHijack.JmpTo[10001D06] Function kernel32.dll:GetProcAddress (408) intercepted, method - APICodeHijack.JmpTo[10001A86] Function kernel32.dll:LoadLibraryA (578) intercepted, method - APICodeHijack.JmpTo[10001D26] Function kernel32.dll:LoadLibraryExA (579) intercepted, method - APICodeHijack.JmpTo[10001AC6] Function kernel32.dll:LoadLibraryExW (580) intercepted, method - APICodeHijack.JmpTo[10001AE6] Function kernel32.dll:LoadLibraryW (581) intercepted, method - APICodeHijack.JmpTo[10001D46] Function kernel32.dll:LoadModule (582) intercepted, method - APICodeHijack.JmpTo[10001AA6] Function kernel32.dll:MoveFileA (606) intercepted, method - APICodeHijack.JmpTo[10001BE6] Function kernel32.dll:MoveFileExA (607) intercepted, method - APICodeHijack.JmpTo[10001C26] Function kernel32.dll:MoveFileExW (608) intercepted, method - APICodeHijack.JmpTo[10001C46] Function kernel32.dll:MoveFileW (609) intercepted, method - APICodeHijack.JmpTo[10001C06] Function kernel32.dll:MoveFileWithProgressA (610) intercepted, method - APICodeHijack.JmpTo[10001C66] Function kernel32.dll:MoveFileWithProgressW (611) intercepted, method - APICodeHijack.JmpTo[10001C86] Function kernel32.dll:OpenFile (622) intercepted, method - APICodeHijack.JmpTo[10001B06] Function kernel32.dll:WinExec (897) intercepted, method - APICodeHijack.JmpTo[10001D66] Analysis: ntdll.dll, export table found in section .text Function ntdll.dll:LdrGetProcedureAddress (65) intercepted, method - APICodeHijack.JmpTo[100019E6] Function ntdll.dll:LdrLoadDll (70) intercepted, method - APICodeHijack.JmpTo[10004546] Function ntdll.dll:LdrUnloadDll (80) intercepted, method - APICodeHijack.JmpTo[10008A56] Function ntdll.dll:NtAllocateVirtualMemory (103) intercepted, method - APICodeHijack.JmpTo[10001946] Function ntdll.dll:NtClose (111) intercepted, method - APICodeHijack.JmpTo[10008B26] Function ntdll.dll:NtCreateFile (123) intercepted, method - APICodeHijack.JmpTo[100018C6] Function ntdll.dll:NtCreateProcess (134) intercepted, method - APICodeHijack.JmpTo[10001886] Function ntdll.dll:NtCreateProcessEx (135) intercepted, method - APICodeHijack.JmpTo[100019A6] Function ntdll.dll:NtDeleteFile (150) intercepted, method - APICodeHijack.JmpTo[10001906] Function ntdll.dll:NtFreeVirtualMemory (171) intercepted, method - APICodeHijack.JmpTo[10001A26] Function ntdll.dll:NtLoadDriver (185) intercepted, method - APICodeHijack.JmpTo[10001966] Function ntdll.dll:NtOpenFile (204) intercepted, method - APICodeHijack.JmpTo[100018E6] Function ntdll.dll:NtProtectVirtualMemory (226) intercepted, method - APICodeHijack.JmpTo[10001926] Function ntdll.dll:NtSetInformationProcess (319) intercepted, method - APICodeHijack.JmpTo[100019C6] Function ntdll.dll:NtUnloadDriver (353) intercepted, method - APICodeHijack.JmpTo[10001986] Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method - APICodeHijack.JmpTo[100018A6] Function ntdll.dll:RtlAllocateHeap (405) intercepted, method - APICodeHijack.JmpTo[10001A06] Function ntdll.dll:ZwAllocateVirtualMemory (914) intercepted, method - APICodeHijack.JmpTo[10001946] Function ntdll.dll:ZwClose (922) intercepted, method - APICodeHijack.JmpTo[10008B26] Function ntdll.dll:ZwCreateFile (934) intercepted, method - APICodeHijack.JmpTo[100018C6] Function ntdll.dll:ZwCreateProcess (945) intercepted, method - APICodeHijack.JmpTo[10001886] Function ntdll.dll:ZwCreateProcessEx (946) intercepted, method - APICodeHijack.JmpTo[100019A6] Function ntdll.dll:ZwDeleteFile (960) intercepted, method - APICodeHijack.JmpTo[10001906] Function ntdll.dll:ZwFreeVirtualMemory (981) intercepted, method - APICodeHijack.JmpTo[10001A26] Function ntdll.dll:ZwLoadDriver (995) intercepted, method - APICodeHijack.JmpTo[10001966] Function ntdll.dll:ZwOpenFile (1014) intercepted, method - APICodeHijack.JmpTo[100018E6] Function ntdll.dll:ZwProtectVirtualMemory (1036) intercepted, method - APICodeHijack.JmpTo[10001926] Function ntdll.dll:ZwSetInformationProcess (1129) intercepted, method - APICodeHijack.JmpTo[100019C6] Function ntdll.dll:ZwUnloadDriver (1163) intercepted, method - APICodeHijack.JmpTo[10001986] Function ntdll.dll:ZwWriteVirtualMemory (1179) intercepted, method - APICodeHijack.JmpTo[100018A6] Analysis: user32.dll, export table found in section .text Function user32.dll:EndTask (202) intercepted, method - APICodeHijack.JmpTo[100086F6] Analysis: advapi32.dll, export table found in section .text Function advapi32.dll:CreateServiceA (102) intercepted, method - APICodeHijack.JmpTo[10000FF6] Function advapi32.dll:CreateServiceW (103) intercepted, method - APICodeHijack.JmpTo[10001246] Function advapi32.dll:OpenServiceA (431) intercepted, method - APICodeHijack.JmpTo[10001636] Function advapi32.dll:OpenServiceW (432) intercepted, method - APICodeHijack.JmpTo[10001476] Analysis: ws2_32.dll, export table found in section .text Function ws2_32.dll:WSASocketA (82) intercepted, method - APICodeHijack.JmpTo[10001E66] Function ws2_32.dll:WSASocketW (83) intercepted, method - APICodeHijack.JmpTo[10001E86] Analysis: wininet.dll, export table found in section .text Function wininet.dll:InternetConnectA (231) intercepted, method - APICodeHijack.JmpTo[10001E26] Function wininet.dll:InternetConnectW (232) intercepted, method - APICodeHijack.JmpTo[10001E46] Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Function urlmon.dll:URLDownloadToCacheFileA (216) intercepted, method - APICodeHijack.JmpTo[10001EE6] Function urlmon.dll:URLDownloadToCacheFileW (217) intercepted, method - APICodeHijack.JmpTo[10001F06] Function urlmon.dll:URLDownloadToFileA (218) intercepted, method - APICodeHijack.JmpTo[10001EA6] Function urlmon.dll:URLDownloadToFileW (219) intercepted, method - APICodeHijack.JmpTo[10001EC6] Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=082700) Kernel ntoskrnl.exe found in memory at address 804D7000 SDT = 80559700 KiST = 804E26A8 (284) Function NtAdjustPrivilegesToken (0B) intercepted (8058EC01->F1B4AD46), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtConnectPort (1F) intercepted (8058A87C->F1B4A250), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtCreateFile (25) intercepted (8056FC68->F1B4A8EA), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtCreateKey (29) intercepted (8056E819->F1B4B2C2), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtCreatePort (2E) intercepted (80597561->F1B4A132), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtCreateSection (32) intercepted (8056469B->F1B4C254), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtCreateSymbolicLinkObject (34) intercepted (805A0CE9->F1B4C52C), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtCreateThread (35) intercepted (8057C51B->F1B49CF8), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtDeleteKey (3F) intercepted (805951B2->F1B4AF2C), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtDeleteValueKey (41) intercepted (80593B28->F1B4B0DC), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtDuplicateObject (44) intercepted (80572B96->F1B49A5A), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtEnumerateKey (47) intercepted (8056EF20->F8689D48), hook G:\WINDOWS\system32\Drivers\sptd.sys Function NtEnumerateValueKey (49) intercepted (8057FBF4->F868A0C0), hook G:\WINDOWS\system32\Drivers\sptd.sys Function NtLoadDriver (61) intercepted (805A40FA->F1B4BED6), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtMakeTemporaryObject (69) intercepted (805A11A7->F1B4A4D4), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtOpenFile (74) intercepted (8056FC03->F1B4AB2E), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtOpenKey (77) intercepted (80567D6B->F8689AE2), hook G:\WINDOWS\system32\Drivers\sptd.sys Function NtOpenProcess (7A) intercepted (80572D76->F1B4978A), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtOpenSection (7D) intercepted (8057677B->F1B4A764), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtOpenThread (80) intercepted (8058C882->F1B49902), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtQueryKey (A0) intercepted (8056EC29->F868A18A), hook G:\WINDOWS\system32\Drivers\sptd.sys Function NtQueryValueKey (B1) intercepted (8056B173->F868A022), hook G:\WINDOWS\system32\Drivers\sptd.sys Function NtRenameKey (C0) intercepted (8064D109->F1B4B688), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtRequestWaitReplyPort (C8) intercepted (80575F9A->F1B4B9F0), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtSecureConnectPort (D2) intercepted (8057EA6A->F1B4BC72), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtSetSystemInformation (F0) intercepted (805A26E4->F1B4C084), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtSetValueKey (F7) intercepted (80573CFD->F1B4B488), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtShutdownSystem (F9) intercepted (80645923->F1B4A46E), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtSystemDebugControl (FF) intercepted (80648481->F1B4A658), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtTerminateProcess (101) intercepted (805847BC->F1B49FFC), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Function NtTerminateThread (102) intercepted (8057BC34->F1B49ECA), hook G:\WINDOWS\System32\DRIVERS\cmdguard.sys, driver recognized as trusted Functions checked: 284, intercepted: 31, restored: 0 1.3 Checking IDT and SYSENTER Analyzing CPU 1 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_CLOSE] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_WRITE] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8378DEB0 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 8378DEB0 -> hook not defined \FileSystem\FastFat[IRP_MJ_CREATE] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_CLOSE] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_WRITE] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_EA] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_EA] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 831709B0 -> hook not defined \FileSystem\FastFat[IRP_MJ_PNP] = 831709B0 -> hook not defined \driver\disk[IRP_MJ_CREATE] = 8378D0E8 -> hook not defined \driver\disk[IRP_MJ_CLOSE] = 8378D0E8 -> hook not defined \driver\disk[IRP_MJ_READ] = 8378D0E8 -> hook not defined \driver\disk[IRP_MJ_WRITE] = 8378D0E8 -> hook not defined \driver\disk[IRP_MJ_PNP] = 8378D0E8 -> hook not defined Checking - complete 2. Scanning RAM Number of processes found: 41 Extended process analysis: 2496 C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe [ES]:Application has no visible windows Number of modules loaded: 423 Scanning RAM - complete 3. Scanning disks 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious software Checking - disabled by user 7. Heuristic system check Latent DLL loading through AppInit_DLLs suspected: "G:\WINDOWS\system32\guard32.dll" Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry) >> Services: potentially dangerous service allowed: TermService (Terminal Services) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed: TlntSvr (Telnet) >> Services: potentially dangerous service allowed: Messenger (Messenger) >> Services: potentially dangerous service allowed: Alerter (Alerter) >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> Service termination timeout is out of admissible values >> HDD autorun is allowed >> Network drives autorun is allowed >> Removable media autorun is allowed Checking - complete Files scanned: 465, extracted from archives: 0, malicious software found 0, suspicions - 0 Scanning finished at 11/09/2009 7:43:59 PM Time of scanning: 00:00:45 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Remove traces of deleted files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Messenger (Messenger)
Performance tweaking: disable service Alerter (Alerter)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	39150	[988] g:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
139	LISTENING	0.0.0.0	61650	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	53	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
1032	LISTENING	0.0.0.0	51428	[1796] g:\program files\ati technologies\ati.ace\cli.exe Script: Quarantine, Delete, Delete via BC, Terminate
1034	ESTABLISHED	127.0.0.1	27015	[1984] g:\utilities\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
1037	LISTENING	0.0.0.0	2085	[4020] g:\program files\ati technologies\ati.ace\cli.exe Script: Quarantine, Delete, Delete via BC, Terminate
1038	LISTENING	0.0.0.0	6156	[4028] g:\program files\ati technologies\ati.ace\cli.exe Script: Quarantine, Delete, Delete via BC, Terminate
1044	CLOSE_WAIT	91.199.212.171	80	[1056] c:\comodo\comodo internet security\cmdagent.exe Script: Quarantine, Delete, Delete via BC, Terminate
1045	CLOSE_WAIT	208.116.56.19	80	[1056] c:\comodo\comodo internet security\cmdagent.exe Script: Quarantine, Delete, Delete via BC, Terminate
5152	LISTENING	0.0.0.0	18499	[564] g:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	LISTENING	0.0.0.0	18580	[228] g:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	ESTABLISHED	127.0.0.1	1034	[2032] g:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	LISTENING	0.0.0.0	18482	[2032] g:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123	LISTENING	--	--	[1124] g:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
123	LISTENING	--	--	[1124] g:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[744] g:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
1025	LISTENING	--	--	[228] g:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[744] g:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
5353	LISTENING	--	--	[228] g:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
62981	LISTENING	--	--	[228] g:\program files\bonjour\mdnsresponder.exe Script: Quarantine, Delete, Delete via BC, Terminate