Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\windows\system32\atservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	1776	AFSS Service	Copyright (C) 2000-2008, AuthenTec. All rights reserved.	??	1641.24 kb, rsAh, created: 19.3.2009 5:48:34, modified: 19.3.2009 5:48:34 Command line: C:\WINDOWS\system32\AtService.exe
c:\program files\alwil software\avast5\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	1988	avast! Service	Copyright (c) 2010 ALWIL Software	??	39.44 kb, rsAh, created: 5.4.2010 14:48:15, modified: 9.3.2010 12:24:08 Command line: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
c:\progra~1\alwils~1\avast5\avastui.exe Script: Quarantine, Delete, Delete via BC, Terminate	3036	avast! Antivirus	Copyright (c) 2010 ALWIL Software	??	2704.43 kb, rsAh, created: 5.4.2010 14:48:15, modified: 9.3.2010 12:24:10 Command line: "C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe" /nogui
c:\program files\thinkpad\bluetooth software\bin\btwdins.exe Script: Quarantine, Delete, Delete via BC, Terminate	340	Bluetooth Support Server	Copyright 2000-2008, Broadcom Corporation.	??	334.59 kb, rsAh, created: 29.5.2008 0:23:00, modified: 29.5.2008 0:23:00 Command line: "C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe"
c:\windows\system32\ccm\ccmexec.exe Script: Quarantine, Delete, Delete via BC, Terminate	3920	CCM Executive	Copyright (C) Microsoft Corporation. 2004	??	565.22 kb, rsAh, created: 9.2.2006 11:50:00, modified: 9.2.2006 11:50:00 Command line: C:\WINDOWS\system32\CCM\CcmExec.exe
c:\windows\system32\dts.exe Script: Quarantine, Delete, Delete via BC, Terminate	1736	Data Transfer Service	©AuthenTec, Inc. All rights reserved.	??	96.00 kb, rsAh, created: 19.3.2009 5:53:02, modified: 19.3.2009 5:53:02 Command line: C:\WINDOWS\system32\DTS.exe
c:\windows\explorer.exe Script: Quarantine, Delete, Delete via BC, Terminate	3444	Windows Explorer	© Microsoft Corporation. All rights reserved.	??	1008.00 kb, rsah, created: 24.9.2009 4:50:45, modified: 4.8.2004 14:00:00 Command line: C:\WINDOWS\Explorer.EXE
c:\windows\temp\fdd447.exe Script: Quarantine, Delete, Delete via BC, Terminate	2732			??	168.07 kb, rsAh, created: 11.4.2010 14:02:58, modified: 7.2.2006 16:10:04 Command line: "C:\WINDOWS\TEMP\FDD447.EXE"
c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe Script: Quarantine, Delete, Delete via BC, Terminate	3056	pdfFactory	Copyright (c) 2001-2005 FinePrint Software, LLC	??	480.00 kb, rsAh, created: 8.8.2006 22:08:25, modified: 24.11.2005 11:12:34 Command line: "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKCU
c:\program files\common files\microsoft shared\vs7debug\mdm.exe Script: Quarantine, Delete, Delete via BC, Terminate	2068	Machine Debug Manager	© Microsoft Corporation. All rights reserved.	??	314.57 kb, rsAh, created: 20.6.2003 8:25:00, modified: 20.6.2003 8:25:00 Command line: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
c:\program files\pc connectivity solution\transports\nclbcbtsrv.exe Script: Quarantine, Delete, Delete via BC, Terminate	4424	Broadcomm Bluetooth Media Server	Copyright (c) 2007 - 2009 Nokia. All Rights Reserved.	??	156.00 kb, rsAh, created: 29.10.2009 14:03:34, modified: 29.10.2009 14:03:34 Command line: {29CD04CD-A72D-4231-B18B-B84D653A2C05}
c:\program files\thinkpad\utilities\pwmdbsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	3860	PWMDBSVC Module	Copyright 2008	??	92.00 kb, rsah, created: 16.12.2009 13:58:21, modified: 25.9.2008 2:47:00 Command line: "C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE"
c:\program files\common files\research in motion\auto update\rimautoupdate.exe Script: Quarantine, Delete, Delete via BC, Terminate	3052	RIM Auto Update	© 1997-2010 Research In Motion Limited.	??	633.34 kb, rsAh, created: 10.3.2010 22:32:26, modified: 10.3.2010 22:32:26 Command line: "C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" /background
c:\windows\system32\rundll32.exe Script: Quarantine, Delete, Delete via BC, Terminate	2024	Run a DLL as an App	© Microsoft Corporation. All rights reserved.	??	32.50 kb, rsAh, created: 24.9.2009 4:51:25, modified: 4.8.2004 14:00:00 Command line: "C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, Delete via BC, Terminate	1236	Spooler SubSystem App	© Microsoft Corporation. All rights reserved.	??	56.50 kb, rsah, created: 24.9.2009 4:51:29, modified: 11.6.2005 1:53:32 Command line: C:\WINDOWS\system32\spoolsv.exe
c:\program files\trend micro\officescan client\tmlisten.exe Script: Quarantine, Delete, Delete via BC, Terminate	3288		Copyright (C) 1998-2006 Trend Micro Incorporated. All rights reserved.	??	600.09 kb, rsAh, created: 7.2.2006 15:48:52, modified: 7.2.2006 15:48:52 Command line: "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
c:\program files\lenovo\npdirect\tpfnf7sp.exe Script: Quarantine, Delete, Delete via BC, Terminate	2136	Presentation Director Fn+F7 handler	Copyright (C) Lenovo 2006.	??	58.78 kb, rsah, created: 16.12.2009 13:58:34, modified: 31.7.2008 5:01:00 Command line: "C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" /r
c:\windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC, Terminate	1460	Windows NT Logon Application	© Microsoft Corporation. All rights reserved.	??	490.50 kb, rsah, created: 24.9.2009 4:51:39, modified: 4.8.2004 14:00:00 Command line: winlogon.exe
Detected:68, recognized as trusted 59

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Alwil Software\Avast5\1029\Base.dll Script: Quarantine, Delete, Delete via BC	1711800320	avast! Czech Basic Module	Copyright (c) 2010 ALWIL Software	--	1988, 3036
C:\Program Files\Alwil Software\Avast5\defs\10041001\algo.dll Script: Quarantine, Delete, Delete via BC	1665138688			--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswCmnBS.dll Script: Quarantine, Delete, Delete via BC	1678245888	Common functions	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswCmnIS.dll Script: Quarantine, Delete, Delete via BC	1678770176	Antivirus independent functions	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswCmnOS.dll Script: Quarantine, Delete, Delete via BC	1677721600	Antivirus HW dependent library	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswEngin.dll Script: Quarantine, Delete, Delete via BC	1680080896	High level antivirus engine	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswScan.dll Script: Quarantine, Delete, Delete via BC	1679818752	Low level antivirus engine	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\algo.dll Script: Quarantine, Delete, Delete via BC	130285568			--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswCmnBS.dll Script: Quarantine, Delete, Delete via BC	128712704	Common functions	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswCmnIS.dll Script: Quarantine, Delete, Delete via BC	90767360	Antivirus independent functions	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswCmnOS.dll Script: Quarantine, Delete, Delete via BC	90570752	Antivirus HW dependent library	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswEngin.dll Script: Quarantine, Delete, Delete via BC	127533056	High level antivirus engine	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswScan.dll Script: Quarantine, Delete, Delete via BC	104005632	Low level antivirus engine	Copyright (c) 2010 ALWIL Software	--	1988
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL Script: Quarantine, Delete, Delete via BC	1364721664	Active Debugging Proxy/Stub	© Microsoft Corporation. All rights reserved.	--	2068
C:\Program Files\Common Files\Research In Motion\Auto Update\AutoUpdateRes1029.dll Script: Quarantine, Delete, Delete via BC	268435456	RIM Auto Update	© 1997-2010 Research In Motion Limited.	--	3052
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe Script: Quarantine, Delete, Delete via BC	4194304	RIM Auto Update	© 1997-2010 Research In Motion Limited.	??	3052
C:\Program Files\Internet Explorer\mui\0405\browselc.dll Script: Quarantine, Delete, Delete via BC	1916862464	Shell Browser UI Library	© Microsoft Corporation. Vљechna prбva vyhrazena.	--	3444
C:\Program Files\Lenovo Fingerprint Software\ATCSSINT.DLL Script: Quarantine, Delete, Delete via BC	17301504	Fingerprint Authentication Interfaces	(C) AuthenTec Inc. All rights reserved.	--	1460
C:\Program Files\Lenovo Fingerprint Software\FPResource.dll Script: Quarantine, Delete, Delete via BC	21233664	Multilingual Resource Dynamic Link Library	© AuthenTec, Inc. All rights reserved.	--	1460
C:\Program Files\Lenovo Fingerprint Software\SharedResources.dll Script: Quarantine, Delete, Delete via BC	15925248	Fingerprint Shared Resources Dynamic Link Library	Copyright (C) 2006	--	1460
C:\Program Files\Lenovo\NPDIRECT\tpfnf7.dll Script: Quarantine, Delete, Delete via BC	11403264	Presentation Director Fn+F7 handler	Copyright (C) Lenovo 2006.	--	2136
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe Script: Quarantine, Delete, Delete via BC	4194304	Presentation Director Fn+F7 handler	Copyright (C) Lenovo 2006.	??	2136
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe Script: Quarantine, Delete, Delete via BC	4194304	Bluetooth Support Server	Copyright 2000-2008, Broadcom Corporation.	??	340
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE Script: Quarantine, Delete, Delete via BC	4194304	PWMDBSVC Module	Copyright 2008	??	3860
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe Script: Quarantine, Delete, Delete via BC	4194304		Copyright (C) 1998-2006 Trend Micro Incorporated. All rights reserved.	??	3288
C:\PROGRA~1\ALWILS~1\Avast5\1029\UILangRes.dll Script: Quarantine, Delete, Delete via BC	1712062464	UILangRes	Copyright (c) 2010 ALWIL Software	--	3036
C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL Script: Quarantine, Delete, Delete via BC	47579136			--	3444, 3860, 2024
C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL Script: Quarantine, Delete, Delete via BC	45940736	ThinkPad Power Manager Background Monitor and Tray Battery Gauge	Copyright (C) Lenovo 2005,2007.	--	3444, 2024
C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL Script: Quarantine, Delete, Delete via BC	47513600			--	3444, 2024
C:\WINDOWS\system32\AFSSClientLib.dll Script: Quarantine, Delete, Delete via BC	26148864	AFSS Client Library	Copyright (C) 2000-2008, AuthenTec. All rights reserved.	--	1460
C:\WINDOWS\system32\ATGinaHook.dll Script: Quarantine, Delete, Delete via BC	268435456	Fingerprint system pass-through GINA	Copyright (C) 2009 AuthenTec Inc.	--	1460
C:\WINDOWS\system32\AtService.exe Script: Quarantine, Delete, Delete via BC	4194304	AFSS Service	Copyright (C) 2000-2008, AuthenTec. All rights reserved.	??	1776
C:\WINDOWS\system32\bthcrp.dll Script: Quarantine, Delete, Delete via BC	15532032	bthcrp DLL	Copyright 2000-2008, Broadcom Corporation.	--	1236
C:\WINDOWS\system32\CCM\ccmhttp.dll Script: Quarantine, Delete, Delete via BC	404160512	CCM HTTP Services	Copyright (C) Microsoft Corporation. 2004	--	3920
C:\WINDOWS\system32\DTS.exe Script: Quarantine, Delete, Delete via BC	4194304	Data Transfer Service	©AuthenTec, Inc. All rights reserved.	??	1736
C:\WINDOWS\system32\FpWinLogonNp.dll Script: Quarantine, Delete, Delete via BC	29229056	Fingerprint Winlogon Dynamic Link Library	©AuthenTec, Inc. All rights reserved.	--	1460
C:\WINDOWS\system32\lmdimon.dll Script: Quarantine, Delete, Delete via BC	12910592	Microsoft® Live Meeting	Copyright (C) Microsoft Corp. 2001-2004	--	1236
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe Script: Quarantine, Delete, Delete via BC	553648128	pdfFactory	Copyright (c) 2001-2005 FinePrint Software, LLC	??	3056
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppgraf2.dll Script: Quarantine, Delete, Delete via BC	603979776	pdfFactory	Copyright (c) 2001-2005 FinePrint Software, LLC	--	3056
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppint2.dll Script: Quarantine, Delete, Delete via BC	620756992	pdfFactory	Copyright (c) 2001-2005 FinePrint Software, LLC	--	3056
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppr232.dll Script: Quarantine, Delete, Delete via BC	1090519040	pdfFactory	Copyright (c) 2001-2005 FinePrint Software, LLC	--	3056
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\lmdippr.dll Script: Quarantine, Delete, Delete via BC	16711680	Microsoft® Live Meeting	Copyright (C) Microsoft Corp. 2001-2004	--	1236
C:\WINDOWS\system32\wbtapi.dll Script: Quarantine, Delete, Delete via BC	268435456	WBTApi DLL	Copyright 2000-2008, Broadcom Corporation.	--	4424, 1236
C:\WINDOWS\system32\WidcommSdk.dll Script: Quarantine, Delete, Delete via BC	21037056	WidcommSdk DLL	Copyright 2000-2008, Broadcom Corporation.	--	1236
C:\WINDOWS\TEMP\FDD447.EXE Script: Quarantine, Delete, Delete via BC	4194304			??	2732
Modules found:533, recognized as trusted 488

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, Delete via BC	AC4C9000	0DA000 (892928)
spfs.sys Script: Quarantine, Delete, Delete via BC	B9EB4000	0F3000 (995328)
C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys Script: Quarantine, Delete, Delete via BC	B8D9F000	005000 (20480)	ThinkPad Hotkey Driver	(C) Lenovo 2005-2008, (C) IBM Corporation 1999-2005.
Modules found - 215, recognized as trusted - 212

Services

Service	Description	Status	File	Group	Dependencies
ATService Service: Stop, Delete, Disable	AuthenTec Fingerprint Service	Running	C:\WINDOWS\system32\AtService.exe Script: Quarantine, Delete, Delete via BC	Pointer Class
btwdins Service: Stop, Delete, Disable	Bluetooth Service	Running	C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe Script: Quarantine, Delete, Delete via BC	PlugPlay
dtsvc Service: Stop, Delete, Disable	Data Transfer Service	Running	C:\WINDOWS\system32\DTS.exe Script: Quarantine, Delete, Delete via BC	Base
Power Manager DBC Service Service: Stop, Delete, Disable	Power Manager DBC Service	Running	C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE Script: Quarantine, Delete, Delete via BC		RPCSS
tmlisten Service: Stop, Delete, Disable	OfficeScanNT Listener	Running	C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe Script: Quarantine, Delete, Delete via BC
ADMonitor Service: Stop, Delete, Disable	AD Monitor	Not started	C:\WINDOWS\system32\ADMonitor.exe Script: Quarantine, Delete, Delete via BC	Base
FingerprintServer Service: Stop, Delete, Disable	Fingerprint Server	Not started	C:\WINDOWS\system32\FpLogonServ.exe Script: Quarantine, Delete, Delete via BC	Pointer Class
Roxio UPnP Renderer 9 Service: Stop, Delete, Disable	Roxio UPnP Renderer 9	Not started	C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe Script: Quarantine, Delete, Delete via BC
Roxio Upnp Server 9 Service: Stop, Delete, Disable	Roxio Upnp Server 9	Not started	C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe Script: Quarantine, Delete, Delete via BC
RoxLiveShare9 Service: Stop, Delete, Disable	LiveShare P2P Server 9	Not started	C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe Script: Quarantine, Delete, Delete via BC		RPCSS
RoxMediaDB9 Service: Stop, Delete, Disable	RoxMediaDB9	Not started	C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe Script: Quarantine, Delete, Delete via BC
RoxWatch9 Service: Stop, Delete, Disable	Roxio Hard Drive Watcher 9	Not started	C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe Script: Quarantine, Delete, Delete via BC
Detected - 120, recognized as trusted - 108

Drivers

Service	Description	Status	File	Group	Dependencies
sptd Driver: Unload, Delete, Disable	sptd	Running	C:\WINDOWS\System32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
TPHKDRV Driver: Unload, Delete, Disable	TPHKDRV	Running	C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys Script: Quarantine, Delete, Delete via BC
Abiosdsk Driver: Unload, Delete, Disable	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
Atdisk Driver: Unload, Delete, Disable	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
catchme Driver: Unload, Delete, Disable	catchme	Not started	C:\DOCUME~1\ROBERT~1.JAN\LOCALS~1\Temp\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
Changer Driver: Unload, Delete, Disable	Changer	Not started	Changer.sys Script: Quarantine, Delete, Delete via BC	Filter
lbrtfdc Driver: Unload, Delete, Disable	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
PCIDump Driver: Unload, Delete, Disable	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, Delete via BC	PCI Configuration
PDCOMP Driver: Unload, Delete, Disable	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, Delete via BC
PDFRAME Driver: Unload, Delete, Disable	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, Delete via BC
PDRELI Driver: Unload, Delete, Disable	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, Delete via BC
PDRFRAME Driver: Unload, Delete, Disable	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, Delete via BC
prepdrvr Driver: Unload, Delete, Disable	SMS Process Event Driver	Not started	C:\WINDOWS\system32\CCM\prepdrv.sys Script: Quarantine, Delete, Delete via BC
Simbad Driver: Unload, Delete, Disable	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, Delete via BC	Filter
WDICA Driver: Unload, Delete, Disable	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, Delete via BC
Detected - 251, recognized as trusted - 236

Autoruns

File name	Status	Startup method	Description
ATGinaHook.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, GinaDLL
C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\RapidShareManager.exe Script: Quarantine, Delete, Delete via BC	Active	File in Startup folder	C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\RapidShareManager.exe,
C:\Documents and Settings\robert.janota\Local Settings\Temp\NEventMessages.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia Software Installer, EventMessageFile Delete
C:\Jean\jean.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\JEAN.lnk,
C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, PWRMGRTR Delete
C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 6 FREE.lnk,
C:\Program Files\Bonjour\mDNSResponder.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service, EventMessageFile Delete
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BlackBerryAutoUpdate Delete
C:\Program Files\Essentials Codec Pack\update.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Media Codec Update Service Delete
C:\Program Files\Lenovo Fingerprint Software\fpapp.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, FingerPrintSoftware Delete
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TPFNF7 Delete
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Synchronize, EventMessageFile Delete
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Manager.lnk,
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\BlackBerry Desktop Manager.lnk,
C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\RIMDeviceFileAccess, EventMessageFile Delete
C:\Program Files\Zoner\Photo Studio 9\Program\Zps9.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\Zoner Photo Studio 9.lnk,
C:\Program Files\pdaBusiness\Qlock\Qlock.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Qlock.lnk,
C:\WINDOWS\Installer\{075F852B-6A58-44D0-A46F-81B13589C637}\Icon075F852B.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Translator 2004.lnk,
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile Delete
C:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
C:\WINDOWS\System32\igmpv2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile Delete
C:\WINDOWS\System32\ipbootp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile Delete
C:\WINDOWS\System32\iprip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile Delete
C:\WINDOWS\System32\ospf.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile Delete
C:\WINDOWS\System32\ospfmib.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile Delete
C:\WINDOWS\System32\polagent.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile Delete
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, pdfFactory Pro Dispatcher v2 Delete
C:\WINDOWS\System32\tssdis.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile Delete
C:\WINDOWS\system Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ATService, EventMessageFile Delete
C:\WINDOWS\system32\FpWinLogonNp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATFUS, DLLName Delete
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\dfrg.msc %c: Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath,
C:\WINDOWS\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile Delete
SDEvents.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile Delete
kbd101.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN Delete
kbd101a.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items found - 631, recognized as trusted - 584

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\TRANSLAT\WEBIE.DL_ Script: Quarantine, Delete, Delete via BC	Toolbar	WebTranslator Module	Copyright 2002	{BFC32E1D-EE75-4A48-BC60-104E11EE2431} Delete
	Toolbar			{855F3B16-6D32-4FE6-8A56-BBB695989046} Delete
C:\TRANSLAT\WEBIE.DL_ Script: Quarantine, Delete, Delete via BC	Extension module	WebTranslator Module	Copyright 2002	{BFC32E1D-EE75-4A48-BC60-104E11EE2431} Delete
C:\TRANSLAT\WEBIE.DL_ Script: Quarantine, Delete, Delete via BC	Extension module	WebTranslator Module	Copyright 2002	{CC963627-B1DC-40E0-B52A-CF21EE748450} Delete
C:\TRANSLAT\WEBIE.DL_ Script: Quarantine, Delete, Delete via BC	Extension module	WebTranslator Module	Copyright 2002	{CC963627-B1DC-40E0-B52A-CF21EE748451} Delete
C:\TRANSLAT\WEBIE.DL_ Script: Quarantine, Delete, Delete via BC	Extension module	WebTranslator Module	Copyright 2002	{CC963627-B1DC-40E0-B52A-CF21EE748452} Delete
C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm Script: Quarantine, Delete, Delete via BC	Extension module			{CCA281CA-C863-46ef-9331-5C8D4460577F} Delete
	URLSearchHook			{855F3B16-6D32-4fe6-8A56-BBB695989046} Delete
Items found - 17, recognized as trusted - 9

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, Delete via BC	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Encryption Context Menu			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Taskbar and Start Menu			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Script: Quarantine, Delete, Delete via BC	Autoplay for SlideShow			{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Delete
	User Accounts			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete

C:\WINDOWS\system32\BTNEIG~1.DLL Script: Quarantine, Delete, Delete via BC	My Bluetooth Places	BTNeighborhood DLL	Copyright 2000-2008, Broadcom Corporation.	{6af09ec9-b429-11d4-a1fb-0090960218cb} Delete
C:\WINDOWS\system32\btncopy.dll Script: Quarantine, Delete, Delete via BC	Monitor	BTNCopy Module	Copyright 2000-2008, Broadcom Corporation.	{7842554E-6BED-11D2-8CDB-B05550C10000} Delete
	Microsoft Office Metadata Handler			{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} Delete
	Microsoft Office Thumbnail Handler			{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} Delete
	IE User Assist			{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} Delete
Items found - 220, recognized as trusted - 208

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
C:\WINDOWS\system32\lmdimon.dll Script: Quarantine, Delete, Delete via BC	Monitor	Microsoft Office Live Meeting Document Writer Monitor	Microsoft® Live Meeting	Copyright (C) Microsoft Corp. 2001-2004
C:\WINDOWS\system32\bthcrp.dll Script: Quarantine, Delete, Delete via BC	Monitor	Port tiskбrny Bluetooth	bthcrp DLL	Copyright 2000-2008, Broadcom Corporation.
Items found - 13, recognized as trusted - 11

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE Script: Quarantine, Delete, Delete via BC	PMTask.job	The task will not run at the scheduled times because it has been disabled.
Items found - 4, recognized as trusted - 3

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 3, recognized as trusted - 3

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 23, recognized as trusted - 23
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 18636 [1912] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 38974 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
1025 ESTABLISHED 127.0.0.1 5550 [1460] \??\c:\windows\system32\winlogon.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1033 ESTABLISHED 127.0.0.1 27015 [3020] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1068 LISTENING 0.0.0.0 49273 [4192] c:\windows\system32\alg.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5550 LISTENING 0.0.0.0 24789 [1776] c:\windows\system32\atservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5550 ESTABLISHED 127.0.0.1 1025 [1776] c:\windows\system32\atservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 LISTENING 0.0.0.0 24792 [1060] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 ESTABLISHED 127.0.0.1 1033 [1060] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62514 LISTENING 0.0.0.0 8300 [1140] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, Delete via BC, Terminate
65394 LISTENING 0.0.0.0 20716 [3288] c:\program files\trend micro\officescan client\tmlisten.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123 LISTENING -- -- [296] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [1520] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [980] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [1520] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62514 LISTENING -- -- [1140] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 4, recognized as trusted - 4

Control Panel Applets (CPL)

File name Description Manufacturer
C:\WINDOWS\system32\btcpl.cpl
Script: Quarantine, Delete, Delete via BC Bluetooth Control Panel Copyright 2000-2008, Broadcom Corporation.
Items found - 29, recognized as trusted - 28

Active Setup

File name Description Manufacturer CLSID
Items found - 15, recognized as trusted - 15

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 31, recognized as trusted - 28

Suspicious objects

File Description Type
C:\WINDOWS\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook
C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046811.exe
Script: Quarantine, Delete, Delete via BC Suspicion by File scanner Suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960)
C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046813.exe
Script: Quarantine, Delete, Delete via BC Suspicion by File scanner Suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960)

AVZ Antiviral Toolkit log; AVZ version is 4.32 Scanning started at 11.4.2010 14:10:12 Database loaded: signatures - 270034, NN profile(s) - 2, malware removal microprograms - 56, signature database released 10.04.2010 22:53 Heuristic microprograms loaded: 382 PVS microprograms loaded: 9 Digital signatures of system files loaded: 194145 Heuristic analyzer mode: Medium heuristics mode Malware removal mode: enabled Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights System Restore: enabled 1. Searching for Rootkits and other software intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=0846E0) Kernel ntkrnlpa.exe found in memory at address 804D7000 SDT = 8055B6E0 KiST = 80503960 (284) Functions checked: 284, intercepted: 0, restored: 0 1.3 Checking IDT and SYSENTER Analyzing CPU 1 Analyzing CPU 2 CmpCallCallBacks = 00092D3C Disable callback - ??? ??????????????? Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: extended monitoring driver (AVZPM) is not installed Driver loaded successfully 1.5 Checking IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = AC5DFFEE -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted \FileSystem\ntfs[IRP_MJ_CLOSE] = AC5E002E -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted \FileSystem\ntfs[IRP_MJ_WRITE] = AC5E010A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = AC5E014A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A5C91F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 8A5C91F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_CREATE] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_CLOSE] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_WRITE] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_EA] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_EA] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 892191F8 -> hook not defined \FileSystem\FastFat[IRP_MJ_PNP] = 892191F8 -> hook not defined Checking - complete 2. Scanning RAM Number of processes found: 66 Number of modules loaded: 474 Scanning RAM - complete 3. Scanning disks C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046811.exe >>> suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960) C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046813.exe >>> suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960) Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000002.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000004.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000H.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000009.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\000000BX.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000000P.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000005.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000006.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000W.msg Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000003O.msg Direct reading: C:\WINDOWS\system32\drivers\sptd.sys Direct reading: C:\WINDOWS\system32\kbdblrr.dll 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious software Checking - disabled by user 7. Heuristic system check Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry) >> Services: potentially dangerous service allowed: TermService (Terminal Services) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed: TlntSvr (Telnet) >> Services: potentially dangerous service allowed: Schedule (Task Scheduler) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> HDD autorun is allowed >> Network drives autorun is allowed >> Removable media autorun is allowed Checking - complete Files scanned: 173345, extracted from archives: 149714, malicious software found 0, suspicions - 2 Scanning finished at 11.4.2010 14:45:52 Time of scanning: 00:35:41 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Creating archive of files from Quarantine Creating archive of files from Quarantine - complete System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
Remove traces of deleted files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	18636	[1912] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	38974	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
1025	ESTABLISHED	127.0.0.1	5550	[1460] \??\c:\windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC, Terminate
1033	ESTABLISHED	127.0.0.1	27015	[3020] c:\program files\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
1068	LISTENING	0.0.0.0	49273	[4192] c:\windows\system32\alg.exe Script: Quarantine, Delete, Delete via BC, Terminate
5550	LISTENING	0.0.0.0	24789	[1776] c:\windows\system32\atservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
5550	ESTABLISHED	127.0.0.1	1025	[1776] c:\windows\system32\atservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	LISTENING	0.0.0.0	24792	[1060] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	ESTABLISHED	127.0.0.1	1033	[1060] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
62514	LISTENING	0.0.0.0	8300	[1140] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, Delete via BC, Terminate
65394	LISTENING	0.0.0.0	20716	[3288] c:\program files\trend micro\officescan client\tmlisten.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123	LISTENING	--	--	[296] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[1520] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[980] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[1520] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
62514	LISTENING	--	--	[1140] c:\program files\cisco systems\vpn client\cvpnd.exe Script: Quarantine, Delete, Delete via BC, Terminate