Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\progra~1\agnitum\outpos~1\acs.exe Script: Quarantine, Delete, Delete via BC, Terminate	1628	Agnitum Outpost Service	Copyright (C) 1999-2010 Agnitum Ltd.	??	1306.80 kb, rsAh, created: 9.4.2009 7:26:30, modified: 9.2.2010 16:30:00 Command line: C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
c:\windows\system32\alg.exe Script: Quarantine, Delete, Delete via BC, Terminate	3444	Application Layer Gateway Service	© Microsoft Corporation. All rights reserved.	??	43.50 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:10 Command line: C:\WINDOWS\System32\alg.exe
c:\program files\avira\antivir desktop\avgnt.exe Script: Quarantine, Delete, Delete via BC, Terminate	2160	Antivirus System Tray Tool	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	??	276.16 kb, rsAh, created: 28.7.2010 0:11:22, modified: 2.3.2010 11:30:04 Command line: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
c:\program files\avira\antivir desktop\avguard.exe Script: Quarantine, Delete, Delete via BC, Terminate	1644	Antivirus On-Access Service	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	??	261.16 kb, rsAh, created: 28.7.2010 0:11:22, modified: 1.4.2010 13:34:01 Command line: "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
c:\program files\avira\antivir desktop\avmailc.exe Script: Quarantine, Delete, Delete via BC, Terminate	2640	Antivirus MailScanner Service	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	??	329.16 kb, rsAh, created: 28.7.2010 0:11:22, modified: 30.3.2010 12:40:18 Command line: "C:\Program Files\Avira\AntiVir Desktop\avmailc.exe"
c:\program files\avira\antivir desktop\avshadow.exe Script: Quarantine, Delete, Delete via BC, Terminate	1764	AntiVir shadow copy service	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	??	75.16 kb, rsAh, created: 28.7.2010 0:11:22, modified: 14.1.2010 22:12:21 Command line: "C:\Program Files\Avira\AntiVir Desktop\avshadow.exe" avshadowcontrol0_0000066c
c:\program files\avira\antivir desktop\avwebgrd.exe Script: Quarantine, Delete, Delete via BC, Terminate	2676	AntiVir WebGuard Service	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	??	396.16 kb, rsAh, created: 28.7.2010 0:11:23, modified: 1.4.2010 13:41:48 Command line: "C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE"
c:\program files\ati technologies\ati.ace\core-static\ccc.exe Script: Quarantine, Delete, Delete via BC, Terminate	3896	Catalyst Control Centre: Host application	2002-2006	??	48.00 kb, rsAh, created: 17.7.2007 11:13:34, modified: 17.7.2007 11:13:34 Command line: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe" 0
c:\windows\explorer.exe Script: Quarantine, Delete, Delete via BC, Terminate	1056	Prщzkumnнk Windows	© Microsoft Corporation. Vљechna prбva vyhrazena.	??	1010.00 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:24 Command line: C:\WINDOWS\Explorer.EXE
c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, Delete via BC, Terminate	1788	Java(TM) Quick Starter Service	Copyright © 2004	??	149.78 kb, rsAh, created: 30.4.2010 12:45:38, modified: 30.4.2010 12:45:38 Command line: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate	804	LSA Shell (Export Version)	© Microsoft Corporation. All rights reserved.	??	13.00 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:30 Command line: C:\WINDOWS\system32\lsass.exe
c:\program files\ati technologies\ati.ace\core-static\mom.exe Script: Quarantine, Delete, Delete via BC, Terminate	2296	Catalyst Control Center: Monitoring program	2002-2007	??	48.00 kb, rsAh, created: 17.7.2007 11:13:56, modified: 17.7.2007 11:13:56 Command line: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE"
c:\progra~1\agnitum\outpos~1\op_mon.exe Script: Quarantine, Delete, Delete via BC, Terminate	2120	Outpost User Interface	Copyright (C) 1999-2010 Agnitum Ltd.	??	2390.13 kb, rsAh, created: 9.4.2009 7:26:30, modified: 9.2.2010 15:30:02 Command line: "C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice
c:\program files\avira\antivir desktop\sched.exe Script: Quarantine, Delete, Delete via BC, Terminate	1516	Antivirus Scheduler	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	??	132.16 kb, rsAh, created: 28.7.2010 0:11:32, modified: 24.2.2010 10:29:26 Command line: "C:\Program Files\Avira\AntiVir Desktop\sched.exe"
c:\program files\microsoft\search enhancement pack\seaport\seaport.exe Script: Quarantine, Delete, Delete via BC, Terminate	1912	Microsoft SeaPort Search Enhancement Broker	© Microsoft Corporation. All rights reserved.	??	243.30 kb, rsAh, created: 14.5.2010 11:00:26, modified: 14.5.2010 11:00:26 Command line: "C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe"
c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate	1132	Generic Host Process for Win32 Services	© Microsoft Corporation. All rights reserved.	??	14.00 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:50 Command line: C:\WINDOWS\system32\svchost -k rpcss
c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate	1196	Generic Host Process for Win32 Services	© Microsoft Corporation. All rights reserved.	??	14.00 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:50 Command line: C:\WINDOWS\System32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate	1300	Generic Host Process for Win32 Services	© Microsoft Corporation. All rights reserved.	??	14.00 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:50 Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService
c:\windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC, Terminate	748	Windows NT Logon Application	© Microsoft Corporation. Vљechna prбva vyhrazena.	??	496.00 kb, rsAh, created: 29.10.2007 14:00:00, modified: 14.4.2008 8:52:54 Command line: winlogon.exe
Detected:37, recognized as trusted 31

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Avira\AntiVir Desktop\aecore.dll Script: Quarantine, Delete, Delete via BC	25690112	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aegen.dll Script: Quarantine, Delete, Delete via BC	35586048	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aehelp.dll Script: Quarantine, Delete, Delete via BC	35258368	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aeheur.dll Script: Quarantine, Delete, Delete via BC	32309248	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aeoffice.dll Script: Quarantine, Delete, Delete via BC	31981568	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aepack.dll Script: Quarantine, Delete, Delete via BC	30998528	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aerdl.dll Script: Quarantine, Delete, Delete via BC	30277632	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aescript.dll Script: Quarantine, Delete, Delete via BC	26214400	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\aevdf.dll Script: Quarantine, Delete, Delete via BC	26017792	AntiVir Engine Module for Windows	Copyright © 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\avsda.dll Script: Quarantine, Delete, Delete via BC	268435456	AntiVir layered service provider	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	--	1628, 3444, 1644, 2640, 2676, 1788, 804, 1912, 1132, 1196, 1300
C:\Program Files\Avira\AntiVir Desktop\avwinll.dll Script: Quarantine, Delete, Delete via BC	55902208	avwinll	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	--	1644
C:\Program Files\Avira\AntiVir Desktop\mgrs.dll Script: Quarantine, Delete, Delete via BC	7405568	AntiVir MailGuard Cache Module	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	--	2640
C:\Program Files\Avira\AntiVir Desktop\rcimage.dll Script: Quarantine, Delete, Delete via BC	23789568	Avira AntiVir Workstation Image Master Resource File (Professional)	Copyright © 2000 - 2010 Avira GmbH. All rights reserved.	--	2160
C:\PROGRA~1\Agnitum\OUTPOS~1\log_converter.dll Script: Quarantine, Delete, Delete via BC	28180480	Log Converter	Copyright (C) 1999-2010 Agnitum Ltd.	--	2120
C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Systemtray.resources\2.0.2813.37069_cs_90ba9c70f846762e\CLI.Component.Systemtray.resources.dll Script: Quarantine, Delete, Delete via BC	97124352	SystemTray Component	2002-2006	--	3896
C:\WINDOWS\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_cs_b77a5c561934e089\mscorlib.resources.dll Script: Quarantine, Delete, Delete via BC	59834368	Knihovna tшнd modulu Microsoft CLR	© Microsoft Corporation. Vљechna prбva vyhrazena.	--	3896, 2296
C:\WINDOWS\assembly\GAC_MSIL\System.resources\2.0.0.0_cs_b77a5c561934e089\System.resources.dll Script: Quarantine, Delete, Delete via BC	67567616	.NET Framework	© Microsoft Corporation. Vљechna prбva vyhrazena.	--	2296
C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_cs_b77a5c561934e089\System.Runtime.Remoting.resources.dll Script: Quarantine, Delete, Delete via BC	75956224	Microsoft .NET Runtime Object Remoting	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms.resources\2.0.0.0_cs_b77a5c561934e089\System.Windows.Forms.resources.dll Script: Quarantine, Delete, Delete via BC	89980928	.NET Framework	© Microsoft Corporation. Vљechna prбva vyhrazena.	--	3896
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7bffd7ff2009f421fe5d229927588496\mscorlib.ni.dll Script: Quarantine, Delete, Delete via BC	2030829568	Microsoft Common Language Runtime Class Library	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\ab688d0f9f333ba117832726bfb589c1\System.Configuration.ni.dll Script: Quarantine, Delete, Delete via BC	1686700032	System.Configuration.dll	© Microsoft Corporation. All rights reserved.	--	3896
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\dcc0244092fe52e6885b50be25ef3b31\System.Drawing.ni.dll Script: Quarantine, Delete, Delete via BC	2061369344	.NET Framework	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\3de39eb60b9d32af46f32f6c7a88fc7f\System.Runtime.Remoting.ni.dll Script: Quarantine, Delete, Delete via BC	1735852032	Microsoft .NET Runtime Object Remoting	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\411a627d6f5cb83509332253406988e5\System.Web.ni.dll Script: Quarantine, Delete, Delete via BC	1710358528	System.Web.dll	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\439c466b60614915587c5273eaf0ca7f\System.Windows.Forms.ni.dll Script: Quarantine, Delete, Delete via BC	2063400960	.NET Framework	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\a6dbe24cbfe3ab6b318ed3095cc572d8\System.Xml.ni.dll Script: Quarantine, Delete, Delete via BC	1668939776	.NET Framework	© Microsoft Corporation. All rights reserved.	--	3896
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\08ffa4d388d5f007869aa7651c458e7c\System.ni.dll Script: Quarantine, Delete, Delete via BC	2051276800	.NET Framework	© Microsoft Corporation. All rights reserved.	--	3896, 2296
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll Script: Quarantine, Delete, Delete via BC	2045181952	Microsoft .NET Runtime Common Language Runtime - WorkStation	© Microsoft Corporation. All rights reserved.	--	3896, 1788, 2296
C:\WINDOWS\system32\WgaLogon.dll Script: Quarantine, Delete, Delete via BC	35323904	Windows Genuine Advantage Notification	© 1995-2008 Microsoft Corporation	--	748
E:\Program Files\Zoner\Photo Studio 10\Program\SHELLEXT.DLL Script: Quarantine, Delete, Delete via BC	41156608	Zoner Photo Studio 10	Copyright © 1995-2007	--	1056
Modules found:513, recognized as trusted 483

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\system32\DRIVERS\avipbb.sys Script: Quarantine, Delete, Delete via BC	BA4AA000	022000 (139264)	Avira Driver for Security Enhancement	Copyright © 1996-2009 Avira GmbH. All rights reserved.
C:\WINDOWS\system32\Drivers\hotcore2.sys Script: Quarantine, Delete, Delete via BC	F8D84000	004000 (16384)	Hotbackup helper driver	Copyright (C) Paragon Software Group 2003
C:\WINDOWS\system32\DRIVERS\StarPortLite.sys Script: Quarantine, Delete, Delete via BC	F816C000	015000 (86016)	StarPort Storage Controller Lite	Copyright (c) 2001-2007 Rocket Division Software. All rights reserved.
Modules found - 138, recognized as trusted - 135

Services

Service	Description	Status	File	Group	Dependencies
AntiVirMailService Service: Stop, Delete, Disable, Delete via BC	Avira AntiVir MailGuard	Running	C:\Program Files\Avira\AntiVir Desktop\avmailc.exe Script: Quarantine, Delete, Delete via BC		AntiVirService
AntiVirSchedulerService Service: Stop, Delete, Disable, Delete via BC	Avira AntiVir Scheduler	Running	C:\Program Files\Avira\AntiVir Desktop\sched.exe Script: Quarantine, Delete, Delete via BC	NetworkProvider
AntiVirService Service: Stop, Delete, Disable, Delete via BC	Avira AntiVir Guard	Running	C:\Program Files\Avira\AntiVir Desktop\avguard.exe Script: Quarantine, Delete, Delete via BC
AntiVirWebService Service: Stop, Delete, Disable, Delete via BC	Avira AntiVir WebGuard	Running	C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE Script: Quarantine, Delete, Delete via BC		AntiVirService
Detected - 105, recognized as trusted - 101

Drivers

Service	Description	Status	File	Group	Dependencies
avipbb Driver: Unload, Delete, Disable, Delete via BC	avipbb	Running	C:\WINDOWS\system32\DRIVERS\avipbb.sys Script: Quarantine, Delete, Delete via BC
hotcore2 Driver: Unload, Delete, Disable, Delete via BC	hotcore2	Running	C:\WINDOWS\system32\drivers\hotcore2.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
StarPortLite Driver: Unload, Delete, Disable, Delete via BC	StarPort Storage Controller (Lite)	Running	C:\WINDOWS\system32\DRIVERS\StarPortLite.sys Script: Quarantine, Delete, Delete via BC
Abiosdsk Driver: Unload, Delete, Disable, Delete via BC	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
abp480n5 Driver: Unload, Delete, Disable, Delete via BC	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
adpu160m Driver: Unload, Delete, Disable, Delete via BC	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Aha154x Driver: Unload, Delete, Disable, Delete via BC	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable, Delete via BC	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
aic78xx Driver: Unload, Delete, Disable, Delete via BC	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
AliIde Driver: Unload, Delete, Disable, Delete via BC	AliIde	Not started	AliIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
amsint Driver: Unload, Delete, Disable, Delete via BC	amsint	Not started	amsint.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc Driver: Unload, Delete, Disable, Delete via BC	asc	Not started	asc.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc3350p Driver: Unload, Delete, Disable, Delete via BC	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
asc3550 Driver: Unload, Delete, Disable, Delete via BC	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Atdisk Driver: Unload, Delete, Disable, Delete via BC	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, Delete via BC	Primary disk
catchme Driver: Unload, Delete, Disable, Delete via BC	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
cd20xrnt Driver: Unload, Delete, Disable, Delete via BC	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Changer Driver: Unload, Delete, Disable, Delete via BC	Changer	Not started	Changer.sys Script: Quarantine, Delete, Delete via BC	Filter
CmdIde Driver: Unload, Delete, Disable, Delete via BC	CmdIde	Not started	CmdIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
cmuda3 Driver: Unload, Delete, Disable, Delete via BC	C-Media PCI Audio Interface	Not started	C:\WINDOWS\system32\drivers\cmuda3.sys Script: Quarantine, Delete, Delete via BC
Cpqarray Driver: Unload, Delete, Disable, Delete via BC	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
dac960nt Driver: Unload, Delete, Disable, Delete via BC	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
dpti2o Driver: Unload, Delete, Disable, Delete via BC	dpti2o	Not started	dpti2o.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
hpn Driver: Unload, Delete, Disable, Delete via BC	hpn	Not started	hpn.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
i2omgmt Driver: Unload, Delete, Disable, Delete via BC	i2omgmt	Not started	i2omgmt.sys Script: Quarantine, Delete, Delete via BC	SCSI Class
i2omp Driver: Unload, Delete, Disable, Delete via BC	i2omp	Not started	i2omp.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ini910u Driver: Unload, Delete, Disable, Delete via BC	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
IntelIde Driver: Unload, Delete, Disable, Delete via BC	IntelIde	Not started	IntelIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
Lbd Driver: Unload, Delete, Disable, Delete via BC	Lbd	Not started	C:\WINDOWS\system32\DRIVERS\Lbd.sys Script: Quarantine, Delete, Delete via BC	FSFilter Activity Monitor	FltMgr
lbrtfdc Driver: Unload, Delete, Disable, Delete via BC	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
mraid35x Driver: Unload, Delete, Disable, Delete via BC	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
PCIDump Driver: Unload, Delete, Disable, Delete via BC	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, Delete via BC	PCI Configuration
PCIIde Driver: Unload, Delete, Disable, Delete via BC	PCIIde	Not started	PCIIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
PDCOMP Driver: Unload, Delete, Disable, Delete via BC	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, Delete via BC
PDFRAME Driver: Unload, Delete, Disable, Delete via BC	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, Delete via BC
PDRELI Driver: Unload, Delete, Disable, Delete via BC	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, Delete via BC
PDRFRAME Driver: Unload, Delete, Disable, Delete via BC	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, Delete via BC
perc2 Driver: Unload, Delete, Disable, Delete via BC	perc2	Not started	perc2.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
perc2hib Driver: Unload, Delete, Disable, Delete via BC	perc2hib	Not started	perc2hib.sys Script: Quarantine, Delete, Delete via BC	Filter
ql1080 Driver: Unload, Delete, Disable, Delete via BC	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable, Delete via BC	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql12160 Driver: Unload, Delete, Disable, Delete via BC	ql12160	Not started	ql12160.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql1240 Driver: Unload, Delete, Disable, Delete via BC	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
ql1280 Driver: Unload, Delete, Disable, Delete via BC	ql1280	Not started	ql1280.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
Simbad Driver: Unload, Delete, Disable, Delete via BC	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, Delete via BC	Filter
Sparrow Driver: Unload, Delete, Disable, Delete via BC	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
sptd Driver: Unload, Delete, Disable, Delete via BC	sptd	Not started	C:\WINDOWS\system32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
sym_hi Driver: Unload, Delete, Disable, Delete via BC	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
sym_u3 Driver: Unload, Delete, Disable, Delete via BC	sym_u3	Not started	sym_u3.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
symc810 Driver: Unload, Delete, Disable, Delete via BC	symc810	Not started	symc810.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
symc8xx Driver: Unload, Delete, Disable, Delete via BC	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
TosIde Driver: Unload, Delete, Disable, Delete via BC	TosIde	Not started	TosIde.sys Script: Quarantine, Delete, Delete via BC	System Bus Extender
ultra Driver: Unload, Delete, Disable, Delete via BC	ultra	Not started	ultra.sys Script: Quarantine, Delete, Delete via BC	SCSI miniport
usbbus Driver: Unload, Delete, Disable, Delete via BC	LGE CDMA Composite USB Device	Not started	C:\WINDOWS\system32\DRIVERS\lgusbbus.sys Script: Quarantine, Delete, Delete via BC	Base
UsbDiag Driver: Unload, Delete, Disable, Delete via BC	LGE CDMA USB Serial Port	Not started	C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys Script: Quarantine, Delete, Delete via BC
USBModem Driver: Unload, Delete, Disable, Delete via BC	LGE CDMA USB Modem	Not started	C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys Script: Quarantine, Delete, Delete via BC
WDICA Driver: Unload, Delete, Disable, Delete via BC	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, Delete via BC
Detected - 198, recognized as trusted - 141

Autoruns

File name	Status	Startup method	Description
C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, Avira AntiVir Personal – Free Antivirus Delete
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Outpost Firewall Pro, EventMessageFile
C:\Program Files\Ashampoo\Ashampoo Burning Studio 2009 Advanced\burningstudio2009advanced.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 2009 Advanced.lnk,
C:\Program Files\Avira\AntiVir Desktop\avevtrc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Avira AntiVir, EventMessageFile
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, avgnt Delete
C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardevt.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\H+BEDV AntiVir, EventMessageFile
C:\Program Files\Mozilla Firefox\firefox.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk,
C:\Program Files\Opera\opera.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\Opera.lnk,
C:\Program Files\Seagate\DiscWizard\tishell.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {C539A15A-3AF9-4c92-B771-50CB78F5C751} Delete
C:\Program Files\Seagate\DiscWizard\tishell.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {C539A15B-3AF9-4c92-B771-50CB78F5C751} Delete
C:\Program Files\Windows Live\Messenger\msnmsgr.exe Script: Quarantine, Delete, Delete via BC	Disabled	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run-, msnmsgr Delete
C:\Program Files\rajce\rajce.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\rajиe.lnk,
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cs\aspnet_rc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ASP.NET 2.0.50727.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\CardSpace 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft.Transactions.Bridge 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ServiceModel Audit 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System.IdentityModel 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System.IO.Log 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System.Runtime.Serialization 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System.ServiceModel 3.0.0.0, EventMessageFile
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SMSvcHost 3.0.0.0, EventMessageFile
C:\WINDOWS\System32\Drivers\AliIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\aliide, EventMessageFile
C:\WINDOWS\System32\Drivers\CmdIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cmdide, EventMessageFile
C:\WINDOWS\System32\Drivers\IntelIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide, EventMessageFile
C:\WINDOWS\System32\Drivers\PciIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\pciide, EventMessageFile
C:\WINDOWS\System32\Drivers\TosIde.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\toside, EventMessageFile
C:\WINDOWS\System32\Drivers\lbrtfdc.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\drivers\StarPortLite.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\StarPortLite, EventMessageFile
C:\WINDOWS\System32\drivers\ati2erec.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ati2mtag, EventMessageFile
C:\WINDOWS\System32\drivers\avipbb.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\avipbb, EventMessageFile
C:\WINDOWS\System32\hidserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll Delete
C:\WINDOWS\system32\MsSip1.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL Delete
C:\WINDOWS\system32\MsSip2.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL Delete
C:\WINDOWS\system32\MsSip3.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL Delete
C:\WINDOWS\system32\icardres.dll.mui Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\CardSpace 3.0.0.0, EventMessageFile
C:\WINDOWS\system32\stisvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
E:\Program Files\Zoner\Photo Studio 10\Program\Zps.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\Administrator\Data aplikacн\Microsoft\Internet Explorer\Quick Launch\Zoner Photo Studio 10.lnk,
WgaLogon.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon, DLLName Delete
deskpan.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB Delete
mvfs32.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Control Panel\IOProcs, MVB Delete
vgafix.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items found - 924, recognized as trusted - 877

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	BHO			{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} Delete
	Extension module			{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} Delete
	Extension module			{44627E97-789B-40d4-B5C2-58BD171129A1} Delete
Items found - 19, recognized as trusted - 16

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, Delete via BC	Rozљншenн panelu Zobrazenн pro panoramatickй zobrazenн			{42071714-76d4-11d1-8b24-00a0c9068ff3} Delete
	Rozљншenн prostшedн pro kompresi souborщ			{764BF0E1-F219-11ce-972D-00AA00A14F56} Delete
	Kontextovб nabнdka љifrovбnн			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} Delete
	Hlavnн panel a nabнdka Start			{0DF44EAA-FF21-4412-828E-260A8728E7F1} Delete
	Uћivatelskй ъиty			{7A9D77BD-5403-11d2-8785-2E0420524153} Delete
	Microsoft Browser Architecture			{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} Delete
	IE User Assist			{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} Delete
C:\Program Files\Seagate\DiscWizard\tishell.dll Script: Quarantine, Delete, Delete via BC	Acronis True Image Shell Context Menu Extension	Seagate DiscWizard Shell Extensions	Copyright (C) Acronis, 2000-2006.	{C539A15A-3AF9-4c92-B771-50CB78F5C751} Delete
C:\Program Files\Seagate\DiscWizard\tishell.dll Script: Quarantine, Delete, Delete via BC	Acronis True Image Shell Extension	Seagate DiscWizard Shell Extensions	Copyright (C) Acronis, 2000-2006.	{C539A15B-3AF9-4c92-B771-50CB78F5C751} Delete
C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Autoplay Drop Target	Windows Live Fotogalerie	© 2008 Microsoft Corporation. Vљechna prбva vyhrazena.	{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} Delete
C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Viewer Drop Target	Windows Live Fotogalerie	© 2008 Microsoft Corporation. Vљechna prбva vyhrazena.	{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} Delete
C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Editor Drop Target	Windows Live Fotogalerie	© 2008 Microsoft Corporation. Vљechna prбva vyhrazena.	{00F374B7-B390-4884-B372-2FC349F2172B} Delete
	Zaшнzenн technologie UPnP			{e57ce731-33e8-4c51-8354-bb4de9d215d1} Delete
"C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" Script: Quarantine, Delete, Delete via BC	ColumnHandler			{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} Delete
Items found - 232, recognized as trusted - 218

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Items found - 8, recognized as trusted - 8

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
Items found - 1, recognized as trusted - 1

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 3, recognized as trusted - 3

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
AVSDA over [MSAFD Tcpip [TCP/IP]] C:\Program Files\Avira\AntiVir Desktop\avsda.dll
Script: Quarantine, Delete, Delete via BC Copyright © 2000 - 2010 Avira GmbH. All rights reserved.
AVSDA over [MSAFD Tcpip [UDP/IP]] C:\Program Files\Avira\AntiVir Desktop\avsda.dll
Script: Quarantine, Delete, Delete via BC Copyright © 2000 - 2010 Avira GmbH. All rights reserved.
AVSDA C:\Program Files\Avira\AntiVir Desktop\avsda.dll
Script: Quarantine, Delete, Delete via BC Copyright © 2000 - 2010 Avira GmbH. All rights reserved.
Detected - 16, recognized as trusted - 13
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 38990 [1132] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 32874 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
1026 LISTENING 0.0.0.0 57561 [3444] c:\windows\system32\alg.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5152 LISTENING 0.0.0.0 8252 [1788] c:\program files\java\jre6\bin\jqs.exe
Script: Quarantine, Delete, Delete via BC, Terminate
44080 LISTENING 0.0.0.0 47122 [2676] c:\program files\avira\antivir desktop\avwebgrd.exe
Script: Quarantine, Delete, Delete via BC, Terminate
44110 LISTENING 0.0.0.0 47233 [2640] c:\program files\avira\antivir desktop\avmailc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123 LISTENING -- -- [1196] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [804] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [804] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 4, recognized as trusted - 4

Control Panel Applets (CPL)

File name Description Manufacturer
Items found - 25, recognized as trusted - 25

Active Setup

File name Description Manufacturer CLSID
Items found - 15, recognized as trusted - 15

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Items found - 32, recognized as trusted - 29

Suspicious objects

File Description Type
C:\WINDOWS\system32\drivers\afwcore.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook
E:\zabava\Numericon\Uninstall.exe
Script: Quarantine, Delete, Delete via BC Suspicion by File scanner Suspicion for Trojan-Downloader.Win32.Zlob.cca ( 0985E742 0F07A750 0022775D 0019CD11 70481)
H:\install\karty\Unofficial Spiderman Solitaire V1.3\digitalfan.EXE
Script: Quarantine, Delete, Delete via BC Suspicion by File scanner Suspicion for Trojan-Downloader.Win32.VB.cqq ( 003DAD07 00170123 00188CEC 0028F584 20480)

Attention !!! Database was last updated 8.7.2010 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.34
Scanning started at 14.8.2010 6:26:49
Database loaded: signatures - 275419, NN profile(s) - 2, malware removal microprograms - 56, signature database released 08.07.2010 09:40
Heuristic microprograms loaded: 383
PVS microprograms loaded: 9
Digital signatures of system files loaded: 213048
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=083220)
 Kernel ntoskrnl.exe found in memory at address 804D7000
   SDT = 8055A220
   KiST = 804E26B8 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
\driver\tcpip[IRP_MJ_CREATE] = F82AF652 -> C:\WINDOWS\system32\drivers\afwcore.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = F82AFB76 -> C:\WINDOWS\system32\drivers\afwcore.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F82AF9B8 -> C:\WINDOWS\system32\drivers\afwcore.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLEANUP] = F82AF75E -> C:\WINDOWS\system32\drivers\afwcore.sys, driver recognized as trusted
 Checking - complete
2. Scanning RAM
 Number of processes found: 36
 Number of modules loaded: 513
Scanning RAM - complete
3. Scanning disks
E:\zabava\Numericon\Uninstall.exe >>> suspicion for Trojan-Downloader.Win32.Zlob.cca ( 0985E742 0F07A750 0022775D 0019CD11 70481)
H:\install\karty\Unofficial Spiderman Solitaire V1.3\digitalfan.EXE >>> suspicion for Trojan-Downloader.Win32.VB.cqq ( 003DAD07 00170123 00188CEC 0028F584 20480)
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Termin?lov? slu?ba)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Pl?nova? ?loh)
>> Services: potentially dangerous service allowed: RDSessMgr (Spr?vce relac? n?pov?dy ke vzd?len? plo?e)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Process termination timeout is out of admissible values
 >>  Service termination timeout is out of admissible values
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 89194, extracted from archives: 60203, malicious software found 0, suspicions - 2
Scanning finished at 14.8.2010 7:12:52
Time of scanning: 00:46:05
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Terminбlovб sluћba)
Performance tweaking: disable service TlntSvr (Telnet)
Performance tweaking: disable service Schedule (Plбnovaи ъloh)
Performance tweaking: disable service RDSessMgr (Sprбvce relacн nбpovмdy ke vzdбlenй ploљe)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	38990	[1132] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	32874	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
1026	LISTENING	0.0.0.0	57561	[3444] c:\windows\system32\alg.exe Script: Quarantine, Delete, Delete via BC, Terminate
5152	LISTENING	0.0.0.0	8252	[1788] c:\program files\java\jre6\bin\jqs.exe Script: Quarantine, Delete, Delete via BC, Terminate
44080	LISTENING	0.0.0.0	47122	[2676] c:\program files\avira\antivir desktop\avwebgrd.exe Script: Quarantine, Delete, Delete via BC, Terminate
44110	LISTENING	0.0.0.0	47233	[2640] c:\program files\avira\antivir desktop\avmailc.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123	LISTENING	--	--	[1196] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[804] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[804] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate