Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\windows\explorer.exe Script: Quarantine, Delete, Delete via BC, Terminate	2108	Prщzkumnнk Windows	© Microsoft Corporation. Vљechna prбva vyhrazena.	??	2555.00 kb, rsAh, created: 27.04.2011 22:19:11, modified: 25.02.2011 07:30:54 Command line: C:\Windows\Explorer.EXE
c:\program files\samsung\kies\external\firmwareupdate\kiespdlr.exe Script: Quarantine, Delete, Delete via BC, Terminate	4000	KiesPDLR	Copyright © 2011	??	20.39 kb, rsAh, created: 29.09.2011 16:19:26, modified: 29.09.2011 16:19:26 Command line: "C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe"
c:\program files\samsung\kies\kiestrayagent.exe Script: Quarantine, Delete, Delete via BC, Terminate	3412	Kies TrayAgent Application	(c) Samsung Electronics Co., Ltd. All rights reserved.	??	3425.89 kb, rsAh, created: 29.09.2011 16:19:16, modified: 29.09.2011 16:19:16 Command line: "C:\Program Files\Samsung\Kies\KiesTrayAgent.exe"
c:\program files\windows sidebar\sidebar.exe Script: Quarantine, Delete, Delete via BC, Terminate	3576	Windows Desktop Gadgets	© Microsoft Corporation. Vљechna prбva vyhrazena.	??	1146.50 kb, rsAh, created: 23.02.2011 23:24:47, modified: 20.11.2010 05:17:42 Command line: "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
c:\program files\superantispyware\superantispyware.exe Script: Quarantine, Delete, Delete via BC, Terminate	3932	SUPERAntiSpyware Application	Copyright (C) 2005-2010 by SUPERAntiSpyware.com and SUPERAdBlocker.com	??	2367.73 kb, rsAh, created: 22.11.2010 18:29:41, modified: 22.11.2010 18:29:41 Command line: "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate	3592	Windows Media Player Network Sharing Service	© Microsoft Corporation. Vљechna prбva vyhrazena.	??	1095.50 kb, rsAh, created: 23.02.2011 23:25:27, modified: 20.11.2010 05:17:58 Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
Detected:65, recognized as trusted 62

Module name	Handle	Description	Copyright	MD5	Used by processes
\\?\C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-20\Indiv01.key Script: Quarantine, Delete, Delete via BC	180355072	Individualized Black Box DLL	© Microsoft Corporation. All rights reserved.	--	3592
C:\Program Files\Microsoft Office\Office12\1029\GrooveIntlResource.dll Script: Quarantine, Delete, Delete via BC	1607532544	GrooveIntlResource Module	© 2007 Microsoft Corporation. Vљechna prбva vyhrazena.	--	2108
C:\Program Files\Samsung\Kies\External\DeviceModules\UPNPDevice_Kies.dll Script: Quarantine, Delete, Delete via BC	268435456	UPnP SDK Device Host Kies Device	© Microsoft Corporation. All rights reserved.	--	3412
C:\Users\Petr\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll Script: Quarantine, Delete, Delete via BC	63307776			--	3932
C:\Users\Petr\Desktop\JR2010\JRcm.dll Script: Quarantine, Delete, Delete via BC	77922304			--	2108
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\2b1af7649e57195b4b85bbf4c5cb7c90\mscorlib.ni.dll Script: Quarantine, Delete, Delete via BC	1664417792	Microsoft Common Language Runtime Class Library	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\b540398c49e7c32ab58666de7f09f645\PresentationCore.ni.dll Script: Quarantine, Delete, Delete via BC	1639776256	PresentationCore.dll	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\401a9dbeaad6b6ca70c90ae4fbd2e0b8\PresentationFramework.ni.dll Script: Quarantine, Delete, Delete via BC	1621688320	PresentationFramework.dll	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\af091a68303117ca2166aa13bcbfbbd0\PresentationFramework.Aero.ni.dll Script: Quarantine, Delete, Delete via BC	1569259520	PresentationFramework.Aero.dll	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\90223e809b1ff291a7f65509702e2fa1\System.Core.ni.dll Script: Quarantine, Delete, Delete via BC	1590558720	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\fd0f015bc4324d8b9716ae38083a4e4d\System.Drawing.ni.dll Script: Quarantine, Delete, Delete via BC	1695219712	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\ab1a41d184118635218d38da3f4bcae8\System.Management.ni.dll Script: Quarantine, Delete, Delete via BC	1565655040	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\dabeb21f09f88576c2cce838280c7f44\System.Runtime.Remoting.ni.dll Script: Quarantine, Delete, Delete via BC	1567424512	Microsoft .NET Runtime Object Remoting	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\fa45e7d581b80c34cb0d5518491c7387\System.Windows.Forms.ni.dll Script: Quarantine, Delete, Delete via BC	1608515584	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\2b0b477db8f5a19d6365b93106b26651\System.Xaml.ni.dll Script: Quarantine, Delete, Delete via BC	1707147264	System.Xaml.dll	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\a48e483c6b13da563725d72ec518a0bb\System.Xml.ni.dll Script: Quarantine, Delete, Delete via BC	1689124864	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\69adb8f9940fa1330f6f1b706e3dc31e\System.ni.dll Script: Quarantine, Delete, Delete via BC	1655242752	.NET Framework	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\c0afb5fbfbc7a8d670b430672c5fd578\WindowsBase.ni.dll Script: Quarantine, Delete, Delete via BC	1651310592	WindowsBase.dll	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll Script: Quarantine, Delete, Delete via BC	1812856832	Microsoft .NET Runtime Common Language Runtime - WorkStation	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll Script: Quarantine, Delete, Delete via BC	1705050112	Microsoft .NET Runtime Just-In-Time Compiler	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll Script: Quarantine, Delete, Delete via BC	1821114368	Microsoft .NET Runtime Execution Engine	© Microsoft Corporation. All rights reserved.	--	4000, 3576
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll Script: Quarantine, Delete, Delete via BC	1664352256	Microsoft Collation Support	© Microsoft Corporation. All rights reserved.	--	4000
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll Script: Quarantine, Delete, Delete via BC	1705443328	wpfgfx_v0400.dll	© Microsoft Corporation. All rights reserved.	--	4000
Modules found:622, recognized as trusted 599

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, Delete via BC	963DE000	009000 (36864)
C:\Windows\System32\Drivers\dump_dumpata.sys Script: Quarantine, Delete, Delete via BC	963D3000	00B000 (45056)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, Delete via BC	963E7000	011000 (69632)
C:\Windows\System32\Drivers\spgs.sys Script: Quarantine, Delete, Delete via BC	88EA6000	0F3000 (995328)
Modules found - 195, recognized as trusted - 191

Services

Service	Description	Status	File	Group	Dependencies
Detected - 157, recognized as trusted - 157

Drivers

Service	Description	Status	File	Group	Dependencies
sptd Driver: Unload, Delete, Disable, Delete via BC	sptd	Running	C:\Windows\System32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
DrvSnSht Driver: Unload, Delete, Disable, Delete via BC	DrvSnSht	Not started	C:\Program Files\R-Drive Image\DrvSnSht.sys Script: Quarantine, Delete, Delete via BC
fssfltr Driver: Unload, Delete, Disable, Delete via BC	fssfltr	Not started	C:\Windows\system32\DRIVERS\fssfltr.sys Script: Quarantine, Delete, Delete via BC	NDIS	tcpip
MpKsl069e0fad Driver: Unload, Delete, Disable, Delete via BC	MpKsl069e0fad	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A48303E9-3E0E-4EE9-818D-689A6FD59B83}\MpKsl069e0fad.sys Script: Quarantine, Delete, Delete via BC
MpKsl071f5a08 Driver: Unload, Delete, Disable, Delete via BC	MpKsl071f5a08	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F612CA21-AB1C-47F2-AA39-6F6999A62612}\MpKsl071f5a08.sys Script: Quarantine, Delete, Delete via BC
MpKsl27a1e390 Driver: Unload, Delete, Disable, Delete via BC	MpKsl27a1e390	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{83AD759C-9127-4A36-B040-BE54CAA01559}\MpKsl27a1e390.sys Script: Quarantine, Delete, Delete via BC
MpKsl54b3080e Driver: Unload, Delete, Disable, Delete via BC	MpKsl54b3080e	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{413A7523-CBD5-48BA-A79E-98C5086E107B}\MpKsl54b3080e.sys Script: Quarantine, Delete, Delete via BC
MpKsl6c34c1b6 Driver: Unload, Delete, Disable, Delete via BC	MpKsl6c34c1b6	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D3BC3AD5-6F38-452A-A497-1E0BF77D5399}\MpKsl6c34c1b6.sys Script: Quarantine, Delete, Delete via BC
MpKsla2fe7fe2 Driver: Unload, Delete, Disable, Delete via BC	MpKsla2fe7fe2	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{66F15F9E-B779-4A46-BFF7-93353DC060F4}\MpKsla2fe7fe2.sys Script: Quarantine, Delete, Delete via BC
MpKsla4d8677a Driver: Unload, Delete, Disable, Delete via BC	MpKsla4d8677a	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E614534E-C004-46F2-9B81-67D1975E8315}\MpKsla4d8677a.sys Script: Quarantine, Delete, Delete via BC
MpKsla91a5e57 Driver: Unload, Delete, Disable, Delete via BC	MpKsla91a5e57	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0164F599-B718-4A68-872F-1028F0750AA4}\MpKsla91a5e57.sys Script: Quarantine, Delete, Delete via BC
MpKslc8bdbb5f Driver: Unload, Delete, Disable, Delete via BC	MpKslc8bdbb5f	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DAF505D1-91C5-492D-8C79-B85506A560EA}\MpKslc8bdbb5f.sys Script: Quarantine, Delete, Delete via BC
MpKslda02d70d Driver: Unload, Delete, Disable, Delete via BC	MpKslda02d70d	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B8CD4F32-28CC-4F8C-BB4D-4D064AB89EB7}\MpKslda02d70d.sys Script: Quarantine, Delete, Delete via BC
MpKsle5200296 Driver: Unload, Delete, Disable, Delete via BC	MpKsle5200296	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F164106A-A8BC-4AFF-BC54-CA50C9F1BCBD}\MpKsle5200296.sys Script: Quarantine, Delete, Delete via BC
MpKslef8e60e9 Driver: Unload, Delete, Disable, Delete via BC	MpKslef8e60e9	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A805C945-823C-4842-80B8-BFD06D68C79D}\MpKslef8e60e9.sys Script: Quarantine, Delete, Delete via BC
MpKslfd546990 Driver: Unload, Delete, Disable, Delete via BC	MpKslfd546990	Not started	c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{52A7B41D-2F5A-4FC8-B768-72F49D61F99F}\MpKslfd546990.sys Script: Quarantine, Delete, Delete via BC
R-ImageDisk Driver: Unload, Delete, Disable, Delete via BC	R-ImageDisk	Not started	C:\Program Files\R-Drive Image\R-ImageDisk.sys Script: Quarantine, Delete, Delete via BC
Detected - 274, recognized as trusted - 257

Autoruns

File name	Status	Startup method	Description
C:\PROGRA~1\MIF5BA~1\Office12\1029\MAPIR.DLL Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Outlook, EventMessageFile
C:\Program Files\MyPlayCity.com\Turtix - Rescue Adventures\Turtix - Rescue Adventures.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Turtix - Rescue Adventures.lnk,
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SUPERAntiSpyware Delete
C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, KiesPDLR Delete
C:\Program Files\Samsung\Kies\Kies.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk,
C:\Program Files\Samsung\Kies\KiesHelper.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, KiesHelper Delete
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, KiesTrayAgent Delete
C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk Script: Quarantine, Delete, Delete via BC	Active	File in Startup folder	C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk,
C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk Script: Quarantine, Delete, Delete via BC	Active	File in Startup folder	C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Petr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk,
C:\Users\Petr\Desktop\JR2010\JRcm.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {C20B9A7B-ED5B-4CEB-B2A6-F1F62E99C539} Delete
C:\Windows\System32\appmgmts.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll Delete
C:\Windows\System32\drivers\avipbb.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\avipbb, EventMessageFile
C:\Windows\System32\drivers\ss_bbus.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ss_bbus, EventMessageFile
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
progman.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
rdpclip Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
vgafix.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon Delete
vgaoem.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon Delete
vgasys.fon Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon Delete
Autoruns items found - 653, recognized as trusted - 634

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{92780B25-18CC-41C8-B9BE-3C9C571A8263} Delete
	URLSearchHook			{855F3B16-6D32-4fe6-8A56-BBB695989046} Delete
Items found - 10, recognized as trusted - 7

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	WLMD Message Handler			{0563DB41-F538-4B37-A92D-4659049B7766} Delete
				{1984DD45-52CF-49cd-AB77-18F378FEA264} {000214e8-0000-0000-c000-000000000046} 0x401 Delete
	Context Menu Shell Extension			{84058084-7609-44D1-B3CC-7A9436CB6D92} Delete
	{B9B9F083-2B04-452A-8691-83694AC1037B}			Logitech Setpoint Extension Delete
	Shell Extension for Malware scanning			{45AC2688-0253-4ED8-97DE-B5370FA7D48A} Delete
C:\Users\Petr\Desktop\JR2010\JRcm.dll Script: Quarantine, Delete, Delete via BC	JRcm			{C20B9A7B-ED5B-4CEB-B2A6-F1F62E99C539} Delete
Items found - 47, recognized as trusted - 41

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Items found - 8, recognized as trusted - 8

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
Items found - 4, recognized as trusted - 4

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 9, recognized as trusted - 9

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 35, recognized as trusted - 35
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [780] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
139 LISTENING 0.0.0.0 0 [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 0 [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
554 LISTENING 0.0.0.0 0 [3592] c:\program files\windows media player\wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
2559 LISTENING 0.0.0.0 0 [5804] c:\program files\nvidia corporation\nvidia updatus\daemonu.exe
Script: Quarantine, Delete, Delete via BC, Terminate
2869 LISTENING 0.0.0.0 0 [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
5357 LISTENING 0.0.0.0 0 [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
10243 LISTENING 0.0.0.0 0 [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
49152 LISTENING 0.0.0.0 0 [432] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49153 LISTENING 0.0.0.0 0 [916] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49154 LISTENING 0.0.0.0 0 [988] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49155 LISTENING 0.0.0.0 0 [496] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49157 LISTENING 0.0.0.0 0 [480] c:\windows\system32\services.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49659 CLOSE_WAIT 174.35.7.25 80 [3412] c:\program files\samsung\kies\kiestrayagent.exe
Script: Quarantine, Delete, Delete via BC, Terminate
50118 TIME_WAIT 69.171.242.12 443 [0]
50235 TIME_WAIT 69.171.229.39 443 [0]
50284 TIME_WAIT 209.85.173.97 443 [0]
50395 CLOSE_WAIT 89.108.66.156 80 [1652] c:\users\petr\desktop\avz4\avz4\avz.exe
Script: Quarantine, Delete, Delete via BC, Terminate
50403 TIME_WAIT 74.125.232.241 443 [0]
50407 ESTABLISHED 94.138.111.176 80 [3576] c:\program files\windows sidebar\sidebar.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
137 LISTENING -- -- [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] SYSTEM
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [988] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [4336] c:\program files\opera\opera.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1172] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1172] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [988] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5004 LISTENING -- -- [3592] c:\program files\windows media player\wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5005 LISTENING -- -- [3592] c:\program files\windows media player\wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5355 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
48000 LISTENING -- -- [5804] c:\program files\nvidia corporation\nvidia updatus\daemonu.exe
Script: Quarantine, Delete, Delete via BC, Terminate
48001 LISTENING -- -- [3656] c:\program files\nvidia corporation\display\nvtray.exe
Script: Quarantine, Delete, Delete via BC, Terminate
50732 LISTENING -- -- [1172] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
51264 LISTENING -- -- [1172] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
51266 LISTENING -- -- [3576] c:\program files\windows sidebar\sidebar.exe
Script: Quarantine, Delete, Delete via BC, Terminate
54736 LISTENING -- -- [4336] c:\program files\opera\opera.exe
Script: Quarantine, Delete, Delete via BC, Terminate
58342 LISTENING -- -- [3932] c:\program files\superantispyware\superantispyware.exe
Script: Quarantine, Delete, Delete via BC, Terminate
58789 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
58790 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
60575 LISTENING -- -- [1796] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 4, recognized as trusted - 4

Control Panel Applets (CPL)

File name Description Manufacturer
Items found - 24, recognized as trusted - 24

Active Setup

File name Description Manufacturer CLSID
Items found - 10, recognized as trusted - 10

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Items found - 19, recognized as trusted - 16

Suspicious objects

File Description Type

AVZ Antiviral Toolkit log; AVZ version is 4.37
Scanning started at 27.10.2011 19:54:50
Database loaded: signatures - 294598, NN profile(s) - 2, malware removal microprograms - 56, signature database released 27.10.2011 16:00
Heuristic microprograms loaded: 388
PVS microprograms loaded: 9
Digital signatures of system files loaded: 302280
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 6.1.7601, Service Pack 1 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=169B00)
 Kernel ntkrnlpa.exe found in memory at address 82E4B000
   SDT = 82FB4B00
   KiST = 82EC9D5C (401)
Functions checked: 401, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
\FileSystem\ntfs[IRP_MJ_CREATE] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 84E7C1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 84E7C1F8 -> hook not defined
 Checking - complete
2. Scanning RAM
 Number of processes found: 69
Extended process analysis: 4000 C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
 Number of modules loaded: 641
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
 Checking - disabled by user
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Vzd?len? plocha)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Pl?nova? ?loh)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 710, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 27.10.2011 19:55:51
Time of scanning: 00:01:02
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Vzdбlenб plocha)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Plбnovaи ъloh)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[780] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
139	LISTENING	0.0.0.0	0	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	0	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
554	LISTENING	0.0.0.0	0	[3592] c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
2559	LISTENING	0.0.0.0	0	[5804] c:\program files\nvidia corporation\nvidia updatus\daemonu.exe Script: Quarantine, Delete, Delete via BC, Terminate
2869	LISTENING	0.0.0.0	0	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
5357	LISTENING	0.0.0.0	0	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
10243	LISTENING	0.0.0.0	0	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
49152	LISTENING	0.0.0.0	0	[432] c:\windows\system32\wininit.exe Script: Quarantine, Delete, Delete via BC, Terminate
49153	LISTENING	0.0.0.0	0	[916] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49154	LISTENING	0.0.0.0	0	[988] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49155	LISTENING	0.0.0.0	0	[496] c:\windows\system32\lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
49157	LISTENING	0.0.0.0	0	[480] c:\windows\system32\services.exe Script: Quarantine, Delete, Delete via BC, Terminate
49659	CLOSE_WAIT	174.35.7.25	80	[3412] c:\program files\samsung\kies\kiestrayagent.exe Script: Quarantine, Delete, Delete via BC, Terminate
50118	TIME_WAIT	69.171.242.12	443	[0]
50235	TIME_WAIT	69.171.229.39	443	[0]
50284	TIME_WAIT	209.85.173.97	443	[0]
50395	CLOSE_WAIT	89.108.66.156	80	[1652] c:\users\petr\desktop\avz4\avz4\avz.exe Script: Quarantine, Delete, Delete via BC, Terminate
50403	TIME_WAIT	74.125.232.241	443	[0]
50407	ESTABLISHED	94.138.111.176	80	[3576] c:\program files\windows sidebar\sidebar.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
137	LISTENING	--	--	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] SYSTEM Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[988] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[4336] c:\program files\opera\opera.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1172] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1172] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[988] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
5004	LISTENING	--	--	[3592] c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
5005	LISTENING	--	--	[3592] c:\program files\windows media player\wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
5355	LISTENING	--	--	[1312] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
48000	LISTENING	--	--	[5804] c:\program files\nvidia corporation\nvidia updatus\daemonu.exe Script: Quarantine, Delete, Delete via BC, Terminate
48001	LISTENING	--	--	[3656] c:\program files\nvidia corporation\display\nvtray.exe Script: Quarantine, Delete, Delete via BC, Terminate
50732	LISTENING	--	--	[1172] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
51264	LISTENING	--	--	[1172] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
51266	LISTENING	--	--	[3576] c:\program files\windows sidebar\sidebar.exe Script: Quarantine, Delete, Delete via BC, Terminate
54736	LISTENING	--	--	[4336] c:\program files\opera\opera.exe Script: Quarantine, Delete, Delete via BC, Terminate
58342	LISTENING	--	--	[3932] c:\program files\superantispyware\superantispyware.exe Script: Quarantine, Delete, Delete via BC, Terminate
58789	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
58790	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
60575	LISTENING	--	--	[1796] c:\windows\system32\svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate