Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
Detected:64, recognized as trusted 64

Module name	Handle	Description	Copyright	MD5	Used by processes
Modules found:486, recognized as trusted 486

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, Delete via BC	8254A000	011000 (69632)
C:\Windows\System32\Drivers\dump_iaStor.sys Script: Quarantine, Delete, Delete via BC	8DE24000	101000 (1052672)
C:\Windows\system32\DRIVERS\rixdptsk.sys Script: Quarantine, Delete, Delete via BC	9254E000	052000 (335872)	RICOH XD SM Driver	Copyright c 2001-2009, Ricoh Company Ltd.,
C:\Windows\system32\drivers\{55318141-dabf-4786-b4b2-f50790587c26}Gw.sys Script: Quarantine, Delete, Delete via BC	90B80000	00D000 (53248)	StdLib	Copyright © 2013 StdLib
Modules found - 205, recognized as trusted - 201

Services

Service	Description	Status	File	Group	Dependencies
gupdate Service: Stop, Delete, Disable, Delete via BC	Служба Оновлення Google (gupdate)	Not started	C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC		RPCSS
gupdatem Service: Stop, Delete, Disable, Delete via BC	Служба Оновлення Google (gupdatem)	Not started	C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC		RPCSS
Steam Client Service Service: Stop, Delete, Disable, Delete via BC	Steam Client Service	Not started	C:\Program Files\Common Files\Steam\SteamService.exe Script: Quarantine, Delete, Delete via BC
Update Service for advPlugin Service: Stop, Delete, Disable, Delete via BC	Update Service for advPlugin	Not started	C:\Program Files\advPlugin\Basement\ExtensionUpdaterService.exe Script: Quarantine, Delete, Delete via BC
Update Service for VK Downloader Service: Stop, Delete, Disable, Delete via BC	Update Service for VK Downloader	Not started	C:\Program Files\VK Downloader\Basement\ExtensionUpdaterService.exe Script: Quarantine, Delete, Delete via BC
WiseBootAssistant Service: Stop, Delete, Disable, Delete via BC	Wise Boot Assistant	Not started	C:\Program Files\Wise\Wise Care 365\BootTime.exe Script: Quarantine, Delete, Delete via BC
Detected - 165, recognized as trusted - 159

Drivers

Service	Description	Status	File	Group	Dependencies
rismxdp Driver: Unload, Delete, Disable, Delete via BC	Ricoh xD-Picture Card Driver	Running	C:\Windows\system32\DRIVERS\rixdptsk.sys Script: Quarantine, Delete, Delete via BC	SmartMedia/XD
ATSWPDRV Driver: Unload, Delete, Disable, Delete via BC	AuthenTec TruePrint USB Driver (SwipeSensor)	Not started	C:\Windows\system32\DRIVERS\ATSwpDrv.sys Script: Quarantine, Delete, Delete via BC
VGPU Driver: Unload, Delete, Disable, Delete via BC	VGPU	Not started	C:\Windows\system32\drivers\rdvgkmd.sys Script: Quarantine, Delete, Delete via BC
Detected - 278, recognized as trusted - 275

Autoruns

File name	Status	Startup method	Description
C:\Program Files\Borland\CBuilder6\Bin\bordbg61.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\AeDebug, Debugger
C:\Program Files\Common Files\Steam\SteamService.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Steam Client Service, EventMessageFile
C:\Program Files\Google\Chrome\Application\chrome.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk,
C:\Windows\System32\drivers\ATSwpDrv.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ATSWPDRV, EventMessageFile
D:\Program\NLClient\NLClient.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\HP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\NLClient.lnk,
cmd /c start http://simsimotkroysia.ru/ Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, jkrcrqmist Delete
progman.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell Delete
Autoruns items found - 733, recognized as trusted - 726

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} Delete
C:\Program Files\advPlugin\Toolbar32.dll Script: Quarantine, Delete, Delete via BC	Extension module			{7CE987D5-11B3-44FC-9C3D-03069360D462} Delete
	URLSearchHook			{D8278076-BC68-4484-9233-6E7F1628B56C} Delete
Items found - 9, recognized as trusted - 5

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
Items found - 34, recognized as trusted - 34

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
Items found - 7, recognized as trusted - 7

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer	Path	Command line
C:\Users\HP\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE Script: Quarantine, Delete, Delete via BC	Digital Sites.job Script: Delete	The task is ready to run at its next scheduled time.				C:\Users\HP\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE /Check
C:\Program Files\Driver Script: Quarantine, Delete, Delete via BC	Driver Robot.job Script: Delete	The task is ready to run at its next scheduled time.				C:\Program Files\Driver Robot\Driver Robot.lnk --scan --stack=from-scheduler
C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC	GoogleUpdateTaskMachineCore1cf272df765cabc.job Script: Delete	The task is ready to run at its next scheduled time.				C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC	GoogleUpdateTaskMachineCore1d0426b9cb3bcac.job Script: Delete	The task has not yet run.				C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC	GoogleUpdateTaskMachineUA1cf8b8bed287aa8.job Script: Delete	The task is ready to run at its next scheduled time.				C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
C:\Program Files\Microsoft Data\nsi.exe Script: Quarantine, Delete, Delete via BC	chrome5 Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	"C:\Program Files\Microsoft Data\nsi.exe" /reinstall=1
C:\Program Files\Microsoft Script: Quarantine, Delete, Delete via BC	chrome5_logon Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Program Files\Microsoft Data\nsi.exe /reinstall=1
Data\nsi.exe Script: Quarantine, Delete, Delete via BC	chrome5_logon Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Program Files\Microsoft Data\nsi.exe /reinstall=1
C:\Users\HP\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE Script: Quarantine, Delete, Delete via BC	Digital Sites Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Users\HP\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE /Check
C:\Program Files\Driver Script: Quarantine, Delete, Delete via BC	Driver Robot Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Program Files\Driver Robot\Driver Robot.lnk --scan --stack=from-scheduler
C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC	GoogleUpdateTaskMachineCore1cf272df765cabc Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC	GoogleUpdateTaskMachineCore1d0426b9cb3bcac Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Program Files\Google\Update\GoogleUpdate.exe /c
C:\Program Files\Google\Update\GoogleUpdate.exe Script: Quarantine, Delete, Delete via BC	GoogleUpdateTaskMachineUA1cf8b8bed287aa8 Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
C:\Users\HP\AppData\Local\Mail.Ru\MailRuUpdater.exe Script: Quarantine, Delete, Delete via BC	MailRuUpdateTask Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Users\HP\AppData\Local\Mail.Ru\MailRuUpdater.exe --scheduler
aitagent Script: Quarantine, Delete, Delete via BC	AitAgent Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\Microsoft\Windows\Application Experience\	aitagent
C:\Windows\ehome\mcupdate Script: Quarantine, Delete, Delete via BC	mcupdate Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\	%SystemRoot%\ehome\mcupdate $(Arg0)
C:\Windows\ehome\ehrec Script: Quarantine, Delete, Delete via BC	RecordingRestart Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\	%SystemRoot%\ehome\ehrec /RestartRecording
C:\Windows\ehome\ehrec Script: Quarantine, Delete, Delete via BC	StartRecording Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\	%SystemRoot%\ehome\ehrec /StartRecording
C:\Users\HP\AppData\Local\SystemDir\nethost.exe Script: Quarantine, Delete, Delete via BC	nethost task Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Users\HP\AppData\Local\SystemDir\nethost.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe Script: Quarantine, Delete, Delete via BC	SpyHunter4Startup Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	"C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe" /s
C:\Users\HP\Downloads\g2m_codec.exe Script: Quarantine, Delete, Delete via BC	{B37FDF90-6292-4BBE-A35F-1D72E7BC1CAA} Script: Delete	The task is ready to run at its next scheduled time.	GoToMeeting Installer Extractor	Copyright © 1997-2014 Citrix Systems, Inc.	C:\Windows\system32\Tasks\	C:\Windows\system32\pcalua.exe -a C:\Users\HP\Downloads\g2m_codec.exe -d C:\Users\HP\Downloads
C:\Program Files\Uninstall Information\97\4446\uninstall.exe Script: Quarantine, Delete, Delete via BC	{BF5F8BD7-E085-42F2-8D3D-A1BE3806A7E6} Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Windows\system32\pcalua.exe -a "C:\Program Files\Uninstall Information\97\4446\uninstall.exe" -d "C:\Program Files\Uninstall Information\97\4446"
C:\Program Files\Uninstall Information\97\4446 Script: Quarantine, Delete, Delete via BC	{BF5F8BD7-E085-42F2-8D3D-A1BE3806A7E6} Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Windows\system32\pcalua.exe -a "C:\Program Files\Uninstall Information\97\4446\uninstall.exe" -d "C:\Program Files\Uninstall Information\97\4446"
D:\гамес\mu\Bless MuOnline Orion Project.exe Script: Quarantine, Delete, Delete via BC	{FE074CB2-9880-42A7-94A4-E672602BA712} Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Windows\system32\pcalua.exe -a "D:\гамес\mu\Bless MuOnline Orion Project.exe" -d D:\гамес\mu
D:\гамес\mu Script: Quarantine, Delete, Delete via BC	{FE074CB2-9880-42A7-94A4-E672602BA712} Script: Delete	The task is ready to run at its next scheduled time.			C:\Windows\system32\Tasks\	C:\Windows\system32\pcalua.exe -a "D:\гамес\mu\Bless MuOnline Orion Project.exe" -d D:\гамес\mu
Items found - 87, recognized as trusted - 62

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 7, recognized as trusted - 7

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 25, recognized as trusted - 25
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
139 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49734 TIME_WAIT 8.36.120.226 443 [0]
UDP ports
137 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
Items found - 22, recognized as trusted - 22

Active Setup

File name Description Manufacturer CLSID
C:\Program Files\Google\Chrome\Application\41.0.2272.118\Installer\chrmstp.exe
Script: Quarantine, Delete, Delete via BC {8A69D345-D564-463c-AFF1-A69D9E530F96}
Delete
Items found - 10, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name Type Description Manufacturer CLSID
Items found - 18, recognized as trusted - 18

Shared resources

Network name Path Notes
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
D$ D:\ Default share
IPC$ Remote IPC

Suspicious objects

File Description Type
C:\Windows\system32\DRIVERS\ehdrv.sys
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook
C:\Users\HP\appdata\local\microsoft\windows\toolbar.exe
Script: Quarantine, Delete, Delete via BC Suspicion by Heuristic analysis HSC: suspicion for File with suspicious name (CH)

AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 06.04.2015 21:04:44
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 06.04.2015 04:00
Heuristic microprograms loaded: 410
PVS microprograms loaded: 9
Digital signatures of system files loaded: 729510
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=16A9C0)
 Kernel ntkrnlpa.exe found in memory at address 82C1A000
   SDT = 82D849C0
   KiST = 82C98D9C (401)
Function NtCreateThread (57) intercepted (82EF7C02->90AE3260), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Function NtLoadDriver (9B) intercepted (82DE1B78->90AE3320), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Function NtSetSystemInformation (15E) intercepted (82E6A0EE->90AE32E0), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Function NtSystemDebugControl (170) intercepted (82EA1464->90AE32A0), hook C:\Windows\system32\DRIVERS\ehdrv.sys, driver recognized as trusted
Functions checked: 401, intercepted: 4, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 65
 Number of modules loaded: 493
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Hidden startup suspected:  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShadowPlay="C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart"
>>> C:\Users\HP\appdata\local\microsoft\windows\toolbar.exe HSC: suspicion for File with suspicious name (CH)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Планувальник завдань)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 558, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 06.04.2015 21:06:10
Time of scanning: 00:01:30
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
System Analysis in progress
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="87.250.251.11,87.250.250.8,93.158.134.8,77.88.21.11", Ping=Error (11010,0,0.0.0.0)
  Host="google.ru", IP="216.58.209.163", Ping=Error (11010,0,0.0.0.0)
  Host="google.com", IP="173.194.112.201,173.194.112.197,173.194.112.193,173.194.112.198,173.194.112.200,173.194.112.199,173.194.112.192,173.194.112.206,173.194.112.196,173.194.112.194,173.194.112.195", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.com", IP="4.59.181.209", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.ru", IP="4.59.181.212", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-03.geo.kaspersky.com", IP="4.28.136.42", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-11.geo.kaspersky.com", IP="38.117.98.202", Ping=Error (11010,0,0.0.0.0)
  Host="activation-v2.kaspersky.com", IP="195.27.252.50", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="217.20.147.94", Ping=Error (11010,0,0.0.0.0)
  Host="vk.com", IP="87.240.131.120,87.240.131.119,87.240.131.118", Ping=Error (11010,0,0.0.0.0)
  Host="vkontakte.ru", IP="95.213.4.247,95.213.4.248,95.213.4.246", Ping=Error (11010,0,0.0.0.0)
  Host="twitter.com", IP="185.45.5.43,185.45.5.32", Ping=Error (11010,0,0.0.0.0)
  Host="facebook.com", IP="173.252.120.6", Ping=Error (11010,0,0.0.0.0)
  Host="ru-ru.facebook.com", IP="31.13.90.2", Ping=Error (11010,0,0.0.0.0)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=wininet.dll
  IE setting ProxyOverride=
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
 Network Persistent Routes

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Remote Desktop Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Планувальник завдань)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
139	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
49734	TIME_WAIT	8.36.120.226	443	[0]
UDP ports
137	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate

Network name	Path	Notes
ADMIN$	C:\Windows	Remote Admin
C$	C:\	Default share
D$	D:\	Default share
IPC$		Remote IPC