Results of system analysis

AVZ 4.46 http://z-oleg.com/secur/avz/

Process List

File name | PID | Description | Copyright | MD5 | Information | Command line
c:\program files\avast software\avast\avastsvc.exe | 1296 | avast! Service | Copyright (c) 2013 AVAST Software | 73F5C13B431915BAE35254B4E95DFB71 | 49.16 kb, rsAh, created: 10.08.2014 12:33:09, modified: 10.08.2014 12:33:09 | "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
c:\program files\avast software\avast\avastui.exe | 1920 | avast! Antivirus | Copyright (c) 2013 AVAST Software | 26B558B2D31C7425B455B00E562EAD93 | 3990.13 kb, rsAh, created: 10.08.2014 12:33:09, modified: 10.08.2014 12:33:50 | "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
c:\windows\system32\dwm.exe | 1432 | Desktop Window Manager | © Microsoft Corporation. All rights reserved. | A13F28AC30EDCEEF74E7F0FE06724FBB | 90.50 kb, rsAh, created: 14.07.2009 01:24:23, modified: 14.07.2009 03:14:19 | "C:\Windows\system32\Dwm.exe"
c:\program files\mozilla firefox\firefox.exe | 3640 | Firefox | ©Firefox and Mozilla Developers; available under the MPL 2 license. | 94AE5F7ADA16ABF26CFC0D0B225AA0EB | 382.95 kb, rsAh, created: 04.01.2017 13:35:00, modified: 26.07.2016 20:05:58 | "C:\Program Files\Mozilla Firefox\firefox.exe"
c:\windows\kmsem\kmservice.exe | 112 | | | D8A9988AF10484BD37A2B85630848134 | 148.07 kb, rsAh, created: 12.01.2014 15:41:49, modified: 12.01.2014 15:41:49 | C:\Windows\kmsem\KMService.exe
c:\program files\xiaomi\miwifi\miwifi.exe | 2380 | MiWiFi | Copyright(c) 2014, XIAOMI CORPORATION | 5B0330251BE1711E07994FA70A2C8735 | 8466.80 kb, rsAh, created: 03.01.2016 12:52:57, modified: 03.01.2016 12:52:58 | "C:\Program Files\XiaoMi\MiWiFi\MiWifi.exe"
c:\program files\xiaomi\miwifi\miwifimonitor.exe | 1948 | | | 54DE087F3A569099921E763577168E8F | 323.80 kb, rsAh, created: 03.01.2016 12:52:54, modified: 03.01.2016 12:52:54 | "C:\Program Files\XiaoMi\MiWiFi\MiWiFiMonitor.exe"
c:\program files\xiaomi\miwifi\raregistry.exe | 272 | MediatekRegistryWriter | (c) Copyright 2014, Mediatek Inc. | 46C1A9B32A9A82B70A25DE11D0811879 | 390.23 kb, rsAh, created: 03.01.2016 12:52:55, modified: 03.01.2016 12:52:55 | "C:\Program Files\XiaoMi\MiWiFi\RaRegistry.exe"
Detected - 39, recognized as trusted - 33
Module name | Handle | Description | Copyright | AVZ0311 (MD5, file info) | Used by processes
C:\Program Files\AVAST Software\Avast\defs\16120400\algo.dll | 1845428224 | | | MD5=23F5FB2C15261D6D92A12475D2FA055E; 2995.00 kb, rsAh, created: 04.12.2016 12:39:51, modified: 04.12.2016 12:39:52 | 1296
C:\Program Files\AVAST Software\Avast\defs\16120400\aswCleanerDLL.dll | 1875443712 | Virus/Worm Cleaner Application for avast! | Copyright (c) 2011 AVAST Software | MD5=F93C6D08D7E8C4FC641C89FCCB0011C7; 515.39 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296
C:\Program Files\AVAST Software\Avast\defs\16120400\aswCmnBS.dll | 1878589440 | Common functions | Copyright (c) 2014 AVAST Software | MD5=70ACA08AC1015B2AA5D8CDD92584D297; 480.80 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296, 1920
C:\Program Files\AVAST Software\Avast\defs\16120400\aswCmnIS.dll | 1879310336 | Antivirus independent functions | Copyright (c) 2014 AVAST Software | MD5=E45BC2102550F488AC014B36620D94A7; 448.84 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296, 1920
C:\Program Files\AVAST Software\Avast\defs\16120400\aswCmnOS.dll | 1879113728 | Antivirus HW dependent library | Copyright (c) 2014 AVAST Software | MD5=C80C97B087E94D734ED07C855E127BD0; 136.32 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296, 1920
C:\Program Files\AVAST Software\Avast\defs\16120400\aswEngin.dll | 1882849280 | High level antivirus engine | Copyright (c) 2014 AVAST Software | MD5=23AAE6DAB9D38066B7E1B729EF918880; 1343.23 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296
C:\Program Files\AVAST Software\Avast\defs\16120400\aswFiDb.dll | 1875968000 | File information database access | Copyright (c) 2014 AVAST Software | MD5=7ECF50933C421BFD55BC9338C3C798A4; 649.70 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296
C:\Program Files\AVAST Software\Avast\defs\16120400\aswRep.dll | 1877278720 | Reputation services access | Copyright (c) 2014 AVAST Software | MD5=0B1FE062344EA3AE354F86C040639C3F; 432.54 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296
C:\Program Files\AVAST Software\Avast\defs\16120400\aswScan.dll | 1878392832 | Low level antivirus engine | Copyright (c) 2014 AVAST Software | MD5=0FF9FF74FE9C732B2E471AB55C8E9AB8; 196.20 kb, rsAh, created: 04.12.2016 12:39:52, modified: 04.12.2016 12:39:52 | 1296
C:\Program Files\AVAST Software\Avast\defs\16120400\uiExt.dll | 1810169856 | avast! UI extension library | Copyright (c) 2014 AVAST Software | MD5=2BB76F90473DA666FF531CEA11898FF5; 64.71 kb, rsAh, created: 04.12.2016 12:39:53, modified: 04.12.2016 12:39:53 | 1920
C:\Program Files\Mozilla Firefox\browser\components\browsercomps.dll | 1782906880 | | License: MPL 2 | MD5=54D35388822D6FFECC9A3DAD871DD3D5; 49.95 kb, rsAh, created: 15.10.2014 19:45:32, modified: 26.07.2016 20:07:07 | 3640
C:\Program Files\Mozilla Firefox\freebl3.dll | 1669267456 | NSS freebl Library | | MD5=C36430A643F2C51297E12FBD6762B0C9; 335.95 kb, rsAh, created: 04.01.2017 13:35:00, modified: 26.07.2016 20:06:01 | 3640
C:\Program Files\Mozilla Firefox\lgpllibs.dll | 1724710912 | | License: MPL 2 | MD5=3C2B5A64224C1BA8C2E1DA31C359B244; 57.45 kb, rsAh, created: 04.01.2017 13:35:00, modified: 26.07.2016 20:06:02 | 3640
C:\Program Files\Mozilla Firefox\mozavcodec.dll | 1775501312 | | License: MPL 2 | MD5=299E87A2AD2C4CC41D334B2E25872B5B; 1509.95 kb, rsAh, created: 04.01.2017 13:35:01, modified: 26.07.2016 20:06:14 | 3640
C:\Program Files\Mozilla Firefox\mozavutil.dll | 1777074176 | | License: MPL 2 | MD5=6C5A2A8B79F41F3F8F5708FE4A7732FA; 166.95 kb, rsAh, created: 04.01.2017 13:35:01, modified: 26.07.2016 20:06:16 | 3640
C:\Program Files\Mozilla Firefox\mozglue.dll | 1781923840 | | License: MPL 2 | MD5=F578FB34F2B5E509C5F97CC9325A523C; 110.95 kb, rsAh, created: 04.01.2017 13:35:01, modified: 26.07.2016 20:06:17 | 3640
C:\Program Files\Mozilla Firefox\nss3.dll | 1725497344 | | License: MPL 2 | MD5=04F8A6C84284F1997F386E3895620D30; 1670.45 kb, rsAh, created: 04.01.2017 13:35:01, modified: 26.07.2016 20:06:21 | 3640
C:\Program Files\Mozilla Firefox\nssckbi.dll | 1668808704 | NSS Builtin Trusted Root CAs | | MD5=44B1D226591B1902E2D282660B6ABBBF; 393.45 kb, rsAh, created: 04.01.2017 13:35:01, modified: 26.07.2016 20:06:23 | 3640
C:\Program Files\Mozilla Firefox\nssdbm3.dll | 1669922816 | Legacy Database Driver | | MD5=109AE13B2E6010C1E87AE42B855925A4; 91.45 kb, rsAh, created: 04.01.2017 13:35:01, modified: 26.07.2016 20:06:25 | 3640
C:\Program Files\Mozilla Firefox\sandboxbroker.dll | 1729167360 | | License: MPL 2 | MD5=34BC152547647E215B13B11B772658DB; 205.45 kb, rsAh, created: 15.10.2014 19:46:06, modified: 26.07.2016 20:06:31 | 3640
C:\Program Files\Mozilla Firefox\softokn3.dll | 1670053888 | NSS PKCS #11 Library | | MD5=C4EB52D53BFDCB132714494B1C26648D; 143.95 kb, rsAh, created: 04.01.2017 13:35:02, modified: 26.07.2016 20:06:33 | 3640
C:\Program Files\Mozilla Firefox\xul.dll | 1671823360 | | License: MPL 2 | MD5=246846E6E02F74210E36C181CDC73873; 51404.95 kb, rsAh, created: 04.01.2017 13:35:02, modified: 26.07.2016 20:07:05 | 3640
C:\Program Files\XiaoMi\MiWiFi\ICSDHCP.dll | 44498944 | ICSDHCP DLL | Copyright(c) 2014, Mediatek Inc. All rights reserved. | MD5=D5E44298E6A026B26EE0F1AEE011CE06; 599.64 kb, rsAh, created: 03.01.2016 12:52:55, modified: 03.01.2016 12:52:55 | 2380, 272
C:\Program Files\XiaoMi\MiWiFi\RaAPAPI.dll | 268435456 | RaAPAPI DLL | (c) Copyright 2014, Mediatek Inc. All rights reserved. | MD5=183AF52B4C0CBDA0BD298526E8234129; 1071.64 kb, rsAh, created: 03.01.2016 12:52:55, modified: 03.01.2016 12:52:55 | 2380
Modules found - 467, recognized as trusted - 443

Kernel Space Modules Viewer

Module | Base address | Size in memory | Description | Manufacturer | File info
C:\Windows\System32\Drivers\dump_atapi.sys | 81E18000 | 009000 (36864) | | | error getting file info
C:\Windows\System32\Drivers\dump_dumpata.sys | 81E0D000 | 00B000 (45056) | | | error getting file info
C:\Windows\System32\Drivers\dump_dumpfve.sys | 99351000 | 011000 (69632) | | | error getting file info
C:\Windows\system32\drivers\hfFilter.sys | 99400000 | 006000 (24576) | | | 21.13 kb, rsAh, created: 28.11.2014 20:11:32, modified: 30.11.2016 09:43:46
C:\Windows\system32\drivers\{7012eec1-4f37-42d4-a2cd-26727494d248}Gw.sys | 92A00000 | 00D000 (53248) | StdLib | Copyright © 2013 StdLib | 42.15 kb, rsAh, created: 12.10.2014 20:12:10, modified: 12.10.2014 06:45:34
Modules found - 205, recognized as trusted - 200

Services

Service | Description | Status | File | Group | Dependencies
MiRalinkRegistryWriter | MiRalinkRegistryWriter | Running | C:\Program Files\XiaoMi\MiWiFi\RaRegistry.exe (390.23 kb, rsAh, created: 03.01.2016 12:52:55, modified: 03.01.2016 12:52:55) | |
AdobeFlashPlayerUpdateSvc | Adobe Flash Player Update Service | Not started | C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe (264.59 kb, rsAh, created: 12.12.2013 00:25:03, modified: 10.01.2017 19:52:24) | |
gupdate | Google Update Service (gupdate) | Not started | C:\Program Files\Google\Update\GoogleUpdate.exe (error getting file info) | | RPCSS
gupdatem | Google Update Service (gupdatem) | Not started | C:\Program Files\Google\Update\GoogleUpdate.exe (error getting file info) | | RPCSS
MozillaMaintenance | Mozilla Maintenance Service | Not started | C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (error getting file info) | |
Detected - 151, recognized as trusted - 146

Drivers

Service | Description | Status | File | Group | Dependencies
hfFilter | hfFilter | Running | C:\Windows\system32\drivers\hfFilter.sys (21.13 kb, rsAh, created: 28.11.2014 20:11:32, modified: 30.11.2016 09:43:46) | FSFilter Activity Monitor | FltMgr
IObitUnlocker | IObitUnlocker | Not started | C:\Program Files\IObit\IObit Unlocker\IObitUnlocker.sys (29.21 kb, rsAh, created: 02.01.2016 19:33:17, modified: 30.09.2013 14:06:00) | |
MoboroboAssDriver | MoboroboAssDrive | Not started | C:\Windows\system32\drivers\MoboroboAssDriver.sys (error getting file info) | Boot Bus Extender |
nvlddmkm | nvlddmkm | Not started | C:\Windows\system32\DRIVERS\nvlddmkm.sys (error getting file info) | Video |
Detected - 267, recognized as trusted - 263

Autoruns

File name | Status | Startup method | Description | File info
C:\Program Files\XiaoMi\MiWiFi\MiWiFiMonitor.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, MiWiFi | 323.80 kb, rsAh, created: 03.01.2016 12:52:54, modified: 03.01.2016 12:52:54
C:\Windows\system32\psxss.exe | -- | Registry key | HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix | error getting file info
progman.exe | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell | error getting file info
C:\Users\impala25\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Photos Backup, command | error getting file info
C:\Users\impala25\AppData\Roaming\uTorrent\uTorrent.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\uTorrent, command | error getting file info
C:\Windows\system32\dwm.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Desktop Window Manager, EventMessageFile | 90.50 kb, rsAh, created: 14.07.2009 01:24:23, modified: 14.07.2009 03:14:19
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile | error getting file info
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile | error getting file info
C:\Users\impala25\AppData\Local\Temp\NEventMessages.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia M Platform, EventMessageFile | error getting file info
C:\Users\impala25\AppData\Local\Temp\NOSEventMessages.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia Suite, EventMessageFile | error getting file info
C:\Windows\System32\nvoglv32.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\NVIDIA OpenGL Driver, EventMessageFile | error getting file info
C:\40ab43b15b57bea655\DW\DW20.exe | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile | error getting file info
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile | error getting file info
C:\Windows\System32\MsSpellCheckingFacility.dll | -- | Registry key | HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile | error getting file info
C:\Program Files\NVIDIA Corporation\Display\nvui.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {A70C977A-BF00-412C-90B7-034C51DA2439} | error getting file info
C:\Windows\system32\nvshext.dll | Active | Registry key | HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} | error getting file info
C:\Program Files\Windows | Active | Registry key | HKEY_USERS, S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run, Sidebar | error getting file info
Sidebar\Sidebar.exe | Active | Registry key | HKEY_USERS, S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run, Sidebar | error getting file info
C:\Program Files\Windows | Active | Registry key | HKEY_USERS, S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run, Sidebar | error getting file info
Sidebar\Sidebar.exe | Active | Registry key | HKEY_USERS, S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run, Sidebar | error getting file info
Autoruns items found - 651, recognized as trusted - 631

Internet Explorer extension modules (BHOs, Toolbars ...)

File name | Type | Description | Manufacturer | CLSID
Items found - 5, recognized as trusted - 5

Windows Explorer extension modules

File name | Destination | Description | Manufacturer | CLSID | File info
(none) | | WebCheck | | {E6FB5E20-DE35-11CF-9C87-00AA005127ED} | error getting file info
(none) | | | | {06A2568A-CED6-4187-BB20-400B8C02BE5A} | error getting file info
(none) | | | | {00F33137-EE26-412F-8D71-F84E4C2C6625} | error getting file info
(none) | | Windows Live Photo Gallery Autoplay Drop Target | | {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} | error getting file info
(none) | | Windows Live Photo Gallery Viewer Drop Target | | {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} | error getting file info
(none) | | Windows Live Photo Gallery Editor Drop Target | | {00F374B7-B390-4884-B372-2FC349F2172B} | error getting file info
(none) | | Windows Live Photo Gallery Viewer Drop Target Shim | | {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} | error getting file info
(none) | | Windows Live Photo Gallery Editor Drop Target Shim | | {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} | error getting file info
(none) | | Windows Live Photo Gallery Autoplay Drop Target Shim | | {00F30F90-3E96-453B-AFCD-D71989ECC2C7} | error getting file info
C:\Program Files\NVIDIA Corporation\Display\nvui.dll | | NvCpl DesktopContext Class | | {A70C977A-BF00-412C-90B7-034C51DA2439} | error getting file info
C:\Windows\system32\nvshext.dll | | NVIDIA Play On My TV Context Menu Extension | | {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} | error getting file info
Items found - 26, recognized as trusted - 15

Printing system extensions (print monitors, providers)

File name | Type | Name | Description | Manufacturer
Items found - 7, recognized as trusted - 7

Task Scheduler jobs

File name | Job name | Job state | Description | Manufacturer | Path | Command line | Type | File info
C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Adobe Flash Player Updater.job | The task is ready to run at its next scheduled time. | Adobe® Flash® Player Update Service 24.0 r0 | Copyright © 1996-2017 Adobe Systems Incorporated | | C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | 32 | 264.59 kb, rsAh, created: 12.12.2013 00:25:03, modified: 10.01.2017 19:52:24
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineCore.job | The task is ready to run at its next scheduled time. | | | | C:\Program Files\Google\Update\GoogleUpdate.exe /c | 32 | error getting file info
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineUA.job | The task is ready to run at its next scheduled time. | | | | C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler | 32 | error getting file info
C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Adobe Flash Player Updater | The task is ready to run at its next scheduled time. | Adobe® Flash® Player Update Service 24.0 r0 | Copyright © 1996-2017 Adobe Systems Incorporated | C:\Windows\system32\Tasks\ | C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | 32 | 264.59 kb, rsAh, created: 12.12.2013 00:25:03, modified: 10.01.2017 19:52:24
C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe | Avast settings backup | The task is ready to run at its next scheduled time. | Avast Settings Backup | Copyright (c) 2014 AVAST Software | C:\Windows\system32\Tasks\AVAST Software\ | C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe /backup /iavs | 32 | 685.60 kb, rsAh, created: 03.12.2015 16:15:59, modified: 03.06.2016 19:27:13
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineCore | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Program Files\Google\Update\GoogleUpdate.exe /c | 32 | error getting file info
C:\Program Files\Google\Update\GoogleUpdate.exe | GoogleUpdateTaskMachineUA | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler | 32 | error getting file info
aitagent | AitAgent | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\Microsoft\Windows\Application Experience\ | aitagent | 32 | error getting file info
D:\Установка\launcher.exe | Opera scheduled Autoupdate 1462734819 | The task is ready to run at its next scheduled time. | Opera Internet Browser | Copyright Opera Software 2016 | C:\Windows\system32\Tasks\ | D:\Установка\launcher.exe --scheduledautoupdate $(Arg0) | 32 | 688.54 kb, rsAh, created: 08.05.2016 21:13:41, modified: 28.04.2016 14:27:22, name contains national symbols
C:\Program Files\XiaoMi\MiWiFi\kuaipan\kuaipan_backup.exe | RunAsStdUser Task | The task is ready to run at its next scheduled time. | ?U? | Copyright © 1988-2013 Kingsoft Corporation. All rights reserved. | C:\Windows\system32\Tasks\ | C:\Program Files\XiaoMi\MiWiFi\kuaipan\kuaipan_backup.exe -wifi -wifiopen | 32 | 3821.84 kb, rsAh, created: 03.01.2016 12:52:54, modified: 03.01.2016 12:52:54
"d:\Установка\firefox.exe" http://www.skype.com/go/downloading?source=installer&ver=6.21.85.104&LastError=-9 | {0074D634-0724-4AFC-929E-4C243BD95F44} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | "d:\Установка\firefox.exe" http://www.skype.com/go/downloading?source=installer&ver=6.21.85.104&LastError=-9 | 32 | error getting file info, name contains national symbols
d:\Установка\firefox.exe | {0074D634-0724-4AFC-929E-4C243BD95F44} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | "d:\Установка\firefox.exe" http://www.skype.com/go/downloading?source=installer&ver=6.21.85.104&LastError=-9 | 32 | error getting file info, name contains national symbols
"d:\Установка\firefox.exe" http://ui.skype.com/ui/0/6.21.85.104/uk/abandoninstall?page=tsMain | {87266CA2-0BF4-4533-9A9E-AEBBC3C521A5} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | "d:\Установка\firefox.exe" http://ui.skype.com/ui/0/6.21.85.104/uk/abandoninstall?page=tsMain | 32 | error getting file info, name contains national symbols
d:\Установка\firefox.exe | {87266CA2-0BF4-4533-9A9E-AEBBC3C521A5} | The task is ready to run at its next scheduled time. | | | C:\Windows\system32\Tasks\ | "d:\Установка\firefox.exe" http://ui.skype.com/ui/0/6.21.85.104/uk/abandoninstall?page=tsMain | 32 | error getting file info, name contains national symbols
Items found - 52, recognized as trusted - 38

SPI/LSP settings

Namespace providers (NSP)
Manufacturer | Status | EXE file | Description | GUID
Detected - 7, recognized as trusted - 7
Transport protocol providers (TSP, LSP)
Manufacturer | EXE file | Description
Detected - 27, recognized as trusted - 27
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port | Status | Remote Host | Remote Port | Application | Notes | File info
TCP ports
445 | LISTENING | 0.0.0.0 | 0 | System.exe [4] | | error getting file info
1688 | LISTENING | 0.0.0.0 | 0 | c:\windows\kmsem\kmservice.exe [112] | | 148.07 kb, rsAh, created: 12.01.2014 15:41:49, modified: 12.01.2014 15:41:49
5357 | LISTENING | 0.0.0.0 | 0 | System.exe [4] | | error getting file info
49170 | ESTABLISHED | 127.0.0.1 | 49171 | c:\program files\xiaomi\miwifi\miwifi.exe [2380] | | 8466.80 kb, rsAh, created: 03.01.2016 12:52:57, modified: 03.01.2016 12:52:58
49171 | ESTABLISHED | 127.0.0.1 | 49170 | c:\program files\xiaomi\miwifi\miwifi.exe [2380] | | 8466.80 kb, rsAh, created: 03.01.2016 12:52:57, modified: 03.01.2016 12:52:58
49177 | ESTABLISHED | 127.0.0.1 | 49178 | c:\program files\mozilla firefox\firefox.exe [3640] | | 382.95 kb, rsAh, created: 04.01.2017 13:35:00, modified: 26.07.2016 20:05:58
49178 | ESTABLISHED | 127.0.0.1 | 49177 | c:\program files\mozilla firefox\firefox.exe [3640] | | 382.95 kb, rsAh, created: 04.01.2017 13:35:00, modified: 26.07.2016 20:05:58
UDP ports

Downloaded Program Files (DPF)

File name | Description | Manufacturer | CLSID | Source URL | File info
C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_194.ocx | Adobe Flash Player 24.0 r0 | Adobe® Flash® Player. Copyright © 1996-2017 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. | {D27CDB6E-AE6D-11CF-96B8-444553540000} | http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab | 19359.09 kb, RsAh, created: 10.01.2017 18:52:14, modified: 10.01.2017 18:52:15
Items found - 1, recognized as trusted - 0

Control Panel Applets (CPL)

File name | Description | Manufacturer | File info
C:\Windows\system32\FlashPlayerCPLApp.cpl | Adobe Flash Player Control Panel Applet | Copyright © 1996-2017 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries. | 141.09 kb, rsAh, created: 10.04.2013 08:42:32, modified: 10.01.2017 19:52:24
Items found - 21, recognized as trusted - 20

Active Setup

File name | Description | Manufacturer | CLSID
Items found - 8, recognized as trusted - 8

HOSTS file

Hosts file record
127.0.0.1 rad.msn.com
127.0.0.1 validation.sls.microsoft.com
127.0.0.1 clients2.google.com

Protocols and handlers

File name | Type | Description | Manufacturer | CLSID
Items found - 16, recognized as trusted - 16

Shared resources

Network name | Path | Notes
ADMIN$ | C:\Windows | Remote Admin
C$ | C:\ | Default share
D$ | D:\ | Default share
Downloads | D:\Downloads |
IPC$ | | Remote IPC
Photo | D:\Photo |

Suspicious objects

File | Description | Type | File info
C:\Windows\system32\drivers\aswSnx.sys | Suspicion for Rootkit | Kernel-mode hook | 761.27 kb, rsAh, created: 11.12.2013 00:13:35, modified: 21.11.2014 21:21:25
C:\Windows\system32\drivers\aswSP.sys | Suspicion for Rootkit | Kernel-mode hook | 404.80 kb, rsAh, created: 11.12.2013 00:13:36, modified: 10.08.2014 12:33:48


Attention !!! Database was last updated 01.03.2016 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.46
Scanning started at 15.01.2017 17:55:39
Database loaded: signatures - 297570, NN profile(s) - 2, malware removal microprograms - 56, signature database released 01.03.2016 12:37
Heuristic microprograms loaded: 412
PVS microprograms loaded: 9
Digital signatures of system files loaded: 790760
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: disabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Home Basic", install date 10.12.2013 23:50:23 ; AVZ is run with administrator rights (+)
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=169B00)
 Kernel ntkrnlpa.exe found in memory at address 82C43000
   SDT = 82DACB00
   KiST = 82CC143C (401)
Function NtAddBootEntry (09) intercepted (82F489D4->92A4DBA6), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtAssignProcessToJobObject (2B) intercepted (82E430CC->92A4E684), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtCreateEvent (40) intercepted (82E848BE->92A5A6F8), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtCreateEventPair (41) intercepted (82F4E6D4->92A5A744), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtCreateIoCompletion (43) intercepted (82E9EA42->92A5A8DE), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtCreateMutant (4A) intercepted (82E5435A->92A5A666), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtCreateSection (54) intercepted (82E6713D->92B04DF0), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtCreateSemaphore (55) intercepted (82E49B6C->92A5A6AE), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtCreateThread (57) intercepted (82F1FFDA->92B05080), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtCreateThreadEx (58) intercepted (82EB44AB->92B0516A), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtCreateTimer (59) intercepted (82E424FF->92A5A898), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtDebugActiveProcess (60) intercepted (82EF1EDA->92A4F472), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtDeleteBootEntry (64) intercepted (82F48A07->92A4DC0C), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtDuplicateObject (6F) intercepted (82E75761->92A52C68), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtLoadDriver (9B) intercepted (82E09C40->92A4D7F8), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtMapViewOfSection (A8) intercepted (82E8A5F1->92B04ED0), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtModifyBootEntry (A9) intercepted (82F48BD8->92A4DC72), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtNotifyChangeKey (AC) intercepted (82E3DFBD->92A5305E), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtNotifyChangeMultipleKeys (AD) intercepted (82E3D0DF->92A4FF5A), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenEvent (B1) intercepted (82E53D56->92A5A722), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenEventPair (B2) intercepted (82F4E7D5->92A5A766), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenIoCompletion (B4) intercepted (82EFB057->92A5A902), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenMutant (BB) intercepted (82EA545D->92A5A68C), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenProcess (BE) intercepted (82E55BA1->92A52560), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenSection (C2) intercepted (82EAD9FB->92A5A816), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenSemaphore (C3) intercepted (82E29204->92A5A6D6), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenThread (C6) intercepted (82EA2102->92A5294C), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtOpenTimer (C9) intercepted (82F4E47B->92A5A8BC), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtProtectVirtualMemory (D7) intercepted (82E86651->92B04C6E), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtQueryObject (F8) intercepted (82E450B5->92A4FDCE), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtQueueApcThreadEx (10E) intercepted (82E3C00D->92A4FADC), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSetBootEntryOrder (13A) intercepted (82F492EB->92A4DCD8), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSetBootOptions (13B) intercepted (82F497D7->92A4DD3E), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSetContextThread (13C) intercepted (82F2184F->92B04FCC), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtSetSystemInformation (15E) intercepted (82E9237A->92A4D892), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSetSystemPowerState (15F) intercepted (82F65E4A->92A4DA64), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtShutdownSystem (168) intercepted (82F46C19->92A4D9F2), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSuspendProcess (16E) intercepted (82F21CDF->92A4F63C), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSuspendThread (16F) intercepted (82ED91CB->92A4F79E), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtSystemDebugControl (170) intercepted (82EC9802->92A4DAEC), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtTerminateProcess (172) intercepted (82E9ED9A->92B04D3C), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Function NtTerminateThread (173) intercepted (82EBC6CB->92A4F2CC), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtVdmControl (182) intercepted (82F3BD35->92A4DDA4), hook C:\Windows\system32\drivers\aswSnx.sys, driver recognized as trusted
Function NtWriteVirtualMemory (18F) intercepted (82EA3A97->92B04BA0), hook C:\Windows\system32\drivers\aswSP.sys, driver recognized as trusted
Functions checked: 401, intercepted: 44, restored: 0
1.3 Checking IDT and SYSENTER
 Analyzing CPU 1
 Analyzing CPU 2
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Driver loaded successfully
 Checking - complete
2. Scanning RAM
 Number of processes found: 39
 Number of modules loaded: 478
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: automatic logon is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Process termination timeout is out of admissible values
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
 >>  Start -> Run menu item is blocked
Checking - complete
Files scanned: 518, extracted from archives: 0, malicious software found: 0, suspicions: 0
Scanning finished at 15.01.2017 17:57:00
Time of scanning: 00:01:24
If you suspect the presence of viruses or have questions about the suspected objects,
you can contact http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="google.ru", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="google.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.ru", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-03.geo.kaspersky.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-11.geo.kaspersky.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="activation-v2.kaspersky.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="vk.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="vkontakte.ru", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="twitter.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="facebook.com", IP="", Ping=Error (11010,0,0.0.0.0)
  Host="ru-ru.facebook.com", IP="", Ping=Error (11010,0,0.0.0.0)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=wininet.dll
  IE setting ProxyOverride=
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
 Network Persistent Routes

System Analysis - complete
File list