Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\users\aldair\desktop\avz4\avz.exe Script: Quarantine, Delete, Delete via BC, Terminate	4356	???????????? ??????? AVZ	???????????? ??????? AVZ	??	747.00 kb, rsAh, created: 04.05.2013 09:52:17, modified: 20.05.2012 10:51:48 Command line: "C:\Users\Aldair\Desktop\avz4\avz.exe"
c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate	3436	Firefox	©Firefox and Mozilla Developers; available under the MPL 2 license.	??	898.90 kb, rsAh, created: 15.04.2013 22:14:08, modified: 15.04.2013 22:14:15 Command line: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
c:\windows\syswow64\macromed\flash\flashplayerplugin_11_7_700_169.exe Script: Quarantine, Delete, Delete via BC, Terminate	2372	Adobe Flash Player 11.7 r700	Adobe® Flash® Player. Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.	??	1812.38 kb, rsAh, created: 15.04.2013 20:50:46, modified: 15.04.2013 20:50:46 Command line: "C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe" --proxy-stub-channel=Flash2536.6B111D90.4150 --host-broker-channel=Flash2536.6B111D90.8855 --host-pid=2536 --host-npapi-version=27 --plugin-path="C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll"
c:\windows\syswow64\macromed\flash\flashplayerplugin_11_7_700_169.exe Script: Quarantine, Delete, Delete via BC, Terminate	2884	Adobe Flash Player 11.7 r700	Adobe® Flash® Player. Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.	??	1812.38 kb, rsAh, created: 15.04.2013 20:50:46, modified: 15.04.2013 20:50:46 Command line: "C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_169.exe" --channel=2372.002EF2A4.1934849410 --proxy-stub-channel=Flash2536.6B111D90.4150 --plugin-path="C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll" --host-npapi-version=27 --type=renderer
c:\program files (x86)\ati technologies\hydravision\hydradm.exe Script: Quarantine, Delete, Delete via BC, Terminate	2620	HydraDM	Copyright © AMD 2006-2009	??	372.00 kb, rsAh, created: 23.11.2009 23:13:12, modified: 23.11.2009 23:13:12 Command line: "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe Script: Quarantine, Delete, Delete via BC, Terminate	2800	HydraDMH64	Copyright © AMD 2007-2009	??	276.00 kb, rsAh, created: 23.11.2009 23:14:08, modified: 23.11.2009 23:14:08 Command line:
c:\program files (x86)\samsung\kies\kies.exe Script: Quarantine, Delete, Delete via BC, Terminate	2648	Kies	Copyright © 2009 SAMSUNG.	??	1473.86 kb, rsAh, created: 20.12.2012 19:44:26, modified: 13.02.2013 12:38:14 Command line: "C:\Program Files (x86)\Samsung\Kies\Kies.exe" /preload
c:\program files (x86)\samsung\kies\external\firmwareupdate\kiespdlr.exe Script: Quarantine, Delete, Delete via BC, Terminate	2640	KiesPDLR	Copyright (c) 2012 Samsung Electronics Co.	??	824.36 kb, rsAh, created: 20.12.2012 19:44:32, modified: 13.02.2013 12:38:24 Command line: "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe"
c:\program files (x86)\samsung\kies\kiestrayagent.exe Script: Quarantine, Delete, Delete via BC, Terminate	2052	Kies TrayAgent Application	(c) Samsung Electronics Co., Ltd. All rights reserved.	??	302.86 kb, rsAh, created: 20.12.2012 19:44:28, modified: 13.02.2013 12:38:18 Command line: "C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe"
c:\program files (x86)\mozilla firefox\plugin-container.exe Script: Quarantine, Delete, Delete via BC, Terminate	2536	Plugin Container for Firefox	License: MPL 2	??	16.90 kb, rsAh, created: 15.04.2013 22:14:08, modified: 15.04.2013 22:14:14 Command line: "C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel=3436.5ab6800.437597499 "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll" -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox" E7CF176E110C211B 3436 "\\.\pipe\gecko-crash-server-pipe.3436" plugin
c:\program files\samsung\samsung link\utils\samsung link launcher.exe Script: Quarantine, Delete, Delete via BC, Terminate	2564	Samsung Link Launcher	Copyright 2013 SAMSUNG	??	397.84 kb, rsAh, created: 27.04.2013 21:31:09, modified: 23.04.2013 14:05:38 Command line: "C:\Program Files\Samsung\Samsung Link\utils\Samsung Link Launcher.exe"
C:\Program Files\Samsung\Samsung Link\Samsung Link Service.exe Script: Quarantine, Delete, Delete via BC, Terminate	2036	Samsung Link Service	Copyright 2013 SAMSUNG	??	591.57 kb, rsAh, created: 27.04.2013 21:31:07, modified: 23.04.2013 14:05:40 Command line:
C:\Program Files\Samsung\Samsung Link\Samsung Link Service.exe Script: Quarantine, Delete, Delete via BC, Terminate	2004	Samsung Link Service	Copyright 2013 SAMSUNG	??	591.57 kb, rsAh, created: 27.04.2013 21:31:07, modified: 23.04.2013 14:05:40 Command line:
C:\Program Files\Samsung\Samsung Link\Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate	3036	Samsung Link	Copyright 2013 SAMSUNG	??	585.07 kb, rsAh, created: 27.04.2013 21:31:07, modified: 23.04.2013 14:05:40 Command line:
Detected:53, recognized as trusted 47

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraCsy.dll Script: Quarantine, Delete, Delete via BC	268435456			--	2620
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDMH.dll Script: Quarantine, Delete, Delete via BC	268435456	HydraDMH	Copyright © AMD 2006-2009	--	4356, 3436, 2372, 2884, 2620, 2648, 2640, 2052, 2536, 2564
Modules found:193, recognized as trusted 191

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
Modules found - 195, recognized as trusted - 195

Services

Service	Description	Status	File	Group	Dependencies
PnkBstrA Service: Stop, Delete, Disable, Delete via BC	PnkBstrA	Running	C:\Windows\system32\PnkBstrA.exe Script: Quarantine, Delete, Delete via BC
Samsung Link Service Service: Stop, Delete, Disable, Delete via BC	Samsung Link Service	Running	C:\Program Files\Samsung\Samsung Link\Samsung Link Service.exe Script: Quarantine, Delete, Delete via BC
MozillaMaintenance Service: Stop, Delete, Disable, Delete via BC	Mozilla Maintenance Service	Not started	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Script: Quarantine, Delete, Delete via BC
Detected - 165, recognized as trusted - 162

Drivers

Service	Description	Status	File	Group	Dependencies
sptd Driver: Unload, Delete, Disable, Delete via BC	sptd	Running	C:\Windows\SystemRoot\System32\Drivers\sptd.sys Script: Quarantine, Delete, Delete via BC	Boot Bus Extender
AODDriver Driver: Unload, Delete, Disable, Delete via BC	AODDriver	Not started	C:\Program Files (x86)\GIGABYTE\ET6\amd64\AODDriver.sys Script: Quarantine, Delete, Delete via BC
MODRC Driver: Unload, Delete, Disable, Delete via BC	PCTV Dib Infrared Receiver	Not started	C:\Windows\system32\DRIVERS\modrc.sys Script: Quarantine, Delete, Delete via BC
Synth3dVsc Driver: Unload, Delete, Disable, Delete via BC	Synth3dVsc	Not started	C:\Windows\system32\drivers\synth3dvsc.sys Script: Quarantine, Delete, Delete via BC
tsusbhub Driver: Unload, Delete, Disable, Delete via BC	tsusbhub	Not started	C:\Windows\system32\drivers\tsusbhub.sys Script: Quarantine, Delete, Delete via BC
VGPU Driver: Unload, Delete, Disable, Delete via BC	VGPU	Not started	C:\Windows\system32\drivers\rdvgkmd.sys Script: Quarantine, Delete, Delete via BC
Detected - 270, recognized as trusted - 264

Autoruns

File name	Status	Startup method	Description
C:\PROGRA~2\MICROS~1\Office12\1029\MAPIR.DLL Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Outlook, EventMessageFile
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, HydraVisionDesktopManager Delete
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\DWA\resources\libraries\EventMessages.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Adobe Setup, EventMessageFile
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IPSEventLogMsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Handwriting Recognition, EventMessageFile
C:\Program Files (x86)\Common Files\soft602\602updsvc\602updsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\602XML Updater, EventMessageFile
C:\Program Files (x86)\Saint Paint\SaintPaint.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\Aldair\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\Aldair\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Saint Paint.lnk,
C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, KiesAirMessage Delete
C:\Program Files (x86)\\DVD Maker\DVDMaker.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Dvd Maker, EventMessageFile
C:\Program Files (x86)\\Windows Defender\MpEvMsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WinDefend, EventMessageFile
C:\Program Files (x86)\\Windows Defender\mpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinDefend\Parameters, ServiceDll Delete
C:\Users\Aldair\AppData\Local\Temp\NOSEventMessages.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\OviSuite, EventMessageFile
C:\Users\Aldair\AppData\Roaming\Obwu\uzepy.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Ythyicxip Delete
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cs\aspnet_rc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ASP.NET 4.0.30319.0, EventMessageFile
C:\Windows\System32\Audiosrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder\Parameters, ServiceDll Delete
C:\Windows\System32\Audiosrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AudioSrv\Parameters, ServiceDll Delete
C:\Windows\System32\AxInstSV.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AxInstSV\Parameters, ServiceDll Delete
C:\Windows\System32\AxInstSv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-AxInstallService, EventMessageFile
C:\Windows\System32\DFDTS.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Windows Disk Diagnostic, EventMessageFile
C:\Windows\System32\DispCI.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Display, EventMessageFile
C:\Windows\System32\Drivers\Pcmcia.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\pcmcia, EventMessageFile
C:\Windows\System32\Drivers\VolSnap.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Volsnap, EventMessageFile
C:\Windows\System32\Drivers\acpi.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ACPI, EventMessageFile
C:\Windows\System32\Drivers\hidbth.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\HidBth, EventMessageFile
C:\Windows\System32\RpcEpMap.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RpcEptMapper\Parameters, ServiceDll Delete
C:\Windows\System32\SCardSvr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters, ServiceDll Delete
C:\Windows\System32\SDRSVC.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SDRSVC\Parameters, ServiceDll Delete
C:\Windows\System32\TabSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TabletInputService\Parameters, ServiceDll Delete
C:\Windows\System32\UI0Detect.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Interactive Services detection, EventMessageFile
C:\Windows\System32\VSSVC.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSS, EventMessageFile
C:\Windows\System32\VSSVC.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Security\VSSAudit, EventMessageFile
C:\Windows\System32\WUDFSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wudfsvc\Parameters, ServiceDll Delete
C:\Windows\System32\WerSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WerSvc\Parameters, ServiceDll Delete
C:\Windows\System32\aelupsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AeLookupSvc\Parameters, ServiceDll Delete
C:\Windows\System32\aelupsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AeLookupSvc, EventMessageFile
C:\Windows\System32\appidsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppIDSvc\Parameters, ServiceDll Delete
C:\Windows\System32\appinfo.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Appinfo\Parameters, ServiceDll Delete
C:\Windows\System32\bdesvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BDESVC\Parameters, ServiceDll Delete
C:\Windows\System32\bfe.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BFE\Parameters, ServiceDll Delete
C:\Windows\System32\browser.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Browser\Parameters, ServiceDll Delete
C:\Windows\System32\certprop.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\CertPropSvc\Parameters, ServiceDll Delete
C:\Windows\System32\certprop.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SCPolicySvc\Parameters, ServiceDll Delete
C:\Windows\System32\cscsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\CscService\Parameters, ServiceDll Delete
C:\Windows\System32\defragsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\defragsvc\Parameters, ServiceDll Delete
C:\Windows\System32\dnsrslvr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, ServiceDll Delete
C:\Windows\System32\dot3svc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\dot3svc\Parameters, ServiceDll Delete
C:\Windows\System32\drivers\MTConfig.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MTConfig, EventMessageFile
C:\Windows\System32\drivers\Wdf01000.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\wdf01000, EventMessageFile
C:\Windows\System32\drivers\amdk8.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AmdK8, EventMessageFile
C:\Windows\System32\drivers\amdppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AmdPPM, EventMessageFile
C:\Windows\System32\drivers\ati2erec.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\ATIeRecord, EventMessageFile
C:\Windows\System32\drivers\ati2erec.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\amdkmdag, EventMessageFile
C:\Windows\System32\drivers\ati2erec.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\amdkmdap, EventMessageFile
C:\Windows\System32\drivers\ati2erec.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\atikmdag, EventMessageFile
C:\Windows\System32\drivers\b57nd60a.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\b57nd60a, EventMessageFile
C:\Windows\System32\drivers\bxvbda.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\b06bdrv, EventMessageFile
C:\Windows\System32\drivers\evbda.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ebdrv, EventMessageFile
C:\Windows\System32\drivers\fltmgr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\FltMgr, EventMessageFile
C:\Windows\System32\drivers\i8042prt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\i8042prt, EventMessageFile
C:\Windows\System32\drivers\iaStorV.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iaStorV, EventMessageFile
C:\Windows\System32\drivers\intelppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelppm, EventMessageFile
C:\Windows\System32\drivers\ipmidrv.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPMIDRV, EventMessageFile
C:\Windows\System32\drivers\isapnp.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\isapnp, EventMessageFile
C:\Windows\System32\drivers\kbdclass.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\kbdclass, EventMessageFile
C:\Windows\System32\drivers\kbdhid.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\kbdhid, EventMessageFile
C:\Windows\System32\drivers\mouclass.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mouclass, EventMessageFile
C:\Windows\System32\drivers\mouhid.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mouhid, EventMessageFile
C:\Windows\System32\drivers\mpio.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mpio, EventMessageFile
C:\Windows\System32\drivers\nvstor.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\nvstor, EventMessageFile
C:\Windows\System32\drivers\parport.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Parport, EventMessageFile
C:\Windows\System32\drivers\processr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Processor, EventMessageFile
C:\Windows\System32\drivers\sbp2port.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sbp2port, EventMessageFile
C:\Windows\System32\drivers\serial.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Serial, EventMessageFile
C:\Windows\System32\drivers\sermouse.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sermouse, EventMessageFile
C:\Windows\System32\drivers\tsusbflt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TsUsbFlt, EventMessageFile
C:\Windows\System32\drivers\vgapnp.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vga, EventMessageFile
C:\Windows\System32\drivers\wacompen.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WacomPen, EventMessageFile
C:\Windows\System32\drivers\wd.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Wd, EventMessageFile
C:\Windows\System32\eapsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\EapHost\Parameters, ServiceDll Delete
C:\Windows\System32\gpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\gpsvc\Parameters, ServiceDll Delete
C:\Windows\System32\ikeext.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters, ServiceDll Delete
C:\Windows\System32\iphlpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters, ServiceDll Delete
C:\Windows\System32\ipnathlp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters, ServiceDll Delete
C:\Windows\System32\ipsecsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters, ServiceDll Delete
C:\Windows\System32\iscsiexe.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MSiSCSI, EventMessageFile
C:\Windows\System32\iscsilog.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iScsiPrt, EventMessageFile
C:\Windows\System32\lltdsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lltdsvc\Parameters, ServiceDll Delete
C:\Windows\System32\lmhsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lmhosts\Parameters, ServiceDll Delete
C:\Windows\System32\lsasrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\LsaSrv, EventMessageFile
C:\Windows\System32\lsasrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel, EventMessageFile
C:\Windows\System32\mctadmin.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce, mctadmin Delete
C:\Windows\System32\mctadmin.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_USERS, S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce, mctadmin Delete
C:\Windows\System32\mdsched.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-MemoryDiagnostics-Schedule, EventMessageFile
C:\Windows\System32\netman.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Netman\Parameters, ServiceDll Delete
C:\Windows\System32\nlasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\pcasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PcaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\profsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-User Profiles Service, EventMessageFile
C:\Windows\System32\profsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Profsvc, EventMessageFile
C:\Windows\System32\qmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BITS\Parameters, ServiceDll Delete
C:\Windows\System32\rasauto.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RasAuto\Parameters, ServiceDll Delete
C:\Windows\System32\rasmans.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RasMan\Parameters, ServiceDll Delete
C:\Windows\System32\relpost.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-MemoryDiagnostics-Results, EventMessageFile
C:\Windows\System32\samsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Directory-Services-SAM, EventMessageFile
C:\Windows\System32\samsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SAM, EventMessageFile
C:\Windows\System32\snmptrap.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SNMPTRAP, EventMessageFile
C:\Windows\System32\ssdpsrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters, ServiceDll Delete
C:\Windows\System32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-RasSstp, EventMessageFile
C:\Windows\System32\swprv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\swprv\Parameters, ServiceDll Delete
C:\Windows\System32\tbssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TBS\Parameters, ServiceDll Delete
C:\Windows\System32\tcpmon.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TCPMon, EventMessageFile
C:\Windows\System32\termsrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TermService\Parameters, ServiceDll Delete
C:\Windows\System32\trkwks.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TrkWks\Parameters, ServiceDll Delete
C:\Windows\System32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PlugPlayManager, EventMessageFile
C:\Windows\System32\umpo.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Power, EventMessageFile
C:\Windows\System32\umrdp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\UmRdpService\Parameters, ServiceDll Delete
C:\Windows\System32\umrdp.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\UmRdpService, EventMessageFile
C:\Windows\System32\uxsms.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\UxSms\Parameters, ServiceDll Delete
C:\Windows\System32\vds.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Virtual Disk Service, EventMessageFile
C:\Windows\System32\vmbusres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vmbus, EventMessageFile
C:\Windows\System32\vmictimeprovider.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider, DllName Delete
C:\Windows\System32\vmstorfltres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\storflt, EventMessageFile
C:\Windows\System32\wbiosrvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WbioSrvc\Parameters, ServiceDll Delete
C:\Windows\System32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\wecsvc, EventMessageFile
C:\Windows\System32\wercplsupport.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters, ServiceDll Delete
C:\Windows\System32\wersvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Application Hang, EventMessageFile
C:\Windows\System32\wersvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WerSvc, EventMessageFile
C:\Windows\System32\wevtsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Security\Microsoft-Windows-Eventlog, EventMessageFile
C:\Windows\System32\wevtsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Eventlog, EventMessageFile
C:\Windows\System32\wiaservc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\stisvc\Parameters, ServiceDll Delete
C:\Windows\System32\wiaservc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\StillImage, EventMessageFile
C:\Windows\System32\win32k.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Kmode
C:\Windows\System32\win32k.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Win32k, EventMessageFile
C:\Windows\System32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon, EventMessageFile
C:\Windows\System32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Wlclntfy, EventMessageFile
C:\Windows\System32\wkssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, ServiceDll Delete
C:\Windows\System32\wlansvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters, ServiceDll Delete
C:\Windows\System32\wscsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wscsvc\Parameters, ServiceDll Delete
C:\Windows\System32\wscsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SecurityCenter, EventMessageFile
C:\Windows\System32\wwansvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WwanSvc\Parameters, ServiceDll Delete
C:\Windows\system32\BlbEvents.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Backup, EventMessageFile
C:\Windows\system32\EventProviders\spcmsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Service Pack Installer, EventMessageFile
C:\Windows\system32\FntCache.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\FontCache\Parameters, ServiceDll Delete
C:\Windows\system32\ListSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HomeGroupListener\Parameters, ServiceDll Delete
C:\Windows\system32\Mcx2Svc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Mcx2Svc\Parameters, ServiceDll Delete
C:\Windows\system32\WINSAT.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-WindowsSystemAssessmentTool, EventMessageFile
C:\Windows\system32\WUDFPlatform.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-DriverFrameworks-UserMode, EventMessageFile
C:\Windows\system32\Wat\WatUX.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Activation Technologies, EventMessageFile
C:\Windows\system32\bthserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\bthserv\Parameters, ServiceDll Delete
C:\Windows\system32\certprop.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SCPNP, EventMessageFile
C:\Windows\system32\cofiredm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-CorruptedFileRecovery-Client, EventMessageFile
C:\Windows\system32\cofiredm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-CorruptedFileRecovery-Server, EventMessageFile
C:\Windows\system32\cscsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-OfflineFiles, EventMessageFile
C:\Windows\system32\csrsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Subsys-SMSS, EventMessageFile
C:\Windows\system32\defragsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Defrag, EventMessageFile
C:\Windows\system32\dfdts.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-DiskDiagnostic, EventMessageFile
C:\Windows\system32\dps.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DPS\Parameters, ServiceDll Delete
C:\Windows\system32\drivers\HTTP.SYS Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-HttpEvent, EventMessageFile
C:\Windows\system32\drivers\fltmgr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-FilterManager, EventMessageFile
C:\Windows\system32\drivers\fvevol.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-BitLocker-Driver, EventMessageFile
C:\Windows\system32\drivers\ntfs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Ntfs, EventMessageFile
C:\Windows\system32\dwm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Desktop Window Manager, EventMessageFile
C:\Windows\system32\eapsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-EapHost, EventMessageFile
C:\Windows\system32\fdPHost.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\fdPHost\Parameters, ServiceDll Delete
C:\Windows\system32\fdphost.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-FunctionDiscoveryHost, EventMessageFile
C:\Windows\system32\fdrespub.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\FDResPub\Parameters, ServiceDll Delete
C:\Windows\system32\fdrespub.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-ResourcePublication, EventMessageFile
C:\Windows\system32\fveapi.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-BitLocker-API, EventMessageFile
C:\Windows\system32\fxsevent.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Fax, EventMessageFile
C:\Windows\system32\gpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-GroupPolicy, EventMessageFile
C:\Windows\system32\ipbusenum.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\IPBusEnum\Parameters, ServiceDll Delete
C:\Windows\system32\ipbusenum.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-IPBusEnum, EventMessageFile
C:\Windows\system32\iphlpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Iphlpsvc, EventMessageFile
C:\Windows\system32\iscsiexe.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MSiSCSI\Parameters, ServiceDll Delete
C:\Windows\system32\kmsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\hkmsvc\Parameters, ServiceDll Delete
C:\Windows\system32\lpksetup.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-LanguagePackSetup, EventMessageFile
C:\Windows\system32\lsm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\LSM, EventMessageFile
C:\Windows\system32\lsm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TerminalServices-LocalSessionManager, EventMessageFile
C:\Windows\system32\microsoft-windows-hal-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-HAL, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Power, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-processor-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Processor-Power, EventMessageFile
C:\Windows\system32\mmcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MMCSS\Parameters, ServiceDll Delete
C:\Windows\system32\mmcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\THREADORDER\Parameters, ServiceDll Delete
C:\Windows\system32\mpssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters, ServiceDll Delete
C:\Windows\system32\mpssvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Firewall, EventMessageFile
C:\Windows\system32\msdtckrm.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\KtmRm\Parameters, ServiceDll Delete
C:\Windows\system32\nsisvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\nsi\Parameters, ServiceDll Delete
C:\Windows\system32\oobe\winsetup.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Setup, EventMessageFile
C:\Windows\system32\p2psvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\p2psvc\Parameters, ServiceDll Delete
C:\Windows\system32\peerdistsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PeerDistSvc\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpauto.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PNRPAutoReg\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\p2pimsvc\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PNRPsvc\Parameters, ServiceDll Delete
C:\Windows\system32\profsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters, ServiceDll Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\system32\qagentRT.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\napagent\Parameters, ServiceDll Delete
C:\Windows\system32\qmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Bits-Client, EventMessageFile
C:\Windows\system32\recovery.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Recovery, EventMessageFile
C:\Windows\system32\regsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters, ServiceDll Delete
C:\Windows\system32\rpcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters, ServiceDll Delete
C:\Windows\system32\rpcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RpcSs\Parameters, ServiceDll Delete
C:\Windows\system32\schedsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Schedule\Parameters, ServiceDll Delete
C:\Windows\system32\schedsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TaskScheduler, EventMessageFile
C:\Windows\system32\sdclt.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath,
C:\Windows\system32\sdengin2.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Backup, EventMessageFile
C:\Windows\system32\seclogon.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\seclogon\Parameters, ServiceDll Delete
C:\Windows\system32\sensrsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SensrSvc\Parameters, ServiceDll Delete
C:\Windows\system32\services.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Service Control Manager, EventMessageFile
C:\Windows\system32\sppsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Software Protection Platform Service, EventMessageFile
C:\Windows\system32\sppsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Key Management Service\KmsRequests, EventMessageFile
C:\Windows\system32\sppuinotify.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\sppuinotify\Parameters, ServiceDll Delete
C:\Windows\system32\srcore.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System Restore, EventMessageFile
C:\Windows\system32\srvsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, ServiceDll Delete
C:\Windows\system32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters, ServiceDll Delete
C:\Windows\system32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RasSstp, EventMessageFile
C:\Windows\system32\sysmain.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SysMain\Parameters, ServiceDll Delete
C:\Windows\system32\sysmain.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\rdyboost\Performance, Library Delete
C:\Windows\system32\tbssvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TBS, EventMessageFile
C:\Windows\system32\termsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TerminalServices-RemoteConnectionManager, EventMessageFile
C:\Windows\system32\termsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService, EventMessageFile
C:\Windows\system32\themeservice.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Themes\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PlugPlay\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-UserPnp, EventMessageFile
C:\Windows\system32\umpo.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Power\Parameters, ServiceDll Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\Parameters, ServiceDll Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Time-Service, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\W32Time, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient, DllName Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer, DllName Delete
C:\Windows\system32\wbem\WMIsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters, ServiceDll Delete
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Wecsvc\Parameters, ServiceDll Delete
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-EventCollector, EventMessageFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\HardwareEvents, DisplayNameFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-EventCollector, EventMessageFile
C:\Windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Winlogon, EventMessageFile
C:\Windows\system32\winsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Winsrv, EventMessageFile
C:\Windows\system32\wlansvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WLAN-AutoConfig, EventMessageFile
C:\Windows\system32\wpdbusenum.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WPDBusEnum\Parameters, ServiceDll Delete
C:\Windows\system32\wsepno.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service Profile Notification, EventMessageFile
C:\Windows\system32\wuaueng.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wuauserv\Parameters, ServiceDll Delete
C:\Windows\system32\wuaueng.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WindowsUpdateClient, EventMessageFile
rdpclip Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms Delete
Autoruns items found - 751, recognized as trusted - 511

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\Program Files\IB Updater\Extension32.dll Script: Quarantine, Delete, Delete via BC	BHO			{336D0C35-8A85-403a-B9D2-65C292C39087} Delete
	Toolbar			{D5D47440-0750-463D-BAEF-A47D02414806} Delete
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	URLSearchHook			{124d001a-bdcb-472f-aa59-bbe7e4bc3204} Delete
Items found - 14, recognized as trusted - 10

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	WinRAR shell extension			{B41DB860-64E4-11D2-9906-E49FADC173CA} Delete
	SPTHandler			{BD88A479-9623-4897-8546-BC62B9628F44} Delete
	System Guards Context Menu			{929EC980-BAC9-452C-84E3-FCA6DCB3BAC6} Delete
	DivX Thumbnail Provider			{83238FAE-D346-4E12-8734-D42F7554B3E6} Delete
	DivX Property Handler			{D8D1CE8C-B1EB-4E95-B63B-1531BA60E992} Delete
	WebCheck			{E6FB5E20-DE35-11CF-9C87-00AA005127ED} Delete
	Catalyst Context Menu extension			{5E2121EE-0300-11D4-8D3B-444553540000} Delete
Items found - 35, recognized as trusted - 28

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
localspl.dll Script: Quarantine, Delete, Delete via BC	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Microsoft Shared Fax Monitor
tcpmon.dll Script: Quarantine, Delete, Delete via BC	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, Delete via BC	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, Delete via BC	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, Delete via BC	Provider	HTTP Print Services
Items found - 7, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer
C:\Program Files (x86)\Norton Security Scan\Engine\2.7.3.34\Nss.exe Script: Quarantine, Delete, Delete via BC	Norton Security Scan for Aldair.job Script: Delete	The task is ready to run at its next scheduled time.
Items found - 7, recognized as trusted - 6

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 8, recognized as trusted - 8

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [740] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
554 LISTENING 0.0.0.0 0 [2668] wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
3260 LISTENING 0.0.0.0 0 [1404] c:\program files (x86)\alcohol soft\alcohol 120\starwind\starwindserviceae.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3260 LISTENING 0.0.0.0 0 [1404] c:\program files (x86)\alcohol soft\alcohol 120\starwind\starwindserviceae.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3261 LISTENING 0.0.0.0 0 [1404] c:\program files (x86)\alcohol soft\alcohol 120\starwind\starwindserviceae.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5058 LISTENING 0.0.0.0 0 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
10243 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
16716 LISTENING 0.0.0.0 0 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
16718 LISTENING 0.0.0.0 0 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
16720 LISTENING 0.0.0.0 0 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
16722 LISTENING 0.0.0.0 0 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
40628 LISTENING 0.0.0.0 0 [2036] Samsung Link Service.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49152 LISTENING 0.0.0.0 0 [436] wininit.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49153 LISTENING 0.0.0.0 0 [864] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49154 LISTENING 0.0.0.0 0 [548] lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49155 LISTENING 0.0.0.0 0 [928] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49156 LISTENING 0.0.0.0 0 [532] services.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49160 ESTABLISHED 127.0.0.1 49161 [3436] c:\program files (x86)\mozilla firefox\firefox.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49161 ESTABLISHED 127.0.0.1 49160 [3436] c:\program files (x86)\mozilla firefox\firefox.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49225 ESTABLISHED 127.0.0.1 49226 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49226 ESTABLISHED 127.0.0.1 49225 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49227 ESTABLISHED 127.0.0.1 49228 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49228 ESTABLISHED 127.0.0.1 49227 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49229 ESTABLISHED 127.0.0.1 49230 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49230 ESTABLISHED 127.0.0.1 49229 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49231 ESTABLISHED 127.0.0.1 49232 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49232 ESTABLISHED 127.0.0.1 49231 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49243 ESTABLISHED 127.0.0.1 49244 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49244 ESTABLISHED 127.0.0.1 49243 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49268 ESTABLISHED 46.137.95.216 8080 [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49446 CLOSE_WAIT 89.108.67.190 80 [4356] c:\users\aldair\desktop\avz4\avz.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [928] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [300] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [300] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [928] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5004 LISTENING -- -- [2668] wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5005 LISTENING -- -- [2668] wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5355 LISTENING -- -- [620] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
44301 LISTENING -- -- [1520] c:\windows\syswow64\pnkbstra.exe
Script: Quarantine, Delete, Delete via BC, Terminate
50748 LISTENING -- -- [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
50749 LISTENING -- -- [3036] Samsung Link.exe
Script: Quarantine, Delete, Delete via BC, Terminate
57341 LISTENING -- -- [300] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
58534 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62927 LISTENING -- -- [2640] c:\program files (x86)\samsung\kies\external\firmwareupdate\kiespdlr.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62928 LISTENING -- -- [300] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62932 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62933 LISTENING -- -- [1420] svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 4, recognized as trusted - 4

Control Panel Applets (CPL)

File name Description Manufacturer
Items found - 21, recognized as trusted - 21

Active Setup

File name Description Manufacturer CLSID
Items found - 9, recognized as trusted - 9

HOSTS file

Hosts file record

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Items found - 18, recognized as trusted - 15

Suspicious objects

File Description Type

AVZ Antiviral Toolkit log; AVZ version is 4.39
Scanning started at 04.05.2013 11:43:07
Database loaded: signatures - 297614, NN profile(s) - 2, malware removal microprograms - 56, signature database released 04.05.2013 04:00
Heuristic microprograms loaded: 402
PVS microprograms loaded: 9
Digital signatures of system files loaded: 548982
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: disabled
Windows version is: 6.1.7601, Service Pack 1 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Error loading driver - operation interrupted [C000036B]
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Error loading driver - operation interrupted [C000036B]
2. Scanning RAM
 Number of processes found: 12
Extended process analysis: 2564 C:\Program Files\Samsung\Samsung Link\utils\Samsung Link Launcher.exe
[ES]:Application has no visible windows
Extended process analysis: 2620 C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
 Number of modules loaded: 193
Scanning RAM - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
 Checking - disabled by user
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Vzd?len? plocha)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Pl?nova? ?loh)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Process termination timeout is out of admissible values
 >>  Service termination timeout is out of admissible values
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 205, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 04.05.2013 11:44:00
Time of scanning: 00:00:55
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
System Analysis in progress

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Vzdбlenб plocha)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Plбnovaи ъloh)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	0	[740] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
139	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
554	LISTENING	0.0.0.0	0	[2668] wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
2869	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
3260	LISTENING	0.0.0.0	0	[1404] c:\program files (x86)\alcohol soft\alcohol 120\starwind\starwindserviceae.exe Script: Quarantine, Delete, Delete via BC, Terminate
3260	LISTENING	0.0.0.0	0	[1404] c:\program files (x86)\alcohol soft\alcohol 120\starwind\starwindserviceae.exe Script: Quarantine, Delete, Delete via BC, Terminate
3261	LISTENING	0.0.0.0	0	[1404] c:\program files (x86)\alcohol soft\alcohol 120\starwind\starwindserviceae.exe Script: Quarantine, Delete, Delete via BC, Terminate
5058	LISTENING	0.0.0.0	0	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
5357	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
10243	LISTENING	0.0.0.0	0	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
16716	LISTENING	0.0.0.0	0	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
16718	LISTENING	0.0.0.0	0	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
16720	LISTENING	0.0.0.0	0	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
16722	LISTENING	0.0.0.0	0	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
40628	LISTENING	0.0.0.0	0	[2036] Samsung Link Service.exe Script: Quarantine, Delete, Delete via BC, Terminate
49152	LISTENING	0.0.0.0	0	[436] wininit.exe Script: Quarantine, Delete, Delete via BC, Terminate
49153	LISTENING	0.0.0.0	0	[864] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49154	LISTENING	0.0.0.0	0	[548] lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
49155	LISTENING	0.0.0.0	0	[928] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
49156	LISTENING	0.0.0.0	0	[532] services.exe Script: Quarantine, Delete, Delete via BC, Terminate
49160	ESTABLISHED	127.0.0.1	49161	[3436] c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate
49161	ESTABLISHED	127.0.0.1	49160	[3436] c:\program files (x86)\mozilla firefox\firefox.exe Script: Quarantine, Delete, Delete via BC, Terminate
49225	ESTABLISHED	127.0.0.1	49226	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49226	ESTABLISHED	127.0.0.1	49225	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49227	ESTABLISHED	127.0.0.1	49228	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49228	ESTABLISHED	127.0.0.1	49227	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49229	ESTABLISHED	127.0.0.1	49230	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49230	ESTABLISHED	127.0.0.1	49229	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49231	ESTABLISHED	127.0.0.1	49232	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49232	ESTABLISHED	127.0.0.1	49231	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49243	ESTABLISHED	127.0.0.1	49244	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49244	ESTABLISHED	127.0.0.1	49243	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49268	ESTABLISHED	46.137.95.216	8080	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
49446	CLOSE_WAIT	89.108.67.190	80	[4356] c:\users\aldair\desktop\avz4\avz.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, Delete via BC, Terminate
500	LISTENING	--	--	[928] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
1900	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[300] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[300] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
4500	LISTENING	--	--	[928] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
5004	LISTENING	--	--	[2668] wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
5005	LISTENING	--	--	[2668] wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
5355	LISTENING	--	--	[620] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
44301	LISTENING	--	--	[1520] c:\windows\syswow64\pnkbstra.exe Script: Quarantine, Delete, Delete via BC, Terminate
50748	LISTENING	--	--	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
50749	LISTENING	--	--	[3036] Samsung Link.exe Script: Quarantine, Delete, Delete via BC, Terminate
57341	LISTENING	--	--	[300] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
58534	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
62927	LISTENING	--	--	[2640] c:\program files (x86)\samsung\kies\external\firmwareupdate\kiespdlr.exe Script: Quarantine, Delete, Delete via BC, Terminate
62928	LISTENING	--	--	[300] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
62932	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate
62933	LISTENING	--	--	[1420] svchost.exe Script: Quarantine, Delete, Delete via BC, Terminate