Results of system analysis

List of processes

File name	PID	Description	Copyright	MD5	Information
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe Script: Quarantine, Delete, BC delete, Terminate	2088	AVG Anti-Spyware	Copyright ? 2007 GRISOFT s.r.o.	??	6573.55 kb, rsAh, created: 2007-06-11 17:25:42, modified: 2007-06-11 17:25:42 Command line: "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
c:\program files\rising\rav\ccenter.exe Script: Quarantine, Delete, BC delete, Terminate	1244	CCenter	Copyright Rising 2002	??	108.00 kb, rsAh, created: 2006-10-10 10:40:55, modified: 2006-10-10 10:42:43 Command line:
c:\windows\explorer.exe Script: Quarantine, Delete, BC delete, Terminate	968	Windows Explorer	(C) Microsoft Corporation. All rights reserved.	??	955.00 kb, rsAh, created: 2004-08-08 11:33:53, modified: 2007-06-13 21:21:55 Command line: C:\WINDOWS\Explorer.EXE
c:\program files\grisoft\avg anti-spyware 7.5\guard.exe Script: Quarantine, Delete, BC delete, Terminate	1768	AVG Anti-Spyware guard	Copyright ? 2007 GRISOFT s.r.o.	??	305.55 kb, rsAh, created: 2007-05-30 20:31:10, modified: 2007-05-30 20:31:10 Command line: "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe"
c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate	2056	Internet Explorer	(C) Microsoft Corporation. All rights reserved.	??	91.00 kb, rsAh, created: 2006-10-09 22:22:21, modified: 2004-08-08 11:33:53 Command line: "C:\Program Files\internet explorer\iexplore.exe"
c:\program files\java\jre1.5.0_09\bin\jucheck.exe Script: Quarantine, Delete, BC delete, Terminate	392	Java(TM) Update Checker	Copyright ? 2004	??	236.11 kb, rsAh, created: 2006-12-03 03:16:35, modified: 2006-10-12 03:10:54 Command line: -auto
c:\program files\rising\rav\ravmond.exe Script: Quarantine, Delete, BC delete, Terminate	1264	RavMond	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	??	272.00 kb, rsAh, created: 2006-10-10 10:41:01, modified: 2007-01-12 11:01:01 Command line:
c:\program files\rising\rav\ravservice.exe Script: Quarantine, Delete, BC delete, Terminate	1824		Copyright (C) 2005	??	1256.00 kb, rsAh, created: 2006-10-10 10:40:55, modified: 2007-05-21 08:31:25 Command line:
c:\program files\rising\rav\ravstub.exe Script: Quarantine, Delete, BC delete, Terminate	1920	Rising RavStub	Copyright (c) 1998-2005 Rising Corp.	??	88.00 kb, rsAh, created: 2006-10-10 10:41:01, modified: 2007-01-12 11:01:02 Command line:
c:\program files\rising\rav\ravtray.exe Script: Quarantine, Delete, BC delete, Terminate	548	RavNet Tray	Copyright (C) 2003	??	856.00 kb, rsAh, created: 2006-10-10 10:40:55, modified: 2007-03-20 08:31:02 Command line:
c:\windows\system32\spoolsv.exe Script: Quarantine, Delete, BC delete, Terminate	1656	Spooler SubSystem App	? Microsoft Corporation. All rights reserved.	??	56.50 kb, rsAh, created: 2004-08-08 11:33:53, modified: 2005-06-11 07:53:32 Command line: C:\WINDOWS\system32\spoolsv.exe
c:\program files\superantispyware\superantispyware.exe Script: Quarantine, Delete, BC delete, Terminate	2272	SUPERAntiSpyware	Copyright (C) 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com	??	1280.00 kb, rsAh, created: 2007-02-27 11:39:26, modified: 2007-02-27 11:39:26 Command line: "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
c:\windows\system32\winlogon.exe Script: Quarantine, Delete, BC delete, Terminate	716	Windows NT Logon Application	(C) Microsoft Corporation. All rights reserved.	??	476.00 kb, rsAh, created: 2004-08-08 11:33:53, modified: 2004-08-08 11:33:53 Command line: winlogon.exe
Detected:33, recognized as trusted 24

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.chs Script: Quarantine, Delete, BC delete	63635456	Adobe Acrobat Context Menu	Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.	--	968
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.CHS Script: Quarantine, Delete, BC delete	52953088	PDF Shell Extension	Copyright 2000-2004 Adobe Systems, Inc.	--	968
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AdistRes.CHS Script: Quarantine, Delete, BC delete	268435456			--	1656
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe Script: Quarantine, Delete, BC delete	4194304	AVG Anti-Spyware	Copyright ? 2007 GRISOFT s.r.o.	??	2088
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll Script: Quarantine, Delete, BC delete	40173568	Context-Menu (Shell Extension)	Copyright ? 2007 GRISOFT s.r.o.	--	968
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll Script: Quarantine, Delete, BC delete	268435456	AVG Anti-Spyware Scan Engine	Copyright ? 2007 GRISOFT s.r.o.	--	2088, 1768
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe Script: Quarantine, Delete, BC delete	4194304	AVG Anti-Spyware guard	Copyright ? 2007 GRISOFT s.r.o.	??	1768
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll Script: Quarantine, Delete, BC delete	31981568	AVG Anti-Spyware shellexecutehook	Copyright ? 2007 GRISOFT s.r.o.	--	968, 2272
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe Script: Quarantine, Delete, BC delete	4194304	Java(TM) Update Checker	Copyright ? 2004	??	392
C:\Program Files\Rising\Rav\BDEngine.dll Script: Quarantine, Delete, BC delete	17629184	BDEngine Dynamic Link Library	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	548
C:\Program Files\Rising\Rav\BDEX.dll Script: Quarantine, Delete, BC delete	17825792	BDEngine ¶ЇМ¬БґЅУїв	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	--	548
C:\Program Files\Rising\Rav\BDLib.dll Script: Quarantine, Delete, BC delete	18022400	BDLib	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	548
C:\Program Files\Rising\Rav\BWList.dll Script: Quarantine, Delete, BC delete	268435456	BWList DLL	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	--	1264
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE Script: Quarantine, Delete, BC delete	4194304	CCenter	Copyright Rising 2002	??	1244
C:\Program Files\Rising\Rav\CfgDll.dll Script: Quarantine, Delete, BC delete	147587072	CfgDll	Copyright ? 2004 - 2006	--	1264
C:\Program Files\Rising\Rav\DLCenter.dll Script: Quarantine, Delete, BC delete	268435456	DLCenter DLL	Copyright(C) 2005	--	1824
C:\Program Files\Rising\Rav\engine.dll Script: Quarantine, Delete, BC delete	161415168	engine	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\expscan.dll Script: Quarantine, Delete, BC delete	158334976	ExpScan.dll	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ExtFile.dll Script: Quarantine, Delete, BC delete	181272576	extFile Dynamic Link Library	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ExtMail.dll Script: Quarantine, Delete, BC delete	337707008	ExtMail	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ExtOLE.dll Script: Quarantine, Delete, BC delete	157155328	ExtOLE	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\HookCont.dll Script: Quarantine, Delete, BC delete	160628736	HookCont Dynamic Link Library	Copyright (C) 2007	--	1264
C:\Program Files\Rising\Rav\HOOKSYS.dll Script: Quarantine, Delete, BC delete	150536192	HOOKSYS Dynamic Link Library	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\HookWeb.dll Script: Quarantine, Delete, BC delete	156958720	HookWeb	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\libload.dll Script: Quarantine, Delete, BC delete	319815680	LibLoad	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264, 548
C:\Program Files\Rising\Rav\MemMon.dll Script: Quarantine, Delete, BC delete	158138368	MemMon	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\mPorts.dll Script: Quarantine, Delete, BC delete	158466048	mPorts.dll	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\NvFile.dll Script: Quarantine, Delete, BC delete	182190080	NVFile	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\PostTrt.dll Script: Quarantine, Delete, BC delete	172556288	PostTrt	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\psapi.dll Script: Quarantine, Delete, BC delete	1931149312	Process Status Helper	Copyright (C) Microsoft Corp. 1981-1996	--	1264
C:\Program Files\Rising\Rav\Ravmond.exe Script: Quarantine, Delete, BC delete	4194304	RavMond	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	??	1264
C:\Program Files\Rising\Rav\RavService.exe Script: Quarantine, Delete, BC delete	4194304		Copyright (C) 2005	??	1824
C:\Program Files\Rising\Rav\RavStub.exe Script: Quarantine, Delete, BC delete	4194304	Rising RavStub	Copyright (c) 1998-2005 Rising Corp.	??	1920
C:\Program Files\Rising\Rav\RavTray.exe Script: Quarantine, Delete, BC delete	4194304	RavNet Tray	Copyright (C) 2003	??	548
C:\Program Files\Rising\Rav\RavTray936.dll Script: Quarantine, Delete, BC delete	11993088	ИрРЗЙ±¶ѕИнјюНшВз°жНРЕМіМРт	°жИЁЛщУР (C) 2003	--	548
C:\Program Files\Rising\Rav\RavUILib.dll Script: Quarantine, Delete, BC delete	268435456	RavUILib DLL	All Rights Reserved	--	548
C:\Program Files\Rising\Rav\regmon.dll Script: Quarantine, Delete, BC delete	154533888	regmon	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\rfwctrl.dll Script: Quarantine, Delete, BC delete	10944512	RfwCtrl DLL	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\RSAPPMGR.DLL Script: Quarantine, Delete, BC delete	13238272	Rising Application Manager	Copyright ? 2004 - 2005	--	1264
C:\Program Files\Rising\Rav\RSCOMMON.DLL Script: Quarantine, Delete, BC delete	594542592	Rising Common Function Dynamic Link Library	Copyright (c) 1998-2007 Rising Corp.	--	968, 1264, 1920
C:\Program Files\Rising\Rav\RsCommX.dll Script: Quarantine, Delete, BC delete	7602176	RsCommX	Copyright ? 2002	--	1264, 1824, 1920, 548
C:\Program Files\Rising\Rav\RsLog.dll Script: Quarantine, Delete, BC delete	150470656	RsLog DLL	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\RsPPsys.dll Script: Quarantine, Delete, BC delete	12058624	RSPPSYS Dynamic Link Library	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\RsVM.dll Script: Quarantine, Delete, BC delete	202964992	RSVM Dynamic Link Library	Copyright (C) 2006	--	1264
C:\Program Files\Rising\Rav\ScanEx.dll Script: Quarantine, Delete, BC delete	184877056	ScanEX	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ScanExec.dll Script: Quarantine, Delete, BC delete	329973760	ScanExec	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ScanMac.dll Script: Quarantine, Delete, BC delete	330235904	ScanMac	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\Scanner.dll Script: Quarantine, Delete, BC delete	151781376	RsScanner	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ScanNet.dll Script: Quarantine, Delete, BC delete	186318848	ScanNet	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ScanPack.dll Script: Quarantine, Delete, BC delete	183369728	Unpack Engine	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\ScanSct.dll Script: Quarantine, Delete, BC delete	182714368	ScanSct	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\SpamEng.dll Script: Quarantine, Delete, BC delete	160759808	SpamEng Dynamic Link Library	Copyright (C) 2004	--	1264
C:\Program Files\Rising\Rav\UnExe.dll Script: Quarantine, Delete, BC delete	172818432	UnExe	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\Uroutine.dll Script: Quarantine, Delete, BC delete	266797056	Unpack Routine	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\Uscript.dll Script: Quarantine, Delete, BC delete	231211008	Unpack Script	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\Rising\Rav\VirusLib.dll Script: Quarantine, Delete, BC delete	153223168	VirusLib	Copyright(c) 1998-2006 Beijing Rising Technology Corporation Limited	--	1264
C:\Program Files\SUPERAntiSpyware\deupx.dll Script: Quarantine, Delete, BC delete	268435456	deupx.dll	Copyright (C) 2006 by SUPERAntiSpyware.com and SUPERAdBlocker.com	--	2272
C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL Script: Quarantine, Delete, BC delete	15204352	SUPERAntiSpyware Context Menu Extension	(C) Copyright 2006-2007 SUPERAdBlocker.com and SUPERAntiSpyware.com	--	968
C:\Program Files\SUPERAntiSpyware\SASSEH.DLL Script: Quarantine, Delete, BC delete	32112640	ShellExecuteHook	(c) Copyright 2004-2006 SuperAdBlocker.com	--	968, 2272
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll Script: Quarantine, Delete, BC delete	268435456	SUPERAntiSpyware WinLogon Processor	Copyright (C) 2005-2007 SUPERAntiSpyware.com and SUPERAdBlocker.com	--	716
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, BC delete	4194304	SUPERAntiSpyware	Copyright (C) 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com	??	2272
C:\Program Files\WinRAR\rarext.dll Script: Quarantine, Delete, BC delete	34865152			--	968
C:\WINDOWS\Fonts\kvdxmma.dll Script: Quarantine, Delete, BC delete	26935296			--	968, 2056, 2272
C:\WINDOWS\system32\PRTdlink.dll Script: Quarantine, Delete, BC delete	16515072			--	1656
C:\WINDOWS\system32\RavExt.dll Script: Quarantine, Delete, BC delete	268435456	Rising Shell Ext Module	Copyright (c) 1998-2007 Rising Corp.	--	968, 2272
C:\WINDOWS\system32\TudouUpload.dll Script: Quarantine, Delete, BC delete	33816576	DLL registration shell extension	Copyright 2000-2006 by Tudou.com	--	968
Modules detected:365, recognized as trusted 299

Kernel space modules

Module	Base address	Size in memory	Description	Manufacturer
C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys Script: Quarantine, Delete, BC delete	F982F000	001000 (4096)	AVG7 Clean Driver	Copyright ? 2006 GRISOFT, s.r.o.
C:\WINDOWS\system32\drivers\basetdi.sys Script: Quarantine, Delete, BC delete	F8547000	003000 (12288)	basetdi	Copyright(c) 1998-2007 Beijing Rising Technology Corporation Limited
C:\WINDOWS\System32\Drivers\DgiVecp.sys Script: Quarantine, Delete, BC delete	F83CE000	00F000 (61440)	Windows 2k,XP IEEE-1284 parallel class driver for ECP, Byte, and Nibble modes	Copyright ? 1998, 1999 by Samsung Electronics Co., Ltd.
C:\WINDOWS\System32\Drivers\dump_atapi.sys Script: Quarantine, Delete, BC delete	F8A77000	018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Script: Quarantine, Delete, BC delete	F979E000	002000 (8192)
C:\Program Files\Rising\Rav\ExpScan.sys Script: Quarantine, Delete, BC delete	F846E000	015000 (86016)	ExpScan.sys	Copyright (C) 2004 Rising
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys Script: Quarantine, Delete, BC delete	F984E000	001000 (4096)
C:\Program Files\Rising\Rav\HOOKAPI.SYS Script: Quarantine, Delete, BC delete	F85EF000	00D000 (53248)	HOOKAPI Driver	Copyright (C) RFW Corp. 2000-2002
C:\Program Files\Rising\Rav\HOOKBASE.sys Script: Quarantine, Delete, BC delete	F8E49000	009000 (36864)	HookBase	Copyright (C) 2004
C:\Program Files\Rising\Rav\HOOKCONT.sys Script: Quarantine, Delete, BC delete	F97D4000	002000 (8192)	HookCont	Copyright (C) 2007
C:\Program Files\Rising\Rav\HookReg.sys Script: Quarantine, Delete, BC delete	F855B000	004000 (16384)		°жИЁЛщУР (@) 2003
C:\Program Files\Rising\Rav\HookSys.sys Script: Quarantine, Delete, BC delete	F84AB000	026000 (155648)	Hooksys	Copyright (C) 2007
C:\Program Files\Rising\Rav\MEMSCAN.sys Script: Quarantine, Delete, BC delete	F8553000	004000 (16384)	MemScan Driver	Rising Corp. All rights reserved.
C:\WINDOWS\system32\Drivers\RsNTGdi.sys Script: Quarantine, Delete, BC delete	F9829000	001000 (4096)	RsNTGDI	Copyright (c) 1998-2007 Rising Corp.
C:\Program Files\Rising\Rav\RSPPSYS.sys Script: Quarantine, Delete, BC delete	F853B000	003000 (12288)	RSPPSYS	Copyright (C) 2006
C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS Script: Quarantine, Delete, BC delete	F95F0000	007000 (28672)	SASDIFSV	Copyright (C) 2006
C:\Program Files\SUPERAntiSpyware\SASENUM.SYS Script: Quarantine, Delete, BC delete	F9648000	005000 (20480)	SuperAntiSpyware	(C) Copyright 2004-2006
C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys Script: Quarantine, Delete, BC delete	F9360000	00C000 (49152)	SASKUTIL.SYS	Copyright (C) 2006
Modules detected - 135, recognized as trusted - 117

Services

Service	Description	Status	File	Group	Dependencies
AVG Anti-Spyware Guard Service: Stop, Delete, Disable	AVG Anti-Spyware Guard	Running	C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe Script: Quarantine, Delete, BC delete
RavService Service: Stop, Delete, Disable	RavService	Running	C:\Program Files\Rising\Rav\RavService.exe Script: Quarantine, Delete, BC delete
RsCCenter Service: Stop, Delete, Disable	Rising Process Communication Center	Running	C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE Script: Quarantine, Delete, BC delete
RsRavMon Service: Stop, Delete, Disable	RsRavMon Service	Running	C:\Program Files\Rising\Rav\Ravmond.exe Script: Quarantine, Delete, BC delete	TDI	RsCCenter
Adobe LM Service Service: Stop, Delete, Disable	Adobe LM Service	Not started	C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe Script: Quarantine, Delete, BC delete
Detected - 87, recognized as trusted - 82

Drivers

Service	Description	Status	File	Group	Dependencies
AVG Anti-Spyware Driver Driver: Unload, Delete, Disable	AVG Anti-Spyware Driver	Running	C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys Script: Quarantine, Delete, BC delete
AvgAsCln Driver: Unload, Delete, Disable	AVG Anti-Spyware Clean Driver	Running	C:\WINDOWS\system32\DRIVERS\AvgAsCln.sys Script: Quarantine, Delete, BC delete	Base
BaseTDI Driver: Unload, Delete, Disable	BaseTDI	Running	C:\WINDOWS\system32\drivers\basetdi.sys Script: Quarantine, Delete, BC delete		Tcpip
DgiVecp Driver: Unload, Delete, Disable	Team MFP Comm Driver	Running	C:\WINDOWS\system32\Drivers\DgiVecp.sys Script: Quarantine, Delete, BC delete		+Parallel Arbitrator
ExpScaner Driver: Unload, Delete, Disable	ExpScaner	Running	C:\Program Files\Rising\Rav\ExpScan.sys Script: Quarantine, Delete, BC delete	TDI	BaseTDI
HookCont Driver: Unload, Delete, Disable	HookCont	Running	C:\Program Files\Rising\Rav\HOOKCONT.sys Script: Quarantine, Delete, BC delete	TDI
HookReg Driver: Unload, Delete, Disable	HookReg	Running	C:\Program Files\Rising\Rav\HookReg.sys Script: Quarantine, Delete, BC delete	TDI
HookSys Driver: Unload, Delete, Disable	HookSys	Running	C:\Program Files\Rising\Rav\HookSys.sys Script: Quarantine, Delete, BC delete	TDI
MEMSCAN Driver: Unload, Delete, Disable	MEMSCAN	Running	C:\Program Files\Rising\Rav\MEMSCAN.sys Script: Quarantine, Delete, BC delete	TDI
RsNTGDI Driver: Unload, Delete, Disable	RsNTGDI	Running	C:\WINDOWS\system32\Drivers\RsNTGdi.sys Script: Quarantine, Delete, BC delete
RSPPSYS Driver: Unload, Delete, Disable	RSPPSYS	Running	C:\Program Files\Rising\Rav\RSPPSYS.sys Script: Quarantine, Delete, BC delete	TDI	BaseTDI
SASDIFSV Driver: Unload, Delete, Disable	SASDIFSV	Running	C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS Script: Quarantine, Delete, BC delete
SASENUM Driver: Unload, Delete, Disable	SASENUM	Running	C:\Program Files\SUPERAntiSpyware\SASENUM.SYS Script: Quarantine, Delete, BC delete
SASKUTIL Driver: Unload, Delete, Disable	SASKUTIL	Running	C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys Script: Quarantine, Delete, BC delete
Abiosdsk Driver: Unload, Delete, Disable	Abiosdsk	Not started	Abiosdsk.sys Script: Quarantine, Delete, BC delete	Primary disk
abp480n5 Driver: Unload, Delete, Disable	abp480n5	Not started	abp480n5.sys Script: Quarantine, Delete, BC delete	SCSI miniport
adpu160m Driver: Unload, Delete, Disable	adpu160m	Not started	adpu160m.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Aha154x Driver: Unload, Delete, Disable	Aha154x	Not started	Aha154x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78u2 Driver: Unload, Delete, Disable	aic78u2	Not started	aic78u2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
aic78xx Driver: Unload, Delete, Disable	aic78xx	Not started	aic78xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
AliIde Driver: Unload, Delete, Disable	AliIde	Not started	AliIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
amsint Driver: Unload, Delete, Disable	amsint	Not started	amsint.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc Driver: Unload, Delete, Disable	asc	Not started	asc.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3350p Driver: Unload, Delete, Disable	asc3350p	Not started	asc3350p.sys Script: Quarantine, Delete, BC delete	SCSI miniport
asc3550 Driver: Unload, Delete, Disable	asc3550	Not started	asc3550.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Atdisk Driver: Unload, Delete, Disable	Atdisk	Not started	Atdisk.sys Script: Quarantine, Delete, BC delete	Primary disk
catchme Driver: Unload, Delete, Disable	catchme	Not started	C:\DOCUME~1\ke\LOCALS~1\Temp\catchme.sys Script: Quarantine, Delete, BC delete	Base
cd20xrnt Driver: Unload, Delete, Disable	cd20xrnt	Not started	cd20xrnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Changer Driver: Unload, Delete, Disable	Changer	Not started	Changer.sys Script: Quarantine, Delete, BC delete	Filter
CmdIde Driver: Unload, Delete, Disable	CmdIde	Not started	CmdIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
Cpqarray Driver: Unload, Delete, Disable	Cpqarray	Not started	Cpqarray.sys Script: Quarantine, Delete, BC delete	SCSI miniport
dac960nt Driver: Unload, Delete, Disable	dac960nt	Not started	dac960nt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
dpti2o Driver: Unload, Delete, Disable	dpti2o	Not started	dpti2o.sys Script: Quarantine, Delete, BC delete	SCSI miniport
hpn Driver: Unload, Delete, Disable	hpn	Not started	hpn.sys Script: Quarantine, Delete, BC delete	SCSI miniport
i2omgmt Driver: Unload, Delete, Disable	i2omgmt	Not started	i2omgmt.sys Script: Quarantine, Delete, BC delete	SCSI Class
i2omp Driver: Unload, Delete, Disable	i2omp	Not started	i2omp.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ini910u Driver: Unload, Delete, Disable	ini910u	Not started	ini910u.sys Script: Quarantine, Delete, BC delete	SCSI miniport
lbrtfdc Driver: Unload, Delete, Disable	lbrtfdc	Not started	lbrtfdc.sys Script: Quarantine, Delete, BC delete	System Bus Extender
lbshndjh Driver: Unload, Delete, Disable	lbshndjh	Not started	C:\WINDOWS\\SystemRoot\System32\drivers\lbshndjh.sys Script: Quarantine, Delete, BC delete	DMN
mraid35x Driver: Unload, Delete, Disable	mraid35x	Not started	mraid35x.sys Script: Quarantine, Delete, BC delete	SCSI miniport
PCIDump Driver: Unload, Delete, Disable	PCIDump	Not started	PCIDump.sys Script: Quarantine, Delete, BC delete	PCI Configuration
PCIIde Driver: Unload, Delete, Disable	PCIIde	Not started	PCIIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
PDCOMP Driver: Unload, Delete, Disable	PDCOMP	Not started	PDCOMP.sys Script: Quarantine, Delete, BC delete
PDFRAME Driver: Unload, Delete, Disable	PDFRAME	Not started	PDFRAME.sys Script: Quarantine, Delete, BC delete
PDRELI Driver: Unload, Delete, Disable	PDRELI	Not started	PDRELI.sys Script: Quarantine, Delete, BC delete
PDRFRAME Driver: Unload, Delete, Disable	PDRFRAME	Not started	PDRFRAME.sys Script: Quarantine, Delete, BC delete
perc2 Driver: Unload, Delete, Disable	perc2	Not started	perc2.sys Script: Quarantine, Delete, BC delete	SCSI miniport
perc2hib Driver: Unload, Delete, Disable	perc2hib	Not started	perc2hib.sys Script: Quarantine, Delete, BC delete	Filter
ql1080 Driver: Unload, Delete, Disable	ql1080	Not started	ql1080.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Ql10wnt Driver: Unload, Delete, Disable	Ql10wnt	Not started	Ql10wnt.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql12160 Driver: Unload, Delete, Disable	ql12160	Not started	ql12160.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1240 Driver: Unload, Delete, Disable	ql1240	Not started	ql1240.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ql1280 Driver: Unload, Delete, Disable	ql1280	Not started	ql1280.sys Script: Quarantine, Delete, BC delete	SCSI miniport
Simbad Driver: Unload, Delete, Disable	Simbad	Not started	Simbad.sys Script: Quarantine, Delete, BC delete	Filter
Sparrow Driver: Unload, Delete, Disable	Sparrow	Not started	Sparrow.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_hi Driver: Unload, Delete, Disable	sym_hi	Not started	sym_hi.sys Script: Quarantine, Delete, BC delete	SCSI miniport
sym_u3 Driver: Unload, Delete, Disable	sym_u3	Not started	sym_u3.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc810 Driver: Unload, Delete, Disable	symc810	Not started	symc810.sys Script: Quarantine, Delete, BC delete	SCSI miniport
symc8xx Driver: Unload, Delete, Disable	symc8xx	Not started	symc8xx.sys Script: Quarantine, Delete, BC delete	SCSI miniport
TosIde Driver: Unload, Delete, Disable	TosIde	Not started	TosIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
ultra Driver: Unload, Delete, Disable	ultra	Not started	ultra.sys Script: Quarantine, Delete, BC delete	SCSI miniport
ViaIde Driver: Unload, Delete, Disable	ViaIde	Not started	ViaIde.sys Script: Quarantine, Delete, BC delete	System Bus Extender
WDICA Driver: Unload, Delete, Disable	WDICA	Not started	WDICA.sys Script: Quarantine, Delete, BC delete
Detected - 185, recognized as trusted - 122

Autoruns

File name	Status	Startup method	Description
C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IMSCMig
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ISUSPM Startup
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, !AVG Anti-Spyware
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {57B86673-276A-48B2-BAE7-C6DBB3020EB8}
C:\Program Files\MSN Messenger\MsnMsgr.Exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, msnmsgr
C:\Program Files\Rising\Rav\RavTray.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, RavTray
C:\Program Files\SUPERAntiSpyware\SASSEH.DLL Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon, DLLName
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SUPERAntiSpyware
C:\WINDOWS\Fonts\avwgjmn.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {AA1247C1-53DA-FF43-ABD3-345F323A48DA}
C:\WINDOWS\Fonts\avwlkmn.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {B960356A-458E-DE24-BD50-268F589A56AB}
C:\WINDOWS\Fonts\avzxnmn.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {E859245F-345D-BC13-AC4F-145D47DA34FE}
C:\WINDOWS\Fonts\gjcsdyc.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {4FA10261-B890-F432-A453-69F1023513F4}
C:\WINDOWS\Fonts\gjfhbyc.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {2D908534-AD45-920F-AC89-4024FA9D26D2}
C:\WINDOWS\Fonts\hookhelp.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {E159854F-6971-3456-6941-10235412974E}
C:\WINDOWS\Fonts\kaqhmzy.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {D7D81718-1314-5200-2597-58790101807D}
C:\WINDOWS\Fonts\kawdjzy.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {A8907901-1416-3389-9981-37217856998A}
C:\WINDOWS\Fonts\kvdxmma.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {DC87A354-ABC3-DEDE-FF33-3213FD7447CD}
C:\WINDOWS\Fonts\kvdxsoma.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {FD561258-45F3-A451-F908-A258458226DF}
C:\WINDOWS\Fonts\okmhfzy.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {6A57CAD1-412F-9547-713F-9641FA3FC7A6}
C:\WINDOWS\Fonts\rarjfpi.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {6598FF45-DA60-F48A-BC43-10AC47853D56}
C:\WINDOWS\Fonts\ratbupi.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {67650011-3344-6688-4899-345FABCD1576}
C:\WINDOWS\Fonts\rsmykpm.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {BE32FA58-3453-FA2D-BC49-F340348ACCEB}
C:\WINDOWS\Fonts\swrcgzc.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {878A7521-FA87-34AB-34C2-4893F3AD34C8}
C:\WINDOWS\Fonts\wsmsfzx.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {892FADFA-BCDE-ACDF-CDEF-21054865CBA8}
C:\WINDOWS\system32\RavExt.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {32CD708B-60A7-4C00-9377-D73EAA495F0F}
C:\WINDOWS\system32\gjgfbyc.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {2D30695F-C54D-32AD-BC43-5810F301A1D2}
C:\WINDOWS\system32\raqjipi.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {94783410-4F90-34A0-7820-3230ACD05F49}
C:\WINDOWS\system32\sidjjzy.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {A8847374-8323-FADC-B443-4732ABCD378A}
C:\WINDOWS\system32\wszjdzx.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, {45679330-4034-9021-7012-909856721374}
ImpsSensor.dll Script: Quarantine, Delete, BC delete	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ImpsSensor, DLLName
autocheck autochk * bsmain Script: Quarantine, Delete, BC delete	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager, BootExecute
Autoruns items detected - 90, recognized as trusted - 58

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
http://cn.widget.yahoo.com/index.htm?source=Cns Script: Quarantine, Delete, BC delete	Extension module			{6354ABE6-05F1-49ed-B850-E423120EC338} Delete
C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL Script: Quarantine, Delete, BC delete	Extension module	Skype add-on for IE	(c) Skype Technologies. All rights reserved.	{77BF5300-1474-4EC7-9980-D32B190E9B07} Delete
C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL Script: Quarantine, Delete, BC delete	Extension module	Skype add-on for IE	(c) Skype Technologies. All rights reserved.	{92780B25-18CC-41C8-B9BE-3C9C571A8263} Delete
C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL Script: Quarantine, Delete, BC delete	Extension module	Skype add-on for IE	(c) Skype Technologies. All rights reserved.	{9A687CA6-D585-4947-9ED9-BE96071F5CD9} Delete
Elements detected - 7, recognized as trusted - 3

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
deskpan.dll Script: Quarantine, Delete, BC delete	Display Panning CPL Extension			{42071714-76d4-11d1-8b24-00a0c9068ff3}
	Shell extensions for file compression			{764BF0E1-F219-11ce-972D-00AA00A14F56}
	јУГЬЙППВОДІЛµҐ			{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
	ИООсАёєНЎёїЄКјЎ№ІЛµҐ			{0DF44EAA-FF21-4412-828E-260A8728E7F1}
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} Script: Quarantine, Delete, BC delete	Autoplay for SlideShow			{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
	УГ»§ХК»§			{7A9D77BD-5403-11d2-8785-2E0420524153}
C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL Script: Quarantine, Delete, BC delete	Microsoft Office Outlook Desktop Icon Handler	Microsoft Shell Extension Library	°жИЁЛщУР? 1995-2003 Microsoft CorporationЎЈ±ЈБфЛщУРИЁАыЎЈ	{00020D75-0000-0000-C000-000000000046}
C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL Script: Quarantine, Delete, BC delete	Microsoft Office Outlook Custom Icon Handler	Outlook Shell Hook for Start/Find	°жИЁЛщУР? 1995-2003 Microsoft CorporationЎЈ±ЈБфЛщУРИЁАыЎЈ	{0006F045-0000-0000-C000-000000000046}
C:\WINDOWS\system32\RavExt.dll Script: Quarantine, Delete, BC delete	RISING	Rising Shell Ext Module	Copyright (c) 1998-2007 Rising Corp.	{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}
C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll Script: Quarantine, Delete, BC delete	PowerWord ExplorerBar	PowerWord Web Dictionary Engine	Copyright 2002-2003	{47B92A27-8252-420D-9630-378EF61434D7}
C:\Program Files\WinRAR\rarext.dll Script: Quarantine, Delete, BC delete	WinRAR shell extension			{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\WINDOWS\system32\TudouUpload.dll Script: Quarantine, Delete, BC delete	DllRegShlExt extension	DLL registration shell extension	Copyright 2000-2006 by Tudou.com	{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}
Elements detected - 183, recognized as trusted - 171

Print system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
C:\WINDOWS\system32\PRTdlink.dll Script: Quarantine, Delete, BC delete	Monitor	PRTmate
Elements detected - 11, recognized as trusted - 10

Task Scheduler jobs

File name	Job name	Job status	Description	Manufacturer
Elements detected - 0, recognized as trusted - 0

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	Exe file	Description	GUID
Detected - 3, recognized as trusted - 3

Transport protocol providers (TSP, LSP)

Manufacturer Exe file Description
Detected - 18, recognized as trusted - 18
Automatic SPI settings check results
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 2160 [1016] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 8214 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 2064 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1030 LISTENING 0.0.0.0 12296 [688] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
1979 LISTENING 0.0.0.0 4259 [1824] c:\program files\rising\rav\ravservice.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 149 [1208] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
2976 CLOSE_WAIT 89.108.66.156 80 [2248] c:\documents and settings\ke\ЧАГж\avz4\avz4\avz.exe
Script: Quarantine, Delete, BC delete, Terminate
6059 LISTENING 0.0.0.0 47175 [1264] c:\program files\rising\rav\ravmond.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1052] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1052] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [772] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1048 LISTENING -- -- [1052] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1055 LISTENING -- -- [1100] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1057 LISTENING -- -- [2056] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
1098 LISTENING -- -- [1100] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1104 LISTENING -- -- [1100] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1105 LISTENING -- -- [1100] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1208] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1208] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [772] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
C:\WINDOWS\Downloaded Program Files\MMCShell.dll
Script: Quarantine, Delete, BC delete {05C1004E-2596-48E5-8E26-39362985EEB9}
Delete http://p3p.sogou.com/MMCShell.cab
C:\WINDOWS\system32\CMBEdit.dll
Script: Quarantine, Delete, BC delete CMBHtmlControl Module Copyright 2004 {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D}
Delete https://www.sz1.cmbchina.com/download/CMBEdit.cab
C:\WINDOWS\Downloaded Program Files\safeInput4jh.dll
Script: Quarantine, Delete, BC delete {A3CD7F74-93C9-4BC4-B892-CCDF1514F714}
Delete https://pbank.95559.com.cn/personbank/ocx/safe.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000}
Delete http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
C:\WINDOWS\Downloaded Program Files\safeInput4jh.dll
Script: Quarantine, Delete, BC delete {ECCBA956-80E5-11D3-9285-0080ADB811C9}
Delete https://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
Elements detected - 8, recognized as trusted - 3

Control Panel Applets (CPL)

File name Description Manufacturer
Elements detected - 25, recognized as trusted - 25

Active Setup

File name Description Manufacturer CLSID
Elements detected - 12, recognized as trusted - 12

HOSTS file

Hosts file record
127.0.0.1 localhost

Protocols and handlers

File name Type Description Manufacturer CLSID
C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
Script: Quarantine, Delete, BC delete Handler PowerWord Web Dictionary Engine (dic: PowerWord Asychronous Pluggable Protocol Handler) Copyright 2002-2003 {C21F5C32-F57A-4A0D-8E0A-B672691C52D0}
Elements detected - 31, recognized as trusted - 30

Suspicious objects

File Description Type
C:\Program Files\Rising\Rav\HOOKBASE.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook
C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\Fonts\avzxnmn.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Trojan-PSW.Win32.OnLineGames.njp ( 0AE0FEF1 02AD8107 0025A5E4 002C666E 528470)
C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\Fonts\swrcgzc.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Trojan-PSW.Win32.OnLineGames.nim ( 0AC5AD0A 04EBCC91 00252B6C 0021B208 524910)
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073825.EXE
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Trojan-PSW.Win32.OnLineGames.kpr ( 0D5E0829 0E1921B4 0027B2A7 0029A820 12088)
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073827.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Trojan-PSW.Win32.OnLineGames.iec ( 0AD69F02 08CAD354 00222545 001D3208 24396)
C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074106.dll
Script: Quarantine, Delete, BC delete Suspicion by File scanner Suspicion for Trojan-PSW.Win32.OnLineGames.npb ( 0AE6631D 059194D3 0025558C 00204F54 527490)

AVZ Antiviral Toolkit log; AVZ version is 4.29 Scanning started at 2008-01-17 14:59:13 Database loaded: signatures - 145510, NN profile(s) - 2, microprograms of healing - 55, signature database released 16.01.2008 18:04 Heuristic microprograms loaded: 371 SPV microprograms loaded: 9 Digital signatures of system files loaded: 68572 Heuristic analyzer mode: Medium heuristics level Healing mode: enabled Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights System Recovery: enabled 1. Searching for Rootkits and programs intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.2 Searching for kernel-mode API hooks Driver loaded successfully SDT found (RVA=082680) Kernel ntoskrnl.exe found in memory at address 804D8000 SDT = 8055A680 KiST = 804E36A8 (284) Function NtCreateKey (29) intercepted (8056F7A9->F8E4980D), hook C:\Program Files\Rising\Rav\HOOKBASE.sys >>> Function recovered successfully ! >>> Hook code blocked Function NtDeleteKey (3F) intercepted (80596136->F8E4983F), hook C:\Program Files\Rising\Rav\HOOKBASE.sys >>> Function recovered successfully ! >>> Hook code blocked Function NtDeleteValueKey (41) intercepted (80594AAC->F8E49826), hook C:\Program Files\Rising\Rav\HOOKBASE.sys >>> Function recovered successfully ! >>> Hook code blocked Function NtOpenProcess (7A) intercepted (80573D06->F8E497DB), hook C:\Program Files\Rising\Rav\HOOKBASE.sys >>> Function recovered successfully ! >>> Hook code blocked Function NtSetValueKey (F7) intercepted (80574C8D->F8E497F4), hook C:\Program Files\Rising\Rav\HOOKBASE.sys >>> Function recovered successfully ! >>> Hook code blocked Function NtTerminateProcess (101) intercepted (80585740->F984E812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys >>> Function recovered successfully ! >>> Hook code blocked Functions checked: 284, intercepted: 6, restored: 6 1.3 Checking IDT and SYSENTER Analysis for CPU 1 Checking IDT and SYSENTER - complete 1.4 Searching for masking processes and drivers Checking not performed: the extended monitoring driver (AVZPM) is not installed 2. Scanning memory Number of processes found: 32 Number of modules loaded: 337 Memory checking - complete 3. Scanning disks C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\Fonts\avzxnmn.dll >>> suspicion for Trojan-PSW.Win32.OnLineGames.njp ( 0AE0FEF1 02AD8107 0025A5E4 002C666E 528470) File quarantined succesfully (C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\Fonts\avzxnmn.dll) C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\Fonts\swrcgzc.dll >>> suspicion for Trojan-PSW.Win32.OnLineGames.nim ( 0AC5AD0A 04EBCC91 00252B6C 0021B208 524910) File quarantined succesfully (C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\Fonts\swrcgzc.dll) File quarantined succesfully (C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\yipvpr.dll) C:\Documents and Settings\ke\ЧАГж\WinPFind3u\MovedFiles\WINDOWS\SYSTEM32\yipvpr.dll >>>>> Trojan-PSW.Win32.OnLineGames.kps deleted successfully File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073203.dll) C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073203.dll >>>>> Trojan-PSW.Win32.OnLineGames.kwk deleted successfully File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073204.dll) C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP323\A0073204.dll >>>>> Trojan-PSW.Win32.OnLineGames.kwk deleted successfully C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073825.EXE >>> suspicion for Trojan-PSW.Win32.OnLineGames.kpr ( 0D5E0829 0E1921B4 0027B2A7 0029A820 12088) File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073825.EXE) C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073827.dll >>> suspicion for Trojan-PSW.Win32.OnLineGames.iec ( 0AD69F02 08CAD354 00222545 001D3208 24396) File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073827.dll) File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073842.dll) C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP325\A0073842.dll >>>>> Trojan-PSW.Win32.OnLineGames.kps deleted successfully File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074097.exe) C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074097.exe >>>>> Trojan-PSW.Win32.OnLineGames.nim deleted successfully C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074106.dll >>> suspicion for Trojan-PSW.Win32.OnLineGames.npb ( 0AE6631D 059194D3 0025558C 00204F54 527490) File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP326\A0074106.dll) File quarantined succesfully (C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP328\A0074251.dll) C:\System Volume Information\_restore{8152047B-A644-4F45-AEA3-2C176348448F}\RP328\A0074251.dll >>>>> Trojan-PSW.Win32.OnLineGames.kps deleted successfully File quarantined succesfully (C:\WINDOWS\Fonts\avzxnst.exe) C:\WINDOWS\Fonts\avzxnst.exe >>>>> Trojan-PSW.Win32.OnLineGames.nil deleted successfully Removing traces of deleted files... 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious programs Checking disabled by user 7. Heuristic system check Checking complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed RemoteRegistry (Remote Registry) >> Services: potentially dangerous service allowed TermService (Terminal Services) >> Services: potentially dangerous service allowed SSDPSRV (SSDP Discovery Service) >> Services: potentially dangerous service allowed Schedule (Task Scheduler) >> Services: potentially dangerous service allowed mnmsrvc (NetMeeting Remote Desktop Sharing) >> Services: potentially dangerous service allowed RDSessMgr (Remote Desktop Help Session Manager) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: administrative shares (C$, D$ ...) are enabled >> Security: anonymous user access is enabled Checking complete 9. Troubleshooting wizard >> Adjustment of automatic updating is blocked Checking complete Files scanned: 96650, extracted from archives: 79842, malicious programs found 7, suspicions - 5 Scanning finished at 2008-01-17 15:26:30 !!! Attention !!! Recovered 6 KiST functions during Anti-Rootkit operation This may affect execution of several programs, so it is strongly recommended to reboot Time of scanning: 00:27:19 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Creating archive of files from Quarantine Creating archive of files from Quarantine - complete System Analysis in progress
Script commands

Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
BootCleaner - import list of deleted files
Registry cleanup after deleting files
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from the registry
Additional operations:
Performance tweaking: disable service RemoteRegistry (Remote Registry)
Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
Performance tweaking: disable service Schedule (Task Scheduler)
Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
Security tweaking: disable disk drives' autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
135	LISTENING	0.0.0.0	2160	[1016] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
139	LISTENING	0.0.0.0	8214	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	0.0.0.0	2064	[4] System Script: Quarantine, Delete, BC delete, Terminate
1030	LISTENING	0.0.0.0	12296	[688] c:\windows\system32\alg.exe Script: Quarantine, Delete, BC delete, Terminate
1979	LISTENING	0.0.0.0	4259	[1824] c:\program files\rising\rav\ravservice.exe Script: Quarantine, Delete, BC delete, Terminate
2869	LISTENING	0.0.0.0	149	[1208] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
2976	CLOSE_WAIT	89.108.66.156	80	[2248] c:\documents and settings\ke\ЧАГж\avz4\avz4\avz.exe Script: Quarantine, Delete, BC delete, Terminate
6059	LISTENING	0.0.0.0	47175	[1264] c:\program files\rising\rav\ravmond.exe Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123	LISTENING	--	--	[1052] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
123	LISTENING	--	--	[1052] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
137	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
138	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
445	LISTENING	--	--	[4] System Script: Quarantine, Delete, BC delete, Terminate
500	LISTENING	--	--	[772] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate
1048	LISTENING	--	--	[1052] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1055	LISTENING	--	--	[1100] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1057	LISTENING	--	--	[2056] c:\program files\internet explorer\iexplore.exe Script: Quarantine, Delete, BC delete, Terminate
1098	LISTENING	--	--	[1100] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1104	LISTENING	--	--	[1100] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1105	LISTENING	--	--	[1100] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1208] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
1900	LISTENING	--	--	[1208] c:\windows\system32\svchost.exe Script: Quarantine, Delete, BC delete, Terminate
4500	LISTENING	--	--	[772] c:\windows\system32\lsass.exe Script: Quarantine, Delete, BC delete, Terminate