Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\program files (x86)\acer\abdocs\abdocsdllloader.exe Script: Quarantine, Delete, Delete via BC, Terminate	4028			35B8CDACB318EEC3C7B33AD7A99F1BC3	88.75 kb, rsAh, created: 19.12.2014 21:59:52, modified: 19.12.2014 21:59:52 Command line: "C:\Program Files (x86)\Acer\abDocs\abDocsDllLoader.exe"
c:\program files (x86)\acer\abdocs\abdocsdllloadermonitor.exe Script: Quarantine, Delete, Delete via BC, Terminate	5036			E2E72A08C6578683C41908AECCDEFA80	87.25 kb, rsAh, created: 19.12.2014 21:59:52, modified: 19.12.2014 21:59:52 Command line: "C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe"
c:\users\franny\appdata\local\clear.fi\media\abmedia\abmediasetup.exe Script: Quarantine, Delete, Delete via BC, Terminate	6116	abMedia Setup	© All rights reserved	7A931E9038E8EAAD4C880E5E232F4F7F	error getting file info Command line:
c:\users\franny\appdata\local\clear.fi\media\abmediasetup.exe Script: Quarantine, Delete, Delete via BC, Terminate	2528	Acer Media Setup	@ All rights reserved	8D25BB44E7D3CF7C4240AE9DE4B8D28C	52899.55 kb, rsAh, created: 07.02.2015 17:59:23, modified: 07.01.2015 18:14:30 Command line:
c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	1524	MobileDeviceService	© 2014 Apple Inc. All rights reserved.	650D03E40F93FAE323CB841F80368E5C	59.32 kb, rsAh, created: 07.10.2014 15:09:50, modified: 07.10.2014 15:09:50 Command line: "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	1180	avast! Service	Copyright (c) 2014 AVAST Software	E3F7EC811923F3F1A77B185F22638E5E	49.16 kb, rsAh, created: 02.02.2015 12:20:27, modified: 02.02.2015 12:20:27 Command line: "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
c:\program files\avast software\avast\avastui.exe Script: Quarantine, Delete, Delete via BC, Terminate	4580	avast! Antivirus	Copyright (c) 2014 AVAST Software	44ADDA5FB88EE14F57A246285775AC2F	5104.60 kb, rsAh, created: 02.02.2015 12:20:48, modified: 02.02.2015 12:20:51 Command line: "C:\Program Files\AVAST Software\Avast\avastui.exe" /nogui
C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe Script: Quarantine, Delete, Delete via BC, Terminate	2692	AvastVirtualBox Interface	Copyright (C) 2009-2014 Oracle Corporation	4F4EBF6163D3A02D52A66BBD145B0069	3918.21 kb, rsAh, created: 02.02.2015 12:20:25, modified: 02.02.2015 12:20:25 Command line:
c:\users\franny\desktop\avz4\avz4\avz.exe Script: Quarantine, Delete, Delete via BC, Terminate	724	???????????? ??????? AVZ	???????????? ??????? AVZ	6497B6E363DCEBA3685AD960F8B84665	772.00 kb, rsAh, created: 23.02.2014 15:04:10, modified: 07.02.2015 17:40:03 Command line: "C:\Users\Franny\Desktop\avz4\avz4\avz.exe"
c:\program files (x86)\acer\aop framework\backgroundagent.exe Script: Quarantine, Delete, Delete via BC, Terminate	1028	Background Agent	Copyright (C) 2014	66EB26B4A0C2146ADD7828A5A4EC81E0	60.75 kb, rsAh, created: 19.12.2014 21:16:44, modified: 19.12.2014 21:16:44 Command line: "C:\Program Files (x86)\Acer\AOP Framework\BackgroundAgent.exe"
c:\program files (x86)\acer\aop framework\acer\ccd.exe Script: Quarantine, Delete, Delete via BC, Terminate	904	AcerCloud Client	(c) All rights reserved	9B470F58C888E1D21EF1AAB5A496C496	8975.75 kb, rsAh, created: 30.01.2015 15:43:01, modified: 19.12.2014 13:16:59 Command line: "C:\Program Files (x86)\Acer\AOP Framework\acer\ccd.exe" "C:\Users\Franny\AppData\Local\AOP SDK\Acer Infra\acer\SyncAgent" S-1-5-21-786374595-2290240692-171548042-1001 496 473 "C:\ProgramData\acer\CCD"
c:\program files (x86)\acer\aop framework\ccdmonitorservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	5804	CCD Monitor Service	Copyright (C) 2014	1F8F20C36E7619152FF46F7703077922	2650.25 kb, rsAh, created: 30.01.2015 15:39:03, modified: 19.12.2014 13:15:49 Command line: "C:\Program Files (x86)\Acer\AOP Framework\CCDMonitorService.exe"
C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe Script: Quarantine, Delete, Delete via BC, Terminate	6260	ePowerEvent	(C) All rights reserved	9D6A4825A6B3C7EEA5576401775503CE	384.54 kb, rsAh, created: 05.07.2013 16:19:02, modified: 05.07.2013 16:19:02 Command line:
C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	2924	ePowerSvc	(C) All rights reserved	B5B5FC68BFB3F01267E54B236660E610	648.04 kb, rsAh, created: 05.07.2013 16:19:04, modified: 05.07.2013 16:19:04 Command line:
C:\Program Files\Acer\Acer Power Management\ePowerTray.exe Script: Quarantine, Delete, Delete via BC, Terminate	6008	ePowerTray	(C) All rights reserved	63FC3383151D90D4E7CF135661CE8342	5182.04 kb, rsAh, created: 05.07.2013 16:19:06, modified: 05.07.2013 16:19:06 Command line:
C:\Program Files (x86)\Acer\abMedia\MediaSharingSetting\FirewallSettings.exe Script: Quarantine, Delete, Delete via BC, Terminate	3364	clear.fi Client	Copyright © 2011	E7897E93CF910399146D8B977BEA76DD	17.75 kb, rsAh, created: 07.01.2015 18:09:22, modified: 07.01.2015 18:09:22 Command line:
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe Script: Quarantine, Delete, Delete via BC, Terminate	6952	Adobe® Flash® Player Utility	Copyright © 1996-2015 Adobe Systems Incorporated	A8BA555A3DA215FC0E96AC5B845B21AA	961.47 kb, rsAh, created: 20.12.2014 18:07:25, modified: 03.02.2015 19:31:19 Command line:
c:\program files (x86)\internet explorer\iexplore.exe Script: Quarantine, Delete, Delete via BC, Terminate	5688	Internet Explorer	© Microsoft Corporation. All rights reserved.	5F1B1148C830C0F149A476A58CE0D09D	796.14 kb, rsAh, created: 03.12.2014 19:45:32, modified: 31.10.2014 10:32:44 Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4816 CREDAT:267521 /prefetch:2
C:\Program Files\iPod\bin\iPodService.exe Script: Quarantine, Delete, Delete via BC, Terminate	1036	iPodService Module (64-bit)	© 2003-2014 Apple Inc. All rights reserved.	7FAE5B6CDB18B0B2E81F32869F595022	628.79 kb, rsAh, created: 15.10.2014 05:42:08, modified: 15.10.2014 05:42:08 Command line:
c:\program files (x86)\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate	812	iTunesHelper	© 2003-2014 Apple Inc. All rights reserved.	0EF0822810009D58118CCDFD098FA9F4	153.79 kb, rsAh, created: 15.10.2014 05:42:34, modified: 15.10.2014 05:42:34 Command line: "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe Script: Quarantine, Delete, Delete via BC, Terminate	4528	Communications Service	© Microsoft Corporation. All rights reserved.	705EA99E940E7873B779258602EF22AE	136.50 kb, rsAh, created: 27.11.2014 23:18:36, modified: 27.11.2014 23:19:02 Command line:
C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe Script: Quarantine, Delete, Delete via BC, Terminate	3216	LMEvent	(C) ALL rights reserved	2F41B7382F80F967A7B45F6C28C4D846	455.54 kb, rsAh, created: 03.08.2013 01:47:40, modified: 03.08.2013 01:47:40 Command line:
C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	1476	LMSvc	(C) ALL rights reserved	FFDF8F07A900659CF927A273942926F8	447.04 kb, rsAh, created: 03.08.2013 01:47:44, modified: 03.08.2013 01:47:44 Command line:
C:\Program Files\Acer\Acer Launch Manager\LMTray.exe Script: Quarantine, Delete, Delete via BC, Terminate	3252	LMTray	(C) ALL rights reserved	6E0B176E2B51AF649D664E1887AA55A2	440.54 kb, rsAh, created: 03.08.2013 01:47:44, modified: 03.08.2013 01:47:44 Command line:
C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe Script: Quarantine, Delete, Delete via BC, Terminate	1580	SiteAdvisor	Copyright © 2014 McAfee, Inc.	A77B2711CBABEB7028DA40926F8BE9D1	151.73 kb, rsAh, created: 06.02.2015 17:32:04, modified: 30.01.2015 14:36:42 Command line:
C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe Script: Quarantine, Delete, Delete via BC, Terminate	2300	McAfee Core Firewall Service	Copyright© 1995-2014 McAfee, Inc. All Rights Reserved.	E7C6587AC8FB0BABEF6AB1733AFA8FEC	214.60 kb, rsAh, created: 15.10.2013 14:44:24, modified: 20.06.2014 10:23:12 Command line:
C:\Windows\System32\mfevtps.exe Script: Quarantine, Delete, Delete via BC, Terminate	1532	McAfee Process Validation Service	Copyright© 1995-2014 McAfee, Inc. All Rights Reserved.	64BAFB4E5377056CDD71531097D69F6E	error getting file info Command line:
c:\program files (x86)\windows live\messenger\msnmsgr.exe Script: Quarantine, Delete, Delete via BC, Terminate	3096	Windows Live Messenger	© Microsoft Corporation. All rights reserved.	83617B22205AE74AA31FF3CC145E2132	4172.70 kb, rsAh, created: 31.03.2014 21:41:40, modified: 31.03.2014 21:41:40 Command line: "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
C:\Program Files\AVAST Software\Avast\ng\ngservice.exe Script: Quarantine, Delete, Delete via BC, Terminate	3336	avast! NG service	Copyright (c) 2014 AVAST Software	04BADFD7FB4A26033ADF47489382DD40	165.34 kb, rsAh, created: 02.02.2015 12:20:25, modified: 02.02.2015 12:20:25 Command line:
C:\Program Files\Acer\Acer Quick Access\QAEvent.exe Script: Quarantine, Delete, Delete via BC, Terminate	5356	QAEvent	(C) ALL rights reserved	4A5FAAB8A66E510A76D192EC49A79849	494.04 kb, rsAh, created: 02.08.2013 18:33:10, modified: 02.08.2013 18:33:10 Command line:
C:\Program Files\Acer\Acer Quick Access\QAMsg.exe Script: Quarantine, Delete, Delete via BC, Terminate	3224	QAMsg	(C) ALL rights reserved	095284EBEDF1F2DFBF7DEE287284A1DA	293.54 kb, rsAh, created: 02.08.2013 18:33:12, modified: 02.08.2013 18:33:12 Command line:
C:\Program Files\Acer\Acer Quick Access\QASvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	4060	QASvc	(C) ALL rights reserved	C99D94151EDA07D418E14158E3C54A87	447.04 kb, rsAh, created: 02.08.2013 18:33:14, modified: 02.08.2013 18:33:14 Command line:
C:\Program Files\Acer\Acer Quick Access\QuickAccess.exe Script: Quarantine, Delete, Delete via BC, Terminate	3268	Quick Access	(C) ALL rights reserved	E3515D3B7D07946B235AC90D55F3AED5	805.54 kb, rsAh, created: 02.08.2013 18:33:16, modified: 02.08.2013 18:33:16 Command line:
C:\Program Files\Acer\Acer Quick Access\RMSvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	3116	RMSvc	(C) ALL rights reserved	F3C0FACA2664136D9E101212BF31BA79	437.54 kb, rsAh, created: 02.08.2013 18:33:16, modified: 02.08.2013 18:33:16 Command line:
c:\windows\syswow64\rundll32.exe Script: Quarantine, Delete, Delete via BC, Terminate	992	Windows host process (Rundll32)	© Microsoft Corporation. All rights reserved.	BE1DAE43DFBCA94FB6B4157C1B16923E	48.50 kb, rsAh, created: 22.08.2013 03:40:23, modified: 22.08.2013 03:40:23 Command line: "C:\Windows\SysWOW64\rundll32.exe" "c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll", saHooker_Initialize_and_Wait
C:\Program Files\SUPERAntiSpyware\SASCore64.exe Script: Quarantine, Delete, Delete via BC, Terminate	1508	Core Service	Copyright (C) 2005-2012 by SUPERAntiSpyware.com and SUPERAdBlocker.com	970C70F6B2953ED43822D3797855D84C	168.30 kb, rsAh, created: 22.07.2014 23:31:23, modified: 22.07.2014 23:31:23 Command line:
c:\progra~2\mcafee\sitead~1\saui.exe Script: Quarantine, Delete, Delete via BC, Terminate	916	SiteAdvisor	Copyright © 2014 McAfee, Inc.	4AE8B6C28C6FDFAF4CB8F48343273030	1177.68 kb, rsAh, created: 06.02.2015 17:32:10, modified: 30.01.2015 14:33:32 Command line: "c:\PROGRA~2\mcafee\SITEAD~1\saui.exe" -Embedding
c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate	2140	Skype	© 2003 - 2012 Skype and/or Microsoft	630458699EEDA44B5AAE5DB467AF71A0	30155.09 kb, RsAh, created: 11.12.2014 13:03:22, modified: 11.12.2014 13:03:22 Command line: "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
c:\program files (x86)\spotify\data\spotifywebhelper.exe Script: Quarantine, Delete, Delete via BC, Terminate	1356	SpotifyWebHelper	Copyright (c) 2013, Spotify Ltd	DD9EAE1C80561C509A8B8801E16BAA38	1078.50 kb, rsAh, created: 21.03.2014 20:38:20, modified: 21.03.2014 20:38:20 Command line: "C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe"
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, Delete via BC, Terminate	5024	SUPERAntiSpyware Application	Copyright (C) 2005-2014 SUPERAntiSpyware & Support.com	952E717574469A91BCC32B6B162BC2A0	7597.77 kb, rsAh, created: 22.01.2015 18:30:17, modified: 22.01.2015 18:30:17 Command line:
Detected:103, recognized as trusted 67

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files (x86)\Acer\abDocs\acpanel_win.dll Script: Quarantine, Delete, Delete via BC	1639907328		(c) All rights reserved	A1F1D0C3B6875BA6DFA6E49E4B5C4909	4028
C:\Program Files (x86)\Acer\abDocs\FileMonitor.dll Script: Quarantine, Delete, Delete via BC	1765539840		(c) All rights reserved	949395DB152FEC44427E8B0472F910A2	4028
C:\Program Files (x86)\Acer\abDocs\libcurl.dll Script: Quarantine, Delete, Delete via BC	268435456			6788E2820A0A8E0CC5FFD0E8267576EF	4028
C:\Program Files (x86)\Acer\abDocs\MSVCP100.dll Script: Quarantine, Delete, Delete via BC	1680670720	Microsoft® C Runtime Library	© Microsoft Corporation. All rights reserved.	65D0A36FAD65A581685ECE6778D97C56	4028, 5036
C:\Program Files (x86)\Acer\abDocs\MSVCR100.dll Script: Quarantine, Delete, Delete via BC	1666318336	Microsoft® C Runtime Library	© Microsoft Corporation. All rights reserved.	02A36C4A574B1AB7086ADB277E8C1292	4028, 5036
C:\Program Files (x86)\Acer\abDocs\zlib1.dll Script: Quarantine, Delete, Delete via BC	1639448576	Zlib: general purpose data compression / decompression library	© 2005 Jean-loup Gailly , Mark Adler	0E5C66657F67E27D26727B481EA8E458	4028
C:\Program Files (x86)\Acer\abMedia\UPMonitor.dll Script: Quarantine, Delete, Delete via BC	1597243392	Upload and Picstream Monitor	Copyright (C) 2014	7D32A6AFA1850C82EEEF65B37660038F	1028
C:\Program Files (x86)\Acer\abPhoto\curllib.dll Script: Quarantine, Delete, Delete via BC	1789198336			1B18F63412FA987AA6D4D69A1076DA72	1028
C:\Program Files (x86)\Acer\abPhoto\LIBEAY32.dll Script: Quarantine, Delete, Delete via BC	34734080	OpenSSL Shared Library	Copyright © 1998-2007 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.	364B9E5E917E8B089378B68FAB5657E4	1028
C:\Program Files (x86)\Acer\abPhoto\libsasl.dll Script: Quarantine, Delete, Delete via BC	4587520	CMU SASL API v2	Copyright (c) Carnegie Mellon University 2005	0627C8FF2F475F91EC00FE7E82201C8E	1028
C:\Program Files (x86)\Acer\abPhoto\OpenLDAP.dll Script: Quarantine, Delete, Delete via BC	4128768			3D957110DFED4904A2FDB8A6C1620F35	1028
C:\Program Files (x86)\Acer\abPhoto\sqlite3.dll Script: Quarantine, Delete, Delete via BC	1620049920			8BCB07E10C42952F24AD61E383A62A07	1028
C:\Program Files (x86)\Acer\abPhoto\SSLEAY32.dll Script: Quarantine, Delete, Delete via BC	268435456	OpenSSL Shared Library	Copyright © 1998-2007 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.	6D5F776D6584B23A86DDE7B30AE6E002	1028
C:\Program Files (x86)\Acer\abPhoto\tag.dll Script: Quarantine, Delete, Delete via BC	1769013248			29752ACE9F015D342C5A4347923A7808	1028
C:\Program Files (x86)\Acer\abPhoto\UPMonitor.dll Script: Quarantine, Delete, Delete via BC	1724907520	Upload and Picstream Monitor	Copyright (C) 2014	82A4A37DD1854E17B625580C97691600	1028
C:\Program Files (x86)\Acer\Acer Portal\IOAC.dll Script: Quarantine, Delete, Delete via BC	1605894144	TODO:	Copyright (C) 2014	1E203750F7D6EB1342DE719D4F57A7E5	1028
C:\Program Files (x86)\Acer\AOP Framework\acer\dnssd.dll Script: Quarantine, Delete, Delete via BC	1773535232	Bonjour Client Library	Copyright (C) 2003-2011 Apple Inc.	2E3A0C9643CFB13EAC6FA769FAAEF445	904
C:\Program Files (x86)\Acer\AOP Framework\AutoUpdate.dll Script: Quarantine, Delete, Delete via BC	1592328192		(c) All rights reserved	6D467EECC3ED6C742C32BC302F1AE226	1028
C:\Program Files (x86)\Acer\AOP Framework\Interop.WUApiLib.2.0.dll Script: Quarantine, Delete, Delete via BC	172359680			5FA1374C97DE3147EF70ED40EB1D6672	1028
C:\Program Files (x86)\Acer\AOP Framework\Ionic.Zip.dll Script: Quarantine, Delete, Delete via BC	172621824	Ionic's Zip Library	Copyright © Dino Chiesa 2006 - 2011	F6933BF7CEE0FD6C80CDF207FF15A523	1028
C:\Program Files (x86)\Acer\AOP Framework\libcurl.dll Script: Quarantine, Delete, Delete via BC	107020288			D560599FAB06A71F85010AD12614973E	1028
C:\Program Files (x86)\Acer\AOP Framework\ServiceInterface.dll Script: Quarantine, Delete, Delete via BC	94437376	ServiceInterface	Copyright © 2014	2BBE9BBFDDA825F4176BC779834551FE	1028
C:\Program Files (x86)\Acer\AOP Framework\zlib1.dll Script: Quarantine, Delete, Delete via BC	1639448576	Zlib: general purpose data compression / decompression library	© 2005 Jean-loup Gailly , Mark Adler	EE49CF58EB6B3BB382440C0FEAD5E905	1028
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\CFNetwork.dll Script: Quarantine, Delete, Delete via BC	1911881728	CFNetwork	Copyright (C) 2007-2011	5B9282F1BF7C34A93A282EC4D6918E12	1524, 812
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\CoreFoundation.dll Script: Quarantine, Delete, Delete via BC	1939931136	CoreFoundation	Copyright (C) 2007-2011, Apple Inc.	005D62E870F103E9EE427724D9DC3BF4	1524, 812
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libdispatch.dll Script: Quarantine, Delete, Delete via BC	1945042944	Dispatch Runtime Library	Copyright (c) 2009-2014 Apple Inc.	534DE277E2719093EB1AFC3EE3307A07	1524, 812
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll Script: Quarantine, Delete, Delete via BC	1907818496	libxml2		C0C76975DD290A1BD76141B8CE9A083F	1524, 812
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\objc.dll Script: Quarantine, Delete, Delete via BC	1945174016	Objective-C Runtime Library	Copyright (C) 2007-2009, Apple Inc.	8CA0A722526DE3FC8D09700B0E017ECA	1524, 812
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\pthreadVC2.dll Script: Quarantine, Delete, Delete via BC	1917386752	M	Copyright (C) Project contributors 2012	D67DAA3998EFC0982B051A16A83FDE14	1524, 812
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\YSCrashDump.DLL Script: Quarantine, Delete, Delete via BC	1945501696	YSCrashDump.dll	© 2014 Apple Inc. All rights reserved.	D97507C17A3351DB5632C620DE5FAD19	1524
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService_main.dll Script: Quarantine, Delete, Delete via BC	1917517824	Apple Mobile Device Service	© 2014 Apple Inc. All rights reserved.	C16F9A340AC46A8F835CC496B6F3A4E7	1524
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\iTunesMobileDevice.dll Script: Quarantine, Delete, Delete via BC	1729363968	iTunesMobileDevice	Copyright (C) 2009	137BAD1660B04BCA2CCC30295AB1F2AA	812
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\MobileDevice.dll Script: Quarantine, Delete, Delete via BC	1914044416	iTunesMobileDevice	Copyright (C) 2009	0BC87C153B7F8C0189F084894E670F3D	1524
C:\Program Files (x86)\iTunes\iTunesHelper.dll Script: Quarantine, Delete, Delete via BC	1768030208	iTunesHelper DLL	© 2003-2014 Apple Inc. All rights reserved.	536A4997067287E261D904E33F253578	812
C:\Program Files (x86)\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL Script: Quarantine, Delete, Delete via BC	1764818944	iTunesHelper Resource Library	© 2003-2014 Apple Inc. All rights reserved.	C65439FC97BE565644D20A159AA38C4A	812
C:\Program Files (x86)\iTunes\iTunesHelper.Resources\iTunesHelper.DLL Script: Quarantine, Delete, Delete via BC	1764687872	iTunesHelper Resource Library	© 2003-2014 Apple Inc. All rights reserved.	0750F7CC03CCAA673270DF11600CCAD6	812
C:\Program Files (x86)\Skype\Updater\Updater.dll Script: Quarantine, Delete, Delete via BC	1865482240	Skype Updater Library	(c) Skype Technologies. All rights reserved.	6272B4355CBA4DF9AE58DC4DD1DFC700	2140
C:\Program Files (x86)\Windows Live\Contacts\LiveNatTrav.dll Script: Quarantine, Delete, Delete via BC	1816854528	Windows Live Client Nat Traversal Code Module	© Microsoft Corporation. All rights reserved.	41F5A09215AAD9873E3243761A01AF99	3096
C:\Program Files (x86)\Windows Live\Contacts\LiveTransport.dll Script: Quarantine, Delete, Delete via BC	1817640960	Windows Live Client Transport Code Module	© Microsoft Corporation. All rights reserved.	11CA330F1EFC615A3321DEDFB5FD2B45	3096
C:\Program Files (x86)\Windows Live\Contacts\ObjectStore.dll Script: Quarantine, Delete, Delete via BC	1817182208	Windows Live Client ObjectStore Code Module	© Microsoft Corporation. All rights reserved.	C78E17133BC75FB2550FE640B0E24FD6	3096
C:\Program Files (x86)\Windows Live\Contacts\PresenceIM.dll Script: Quarantine, Delete, Delete via BC	1818361856	Windows Live Client Presence and IM Code Module	© Microsoft Corporation. All rights reserved.	563FB90B2824AC99883FA666257A27D0	3096
C:\Program Files (x86)\Windows Live\Messenger\shareanything.dll Script: Quarantine, Delete, Delete via BC	1848967168	Share Anything Control Module	© Microsoft Corporation. All rights reserved.	24CC014DE8D936D81BC8C3F77D5AF1D2	3096
C:\Program Files (x86)\Windows Live\Messenger\vvpltfrm.dll Script: Quarantine, Delete, Delete via BC	1815805952	Windows Live Client Voice Video Platform Module	© Microsoft Corporation. All rights reserved.	BB781745C2D93208065D25D5FC434608	3096
C:\Program Files (x86)\Windows Live\Shared\UXCalendar.dll Script: Quarantine, Delete, Delete via BC	1833238528	Windows Live Client UX Calendar Module	© Microsoft Corporation. All rights reserved.	B24CD961DAF298351D02412EB4A10290	3096
C:\Program Files (x86)\Windows Live\Shared\uxcontacts.dll Script: Quarantine, Delete, Delete via BC	1845559296	Windows Live Client Contacts UX Module	© Microsoft Corporation. All rights reserved.	BA49B68988DC4CCCDF4FD8904AF50CBA	3096
C:\Program Files (x86)\Windows Live\Shared\UXCore.dll Script: Quarantine, Delete, Delete via BC	1846214656	Windows Live Client UX Core Module	© Microsoft Corporation. All rights reserved.	3C87B532D87D3CA541B586FE2B3E7CB3	3096
C:\Program Files (x86)\Windows Live\Shared\uxctl.dll Script: Quarantine, Delete, Delete via BC	1842413568	Windows Live Client UX Controls Module	© Microsoft Corporation. All rights reserved.	BCB0D237DFA4A7CE3B3468B4D0E3E39A	3096
C:\Program Files (x86)\Windows Live\Shared\WLDCore.dll Script: Quarantine, Delete, Delete via BC	1848836096	Windows Live Client Shared Platform Module	© Microsoft Corporation. All rights reserved.	EA0364C8BE2733E5172F825E46B73886	3096
C:\Program Files (x86)\Windows Live\Shared\wldlog.dll Script: Quarantine, Delete, Delete via BC	1857814528	Windows Live Desktop Logging	© Microsoft Corporation. All rights reserved.	9FC11124700C98506E7A9D3158F82CA8	3096
C:\Program Files (x86)\Windows Live\Shared\wlidux.dll Script: Quarantine, Delete, Delete via BC	1835597824	Windows Live ID UI Module	© Microsoft Corporation. All rights reserved.	2230444319DA60BEC1C695D4801A6535	3096
C:\Program Files\AVAST Software\Avast\2057\Base.dll Script: Quarantine, Delete, Delete via BC	1951727616	Avast English Basic Module	Copyright (c) 2014 AVAST Software	9907B9BECF23FB3ACD1144C74DA9DA39	1180, 4580
C:\Program Files\AVAST Software\Avast\2057\UILangRes.dll Script: Quarantine, Delete, Delete via BC	1768554496	UILangRes	Copyright (c) 2014 AVAST Software	28869A34A8401E81333609508035D652	4580
C:\Program Files\AVAST Software\Avast\Aavm4h.dll Script: Quarantine, Delete, Delete via BC	1942421504	avast! Asynchronous Virus Monitor (AAVM)	Copyright (c) 2014 AVAST Software	399CC697B96C16B2B04397F0437BD8DF	1180, 4580
C:\Program Files\AVAST Software\Avast\AavmRpch.dll Script: Quarantine, Delete, Delete via BC	1946681344	avast! AAVM Remote Procedure Call Library	Copyright (c) 2014 AVAST Software	072A993B8CF192A635B044FF832E85AD	1180, 4580
C:\Program Files\AVAST Software\Avast\ahresmai.dll Script: Quarantine, Delete, Delete via BC	1900740608	avast! e-Mail Scanner AAVM Provider Library	Copyright (c) 2014 AVAST Software	7A83EC55BDE6AA2451E070C9D5E41AF0	1180
C:\Program Files\AVAST Software\Avast\ahresstd.dll Script: Quarantine, Delete, Delete via BC	1900544000	avast! Standard Shield AAVM Provider Library	Copyright (c) 2014 AVAST Software	010CBD9717B4C1F6C50D0377706C18D7	1180
C:\Program Files\AVAST Software\Avast\ahresws.dll Script: Quarantine, Delete, Delete via BC	1900150784	avast! HTTP Scanner AAVM Provider Library	Copyright (c) 2014 AVAST Software	644DEC5108500C452CDC3AB06FB1DA7F	1180
C:\Program Files\AVAST Software\Avast\ahresws2.dll Script: Quarantine, Delete, Delete via BC	1900019712	Web Shield Provider	Copyright (c) 2014 AVAST Software	D758AE391ECDAC7D2774CCF1FB1FDF80	1180
C:\Program Files\AVAST Software\Avast\ashBase.dll Script: Quarantine, Delete, Delete via BC	1962672128	Basic Functionality Module	Copyright (c) 2014 AVAST Software	0022F7F5FA0DDA99D71D500CD51CB98C	1180, 4580
C:\Program Files\AVAST Software\Avast\ashMaiSv.dll Script: Quarantine, Delete, Delete via BC	1889337344	avast! e-Mail Scanner Service	Copyright (c) 2014 AVAST Software	EDECCC28FFA0A31C5CEDDA250C9C67A4	1180
C:\Program Files\AVAST Software\Avast\ashServ.dll Script: Quarantine, Delete, Delete via BC	1944518656	avast! antivirus service	Copyright (c) 2014 AVAST Software	6AB16E7C77896D36AF74278F765C9818	1180
C:\Program Files\AVAST Software\Avast\ashTask.dll Script: Quarantine, Delete, Delete via BC	1948385280	Task Handling Module	Copyright (c) 2014 AVAST Software	652D7D4C2344309DDBA5E6554DBAAF15	1180, 4580
C:\Program Files\AVAST Software\Avast\ashTaskEx.dll Script: Quarantine, Delete, Delete via BC	1948778496	avast! TaskEx library	Copyright (c) 2014 AVAST Software	FA8AB483585CE87E2005B468FC558001	1180, 4580
C:\Program Files\AVAST Software\Avast\aswAra.dll Script: Quarantine, Delete, Delete via BC	1769668608	TightVNC Viewer	Copyright (C) 2011-2013 GlavSoft LLC.	E7911F1897B8A94235D69168AF0B3120	4580
C:\Program Files\AVAST Software\Avast\aswAux.dll Script: Quarantine, Delete, Delete via BC	1946943488	avast! Auxiliary Library		95E00420A2651717AACA9E6DB6FA915C	1180, 4580
C:\Program Files\AVAST Software\Avast\aswCmnBS.dll Script: Quarantine, Delete, Delete via BC	1963786240	Common functions	Copyright (c) 2014 AVAST Software	3879605A30CCA0782C6D8D28C058CCF9	1180, 4580
C:\Program Files\AVAST Software\Avast\aswCmnIS.dll Script: Quarantine, Delete, Delete via BC	1960640512	Antivirus independent functions	Copyright (c) 2014 AVAST Software	67CF2881C32E50741E69730ACB10E2B2	1180, 4580
C:\Program Files\AVAST Software\Avast\aswCmnOS.dll Script: Quarantine, Delete, Delete via BC	1960968192	Antivirus HW dependent library	Copyright (c) 2014 AVAST Software	DA1B7AB91A15A15A6EB5BFA1428DEF78	1180, 4580
C:\Program Files\AVAST Software\Avast\aswCommChannel.dll Script: Quarantine, Delete, Delete via BC	1959919616	Communication Channels	Copyright (c) 2014 AVAST Software	FACCEA2A2F5D5777A5CF088AC22BC167	1180, 4580
C:\Program Files\AVAST Software\Avast\aswData.dll Script: Quarantine, Delete, Delete via BC	1773993984	avast! UI Layer library	Copyright (c) 2014 AVAST Software	3D30ADBE817BAC5762A578825AD91A57	4580
C:\Program Files\AVAST Software\Avast\aswDnsCache.dll Script: Quarantine, Delete, Delete via BC	1888616448	avast! Property Storage library	Copyright (c) 2014 AVAST Software	6B0FA18AF3DE4342B9D99C570E70E45F	1180
C:\Program Files\AVAST Software\Avast\aswEngLdr.dll Script: Quarantine, Delete, Delete via BC	1959788544	Antivirus engine loader	Copyright (c) 2014 AVAST Software	DA3DCADB0AD2675250D83254F155BE01	1180, 4580
C:\Program Files\AVAST Software\Avast\aswJsFlt.dll Script: Quarantine, Delete, Delete via BC	1679556608	avast! Script Blocking filter library	Copyright (c) 2014 AVAST Software	40155B5F4053AB1CB7109D78F014F2FE	5688
C:\Program Files\AVAST Software\Avast\aswJSScan.dll Script: Quarantine, Delete, Delete via BC	1881407488	avast! GrimeFighter	Copyright (c) 2014 AVAST Software	4828D1242666C5FF4FF220851DACC7D2	1180, 4580
C:\Program Files\AVAST Software\Avast\aswLog.dll Script: Quarantine, Delete, Delete via BC	1949368320	avast! Log library	Copyright (c) 2014 AVAST Software	DCD2625A29B2A5E3B04163DCCDB63EC8	1180, 4580
C:\Program Files\AVAST Software\Avast\aswNg.dll Script: Quarantine, Delete, Delete via BC	1899364352	avast! NG core library	Copyright (c) 2014 AVAST Software	E3E2F533EA0698C6E3840C7EFCC1680F	1180
C:\Program Files\AVAST Software\Avast\aswpatchmgt.dll Script: Quarantine, Delete, Delete via BC	1871970304	Software Health framework library	Copyright (c) 2014 AVAST Software	AEA757AE582CFD71640FFAB8C8F0C3F1	1180
C:\Program Files\AVAST Software\Avast\aswProperty.dll Script: Quarantine, Delete, Delete via BC	1943928832	avast! Property Storage library	Copyright (c) 2014 AVAST Software	0329B24AD4ECD7B314CA0DD867AC55AA	1180, 4580
C:\Program Files\AVAST Software\Avast\aswRemoteCache.dll Script: Quarantine, Delete, Delete via BC	1814691840	RemoteCache	Copyright (c) 2014 AVAST Software	A61BE5A85B9DCA0D3EBA149CD656FF65	4580
C:\Program Files\AVAST Software\Avast\aswSqLt.dll Script: Quarantine, Delete, Delete via BC	1946091520	avast! SQLite library	Copyright (c) 2014 AVAST Software	3FE7F9619963EC5226B175E87F812F16	1180, 4580
C:\Program Files\AVAST Software\Avast\aswStreamFilter.dll Script: Quarantine, Delete, Delete via BC	1888747520	Stream Filter	Copyright (c) 2014 AVAST Software	B4E3E862F88B101063AD85D1259AE52B	1180
C:\Program Files\AVAST Software\Avast\aswStrm.dll Script: Quarantine, Delete, Delete via BC	1947926528	avast! Streaming Update library	Copyright (c) 2014 AVAST Software	BD5DE3D641C02E2623B767A9D3256B2E	1180
C:\Program Files\AVAST Software\Avast\aswUtil.dll Script: Quarantine, Delete, Delete via BC	1764163584	avast! Utility library	Copyright (c) 2014 AVAST Software	6017C69CACB589F929613AFC990A7850	4580
C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Script: Quarantine, Delete, Delete via BC	1566113792	IE Webrep plugin	Copyright (c) 2014 AVAST Software	DBACE317EE0D5BF6EC9CF351AFFD3D1B	5688
C:\Program Files\AVAST Software\Avast\aswWrcIEBroker32.dll Script: Quarantine, Delete, Delete via BC	1564606464	IE Webrep broker plugin	Copyright (c) 2014 AVAST Software	5D2E41F07F70E480AE6C960C304F119D	5688
C:\Program Files\AVAST Software\Avast\avastIP.dll Script: Quarantine, Delete, Delete via BC	1960378368	aswDld Dynamic Link Library	Copyright (c) 2014 AVAST Software	F296E6286DC207F2BB972D71B4AE373A	1180, 4580
C:\Program Files\AVAST Software\Avast\CommonRes.dll Script: Quarantine, Delete, Delete via BC	1624768512	Common UI resources	Copyright (c) 2014 AVAST Software	36CB833455AD5F4A30DFB3E475C30118	4580
C:\Program Files\AVAST Software\Avast\defs\15020700\algo.dll Script: Quarantine, Delete, Delete via BC	1902772224			D733F81E30FD33760D44478138AEB36A	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\aswCleanerDLL.dll Script: Quarantine, Delete, Delete via BC	1908932608	Virus/Worm Cleaner Application for avast!	Copyright (c) 2011 AVAST Software	477BF215B37675AE1D93C35FC79CF786	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\aswCmnBS.dll Script: Quarantine, Delete, Delete via BC	1910571008	Common functions	Copyright (c) 2013 AVAST Software	9747663B6E820C42BA3645B826F57746	1180, 4580
C:\Program Files\AVAST Software\Avast\defs\15020700\aswCmnIS.dll Script: Quarantine, Delete, Delete via BC	1911226368	Antivirus independent functions	Copyright (c) 2013 AVAST Software	8F981F2834D725D5808FAB5AA130BB53	1180, 4580
C:\Program Files\AVAST Software\Avast\defs\15020700\aswCmnOS.dll Script: Quarantine, Delete, Delete via BC	1911029760	Antivirus HW dependent library	Copyright (c) 2013 AVAST Software	19ACD53CB7BBAE5370F08331DC7B59A2	1180, 4580
C:\Program Files\AVAST Software\Avast\defs\15020700\aswEngin.dll Script: Quarantine, Delete, Delete via BC	1915158528	High level antivirus engine	Copyright (c) 2013 AVAST Software	0FDE6A8E43EAD343136B66F4721BD425	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\aswFiDb.dll Script: Quarantine, Delete, Delete via BC	1909456896	File information database access	Copyright (c) 2013 AVAST Software	5E32E7C5542D95E04E8ABE8B3F676D11	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\aswRep.dll Script: Quarantine, Delete, Delete via BC	1909981184	Reputation services access	Copyright (c) 2013 AVAST Software	1BEE62B3B23C201FBD0168FA6BD3D802	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\aswScan.dll Script: Quarantine, Delete, Delete via BC	1910374400	Low level antivirus engine	Copyright (c) 2013 AVAST Software	9E4FD705940D0C4F7B192ED162398FD7	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\swhealthex.dll Script: Quarantine, Delete, Delete via BC	1870331904	Software Health extension library	Copyright (c) 2013 AVAST Software	2AFAAC858BDC2DC6355252BC1BFBB0BC	1180
C:\Program Files\AVAST Software\Avast\defs\15020700\uiExt.dll Script: Quarantine, Delete, Delete via BC	1768423424	avast! UI extension library	Copyright (c) 2013 AVAST Software	661E33E9192DB4EB5E7FE9B7DFB5622B	4580
C:\Program Files\AVAST Software\Avast\HTMLayout.dll Script: Quarantine, Delete, Delete via BC	1670971392	HTMLayout - embeddable HTML rendering and layout component	Copyright (c) 2012 AVAST Software	67DCACDEA595375B6323F7C825BFE8DB	4580
C:\Program Files\AVAST Software\Avast\icudt.dll Script: Quarantine, Delete, Delete via BC	1566703616	ICU Data DLL	Copyright (C) 2010, International Business Machines Corporation and others. All Rights Reserved.	C9A6353BE335BB8328EAB70CC9827BDF	4580
C:\Program Files\AVAST Software\Avast\libcef.dll Script: Quarantine, Delete, Delete via BC	1681784832	Chromium Embedded Framework (CEF) Dynamic Link Library	Copyright (C) 2014 The Chromium Embedded Framework Authors	9CE64E22C0D6DE422512CB7D31B0FAE6	4580
C:\Program Files\AVAST Software\Avast\LIBEAY32.dll Script: Quarantine, Delete, Delete via BC	1950154752	OpenSSL Shared Library	Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.	C7B6D3CA8FF1B710D9A34204061B066E	1180, 4580
C:\Program Files\AVAST Software\Avast\ng\vbox\x86\VBoxClient-x86.dll Script: Quarantine, Delete, Delete via BC	1898577920	VirtualBox Interface (32-bit)	Copyright (C) 2009-2014 Oracle Corporation	C3134EEE83D2460223C5FFFF3D7BE8FE	1180
C:\Program Files\AVAST Software\Avast\ng\vbox\x86\VBoxRT-x86.dll Script: Quarantine, Delete, Delete via BC	1892810752			8B524E3E3DB9B3C212B5BE01AFF610BA	1180
C:\Program Files\AVAST Software\Avast\snxhk.dll Script: Quarantine, Delete, Delete via BC	1659633664	avast! snxhk	Copyright (c) 2014 AVAST Software	01C4311AFEAED41D19B5B7A3821FC4CF	5688
C:\Program Files\AVAST Software\Avast\ssleay32.dll Script: Quarantine, Delete, Delete via BC	1951399936	OpenSSL Shared Library	Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.	6D258DB9968228D96BE538F0E2BF5CA5	1180, 4580
C:\PROGRA~1\AVASTS~1\Avast\Aavm4h.dll Script: Quarantine, Delete, Delete via BC	1942421504	avast! Asynchronous Virus Monitor (AAVM)	Copyright (c) 2014 AVAST Software	399CC697B96C16B2B04397F0437BD8DF	5688
C:\PROGRA~1\AVASTS~1\Avast\AavmRpch.dll Script: Quarantine, Delete, Delete via BC	1946681344	avast! AAVM Remote Procedure Call Library	Copyright (c) 2014 AVAST Software	072A993B8CF192A635B044FF832E85AD	5688
C:\PROGRA~1\AVASTS~1\Avast\ashBase.dll Script: Quarantine, Delete, Delete via BC	1962672128	Basic Functionality Module	Copyright (c) 2014 AVAST Software	0022F7F5FA0DDA99D71D500CD51CB98C	5688
C:\PROGRA~1\AVASTS~1\Avast\ashTask.dll Script: Quarantine, Delete, Delete via BC	1948385280	Task Handling Module	Copyright (c) 2014 AVAST Software	652D7D4C2344309DDBA5E6554DBAAF15	5688
C:\PROGRA~1\AVASTS~1\Avast\aswAux.dll Script: Quarantine, Delete, Delete via BC	1946943488	avast! Auxiliary Library		95E00420A2651717AACA9E6DB6FA915C	5688
C:\PROGRA~1\AVASTS~1\Avast\aswCmnBS.dll Script: Quarantine, Delete, Delete via BC	1963786240	Common functions	Copyright (c) 2014 AVAST Software	3879605A30CCA0782C6D8D28C058CCF9	5688
C:\PROGRA~1\AVASTS~1\Avast\aswCmnIS.dll Script: Quarantine, Delete, Delete via BC	1960640512	Antivirus independent functions	Copyright (c) 2014 AVAST Software	67CF2881C32E50741E69730ACB10E2B2	5688
C:\PROGRA~1\AVASTS~1\Avast\aswCmnOS.dll Script: Quarantine, Delete, Delete via BC	1960968192	Antivirus HW dependent library	Copyright (c) 2014 AVAST Software	DA1B7AB91A15A15A6EB5BFA1428DEF78	5688
C:\PROGRA~1\AVASTS~1\Avast\aswCommChannel.dll Script: Quarantine, Delete, Delete via BC	1959919616	Communication Channels	Copyright (c) 2014 AVAST Software	FACCEA2A2F5D5777A5CF088AC22BC167	5688
C:\PROGRA~1\AVASTS~1\Avast\aswEngLdr.dll Script: Quarantine, Delete, Delete via BC	1959788544	Antivirus engine loader	Copyright (c) 2014 AVAST Software	DA3DCADB0AD2675250D83254F155BE01	5688
C:\PROGRA~1\AVASTS~1\Avast\aswProperty.dll Script: Quarantine, Delete, Delete via BC	1943928832	avast! Property Storage library	Copyright (c) 2014 AVAST Software	0329B24AD4ECD7B314CA0DD867AC55AA	5688
C:\PROGRA~1\AVASTS~1\Avast\avastIP.dll Script: Quarantine, Delete, Delete via BC	1960378368	aswDld Dynamic Link Library	Copyright (c) 2014 AVAST Software	F296E6286DC207F2BB972D71B4AE373A	5688
c:\PROGRA~2\mcafee\SITEAD~1\mcbrwctl.dll Script: Quarantine, Delete, Delete via BC	1577123840	SiteAdvisor	Copyright © 2014 McAfee, Inc.	620A27FD65EB060AE27B8743A80CA838	5688
c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll Script: Quarantine, Delete, Delete via BC	1578237952	SiteAdvisor	Copyright © 2014 McAfee, Inc.	8B0C03962C3F938221AB850DDC9415E1	5688
c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll Script: Quarantine, Delete, Delete via BC	1964179456	SiteAdvisor	Copyright © 2014 McAfee, Inc.	F38A10A81A6CA2B55158679512C809D2	4028, 5036, 4580, 724, 1028, 5688, 812, 3096, 992, 916, 2140, 1356
c:\PROGRA~2\mcafee\SITEAD~1\saPlugin.dll Script: Quarantine, Delete, Delete via BC	1559494656	SiteAdvisor	Copyright © 2014 McAfee, Inc.	29CEE979BDB8B90C9977D6808CD31776	5688
C:\Windows\assembly\GAC_MSIL\MyService\1.0.0.1__2dfa3f50f0bed57d\MyService.dll Script: Quarantine, Delete, Delete via BC	57606144	MyService	Copyright © 2014	D331DB106558BE2BF3073283202DCA8B	1028
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\5bd3374f05d46ba0563f44d032209f08\mscorlib.ni.dll Script: Quarantine, Delete, Delete via BC	1645215744	Microsoft Common Language Runtime Class Library	© Microsoft Corporation. All rights reserved.	A9FD231CDCD4F1C6F28E2AF9B4D83923	4028, 1028
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\0f06c6152e5384e75e9517c79ed500d4\System.Configuration.ni.dll Script: Quarantine, Delete, Delete via BC	1604845568	System.Configuration.dll	© Microsoft Corporation. All rights reserved.	60DA9831F4AD7152250D3065C6872209	4028
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\828956d62d94914af63efc7fb36d1120\System.Drawing.ni.dll Script: Quarantine, Delete, Delete via BC	1630208000	.NET Framework	© Microsoft Corporation. All rights reserved.	B1DB642992D98B5B276FAC6F3E17A8B5	4028, 1028
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\6074b87793a7906a01317ea8832e7330\System.Web.ni.dll Script: Quarantine, Delete, Delete via BC	1511784448	System.Web.dll	© Microsoft Corporation. All rights reserved.	13520F0398C887F0DC27B9CD43053144	4028
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6b1a3043fa76fc0f83502099411d2a10\System.Windows.Forms.ni.dll Script: Quarantine, Delete, Delete via BC	1608187904	.NET Framework	© Microsoft Corporation. All rights reserved.	1F385EDAB26C2D75FE5961795129C223	4028, 1028
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\49201f5658aca21352debffb85ff41df\System.Xml.ni.dll Script: Quarantine, Delete, Delete via BC	1586823168	.NET Framework	© Microsoft Corporation. All rights reserved.	B9440C895E28878105BE8451FCA23DF8	4028
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\4976746d2f27ea6b60301a84d6c3e4be\System.ni.dll Script: Quarantine, Delete, Delete via BC	106364928	.NET Framework	© Microsoft Corporation. All rights reserved.	D287076FDB3201C97481EE628E296D3F	4028, 1028
C:\Windows\SYSTEM32\Macromed\Flash\Flash.ocx Script: Quarantine, Delete, Delete via BC	1538129920	Adobe Flash Player 16.0 r0	Adobe® Flash® Player. Copyright © 1996-2015 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.	45F752C3105D14434AE29C3AF55587C3	5688
Modules found:371, recognized as trusted 240

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\system32\drivers\aswMonFlt.sys Script: Quarantine, Delete, Delete via BC	447C5000	022000 (139264)	avast! File System Minifilter for Windows 2003/Vista	Copyright (c) 2014 AVAST Software
C:\Windows\System32\Drivers\aswRvrt.sys Script: Quarantine, Delete, Delete via BC	436A6000	013000 (77824)
C:\Windows\system32\drivers\aswSnx.sys Script: Quarantine, Delete, Delete via BC	43A53000	104000 (1064960)	avast! Virtualization Driver	Copyright (c) 2014 AVAST Software
C:\Windows\system32\drivers\aswSP.sys Script: Quarantine, Delete, Delete via BC	43B57000	071000 (462848)	avast! self protection module	Copyright (c) 2014 AVAST Software
C:\Windows\system32\drivers\aswStm.sys Script: Quarantine, Delete, Delete via BC	44600000	01F000 (126976)	Stream Filter	Copyright (c) 2014 AVAST Software
C:\Windows\system32\drivers\bsdriver.sys Script: Quarantine, Delete, Delete via BC	43BD9000	00E000 (57344)		Copyright (c) 2012
C:\Windows\System32\Drivers\dump_diskdump.sys Script: Quarantine, Delete, Delete via BC	455BF000	00C000 (49152)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, Delete via BC	455E8000	016000 (90112)
C:\Windows\System32\Drivers\dump_storahci.sys Script: Quarantine, Delete, Delete via BC	455CB000	01D000 (118784)
C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys Script: Quarantine, Delete, Delete via BC	445A8000	047000 (290816)	VirtualBox Support Driver	Copyright (C) 2009-2014 Oracle Corporation
Modules found - 169, recognized as trusted - 159

Services

Service	Description	Status	File	Group	Dependencies
!SASCORE Service: Stop, Delete, Disable, Delete via BC	SAS Core Service	Running	C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE Script: Quarantine, Delete, Delete via BC
Apple Mobile Device Service: Stop, Delete, Disable, Delete via BC	Apple Mobile Device	Running	C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC		Tcpip
avast! Antivirus Service: Stop, Delete, Disable, Delete via BC	avast! Antivirus	Running	C:\Program Files\AVAST Software\Avast\AvastSvc.exe Script: Quarantine, Delete, Delete via BC	ShellSvcGroup	aswMonFlt
AvastVBoxSvc Service: Stop, Delete, Disable, Delete via BC	AvastVBox COM Service	Running	C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe Script: Quarantine, Delete, Delete via BC		RPCSS
ePowerSvc Service: Stop, Delete, Disable, Delete via BC	ePower Service	Running	C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe Script: Quarantine, Delete, Delete via BC
iPod Service Service: Stop, Delete, Disable, Delete via BC	iPod Service	Running	C:\Program Files\iPod\bin\iPodService.exe Script: Quarantine, Delete, Delete via BC		RpcSs
LMSvc Service: Stop, Delete, Disable, Delete via BC	Launch Manager Service	Running	C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe Script: Quarantine, Delete, Delete via BC
McAfee SiteAdvisor Service Service: Stop, Delete, Disable, Delete via BC	McAfee SiteAdvisor Service	Running	C:\PROGRAM FILES (X86)\MCAFEE\SITEADVISOR\MCSACORE.EXE Script: Quarantine, Delete, Delete via BC
mfefire Service: Stop, Delete, Disable, Delete via BC	McAfee Firewall Core Service	Running	C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe Script: Quarantine, Delete, Delete via BC		mfevtp
mfevtp Service: Stop, Delete, Disable, Delete via BC	McAfee Validation Trust Protection Service	Running	C:\Windows\system32\mfevtps.exe Script: Quarantine, Delete, Delete via BC		mfehidk
QASvc Service: Stop, Delete, Disable, Delete via BC	Quick Access Service	Running	C:\Program Files\Acer\Acer Quick Access\QASvc.exe Script: Quarantine, Delete, Delete via BC
RMSvc Service: Stop, Delete, Disable, Delete via BC	Quick Access RadioMgr Service	Running	C:\Program Files\Acer\Acer Quick Access\RMSvc.exe Script: Quarantine, Delete, Delete via BC
csrcc Service: Stop, Delete, Disable, Delete via BC	csrcc	Not started	C:\Program Files\shopperz\csrcc.exe Script: Quarantine, Delete, Delete via BC		RPCSS
Intel(R) Capability Licensing Service TCP IP Interface Service: Stop, Delete, Disable, Delete via BC	Intel(R) Capability Licensing Service TCP IP Interface	Not started	C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe Script: Quarantine, Delete, Delete via BC
SkypeUpdate Service: Stop, Delete, Disable, Delete via BC	Skype Updater	Not started	C:\Program Files (x86)\Skype\Updater\Updater.exe Script: Quarantine, Delete, Delete via BC		RpcSs
Detected - 195, recognized as trusted - 180

Drivers

Service	Description	Status	File	Group	Dependencies
aswMonFlt Driver: Unload, Delete, Disable, Delete via BC	aswMonFlt	Running	C:\Windows\system32\drivers\aswMonFlt.sys Script: Quarantine, Delete, Delete via BC	FSFilter Anti-Virus	FltMgr
aswRvrt Driver: Unload, Delete, Disable, Delete via BC	avast! Revert	Running	aswRvrt.sys Script: Quarantine, Delete, Delete via BC
aswSnx Driver: Unload, Delete, Disable, Delete via BC	aswSnx	Running	C:\Windows\system32\drivers\aswSnx.sys Script: Quarantine, Delete, Delete via BC	FSFilter Virtualization	FltMgr
aswSP Driver: Unload, Delete, Disable, Delete via BC	aswSP	Running	C:\Windows\system32\drivers\aswSP.sys Script: Quarantine, Delete, Delete via BC	FSFilter Activity Monitor	FltMgr
aswStm Driver: Unload, Delete, Disable, Delete via BC	aswStm	Running	C:\Windows\system32\drivers\aswStm.sys Script: Quarantine, Delete, Delete via BC	NDIS	tcpip
bsdriver Driver: Unload, Delete, Disable, Delete via BC	bsdriver	Running	C:\Windows\system32\drivers\bsdriver.sys Script: Quarantine, Delete, Delete via BC	Base
VBoxAswDrv Driver: Unload, Delete, Disable, Delete via BC	VBoxAsw Support Driver	Running	C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys Script: Quarantine, Delete, Delete via BC
MBAMSwissArmy Driver: Unload, Delete, Disable, Delete via BC	MBAMSwissArmy	Not started	C:\Windows\system32\drivers\MBAMSwissArmy.sys Script: Quarantine, Delete, Delete via BC	FSFilter Activity Monitor
Detected - 304, recognized as trusted - 296

Autoruns

File name	Status	Startup method	Description
.dll Script: Quarantine, Delete, Delete via BC	--	?	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Lsa, Security Packages
C:\Program Files (x86)\Acer\AOP Framework\BackgroundAgent.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BacKGround Agent Delete
C:\Program Files (x86)\Acer\abDocs\abDocsDllLoader.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, abDocsDllLoader Delete
C:\Program Files (x86)\CheckPoint\Install\Install.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ZoneAlarm Installer Delete
C:\Program Files (x86)\CheckPoint\Install\Install.xml Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ZoneAlarm Installer Delete
C:\Program Files (x86)\CheckPoint\Install\Launcher.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, ZoneAlarm Installer Delete
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IPSEventLogMsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Handwriting Recognition, EventMessageFile
C:\Program Files (x86)\Nero\Nero 12\Nero BackItUp\NBEventLog.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nero BackItUp 12, EventMessageFile
C:\Program Files (x86)\QuickTime\QTSystem\QuickTime.cpl Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, QuickTime Delete
C:\Program Files (x86)\QuickTime\QTTask.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, QuickTime Task Delete
C:\Program Files (x86)\Skype\Phone\Skype.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Skype Delete
C:\Program Files (x86)\Skype\Updater\Updater.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SkypeUpdate, EventMessageFile
C:\Program Files (x86)\Windows Defender\MpEvMsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WinDefend, EventMessageFile
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, msnmsgr Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {00F33137-EE26-412F-8D71-F84E4C2C6625} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {00F30F90-3E96-453B-AFCD-D71989ECC2C7} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {06A2568A-CED6-4187-BB20-400B8C02BE5A} Delete
C:\Program Files (x86)\iTunes\iTunesHelper.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, iTunesHelper Delete
C:\Program Files\AVAST Software\Avast\AvastUI.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, AvastUI.exe Delete
C:\Program Files\AVAST Software\Avast\ashShA64.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {472083B0-C522-11CF-8763-00608CC02F24} Delete
C:\Program Files\AVAST Software\Avast\ashShell.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {472083B0-C522-11CF-8763-00608CC02F24} Delete
C:\Program Files\BubbleSound\3D BubbleSound.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, 3D BubbleSound Delete
C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mfehidk, EventMessageFile
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, SUPERAntiSpyware Delete
C:\Program Files\iTunes\iTunesMiniPlayer.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} Delete
C:\Users\Franny\AppData\Local\Pokki\Engine\HostAppService.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\RunOnce, Application Restart #1 Delete
C:\Users\Franny\AppData\Local\Pokki\Engine\inspector Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\RunOnce, Application Restart #1 Delete
C:\Windows\SYSTEM32\sirenacm.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Drivers32, msacm.siren Delete
C:\Windows\System32\AudioEndpointBuilder.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder\Parameters, ServiceDll Delete
C:\Windows\System32\Audiosrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Audiosrv\Parameters, ServiceDll Delete
C:\Windows\System32\AxInstSV.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AxInstSV\Parameters, ServiceDll Delete
C:\Windows\System32\AxInstSv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-AxInstallService, EventMessageFile
C:\Windows\System32\DFDTS.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Windows Disk Diagnostic, EventMessageFile
C:\Windows\System32\DeviceSetupManager.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DsmSvc\Parameters, ServiceDll Delete
C:\Windows\System32\Drivers\BthEnum.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BthEnum, EventMessageFile
C:\Windows\System32\Drivers\BthLEEnum.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BthLEEnum, EventMessageFile
C:\Windows\System32\Drivers\BthUsb.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BTHUSB, EventMessageFile
C:\Windows\System32\Drivers\Bthport.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BTHPORT, EventMessageFile
C:\Windows\System32\Drivers\Bthport.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BTHUSB, EventMessageFile
C:\Windows\System32\Drivers\EhStorTcgDrv.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-EnhancedStorage-EhStorTcgDrv, EventMessageFile
C:\Windows\System32\Drivers\Pcmcia.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\pcmcia, EventMessageFile
C:\Windows\System32\Drivers\VerifierExt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-XDV, EventMessageFile
C:\Windows\System32\Drivers\VolSnap.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Volsnap, EventMessageFile
C:\Windows\System32\Drivers\acpi.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ACPI, EventMessageFile
C:\Windows\System32\Drivers\btfilter.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BtFilter, EventMessageFile
C:\Windows\System32\Drivers\hidbth.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\HidBth, EventMessageFile
C:\Windows\System32\Drivers\hidi2c.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\hidi2c, EventMessageFile
C:\Windows\System32\Drivers\uefi.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\UEFI, EventMessageFile
C:\Windows\System32\Drivers\umdf\HidBthLE.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mshidumdf, EventMessageFile
C:\Windows\System32\Drivers\usbehci.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\usbehci, EventMessageFile
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmicguestinterface\Parameters, ServiceDll Delete
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmicheartbeat\Parameters, ServiceDll Delete
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmickvpexchange\Parameters, ServiceDll Delete
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmicrdv\Parameters, ServiceDll Delete
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmicshutdown\Parameters, ServiceDll Delete
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmictimesync\Parameters, ServiceDll Delete
C:\Windows\System32\ICSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\vmicvss\Parameters, ServiceDll Delete
C:\Windows\System32\NcdAutoSetup.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\NcdAutoSetup\Parameters, ServiceDll Delete
C:\Windows\System32\RpcEpMap.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RpcEptMapper\Parameters, ServiceDll Delete
C:\Windows\System32\SCardSvr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters, ServiceDll Delete
C:\Windows\System32\ScDeviceEnum.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\ScDeviceEnum\Parameters, ServiceDll Delete
C:\Windows\System32\SystemEventsBrokerServer.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SystemEventsBroker\Parameters, ServiceDll Delete
C:\Windows\System32\TabSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TabletInputService\Parameters, ServiceDll Delete
C:\Windows\System32\TimeBrokerServer.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TimeBroker\Parameters, ServiceDll Delete
C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}, DLLName Delete
C:\Windows\System32\UI0Detect.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Interactive Services detection, EventMessageFile
C:\Windows\System32\VSSVC.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSS, EventMessageFile
C:\Windows\System32\VSSVC.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Security\VSSAudit, EventMessageFile
C:\Windows\System32\WSService.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WSService\Parameters, ServiceDll Delete
C:\Windows\System32\WUDFHost.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WUDF\Services\{193a1820-d9ac-4997-8c55-be817523f6aa}, HostProcessImagePath Delete
C:\Windows\System32\WUDFSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wudfsvc\Parameters, ServiceDll Delete
C:\Windows\System32\WerSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WerSvc\Parameters, ServiceDll Delete
C:\Windows\System32\aelupsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AeLookupSvc\Parameters, ServiceDll Delete
C:\Windows\System32\aelupsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AeLookupSvc, EventMessageFile
C:\Windows\System32\appidsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppIDSvc\Parameters, ServiceDll Delete
C:\Windows\System32\appinfo.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Appinfo\Parameters, ServiceDll Delete
C:\Windows\System32\bdesvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BDESVC\Parameters, ServiceDll Delete
C:\Windows\System32\bfe.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BFE\Parameters, ServiceDll Delete
C:\Windows\System32\bisrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BrokerInfrastructure\Parameters, ServiceDll Delete
C:\Windows\System32\browser.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Browser\Parameters, ServiceDll Delete
C:\Windows\System32\certprop.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\CertPropSvc\Parameters, ServiceDll Delete
C:\Windows\System32\certprop.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SCPolicySvc\Parameters, ServiceDll Delete
C:\Windows\System32\defragsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\defragsvc\Parameters, ServiceDll Delete
C:\Windows\System32\dmvscres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\dmvsc, EventMessageFile
C:\Windows\System32\dnsrslvr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, ServiceDll Delete
C:\Windows\System32\dot3svc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\dot3svc\Parameters, ServiceDll Delete
C:\Windows\System32\drivers\MTConfig.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MTConfig, EventMessageFile
C:\Windows\System32\drivers\TeeDriverx64.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MEIx64, EventMessageFile
C:\Windows\System32\drivers\UMDF\LocationProvider.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-LocationProvider, EventMessageFile
C:\Windows\System32\drivers\Wdf01000.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\wdf01000, EventMessageFile
C:\Windows\System32\drivers\amdk8.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AmdK8, EventMessageFile
C:\Windows\System32\drivers\amdppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AmdPPM, EventMessageFile
C:\Windows\System32\drivers\btath_hcrp.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\BTATH_HCRP, EventMessageFile
C:\Windows\System32\drivers\bxvbda.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\b06bdrv, EventMessageFile
C:\Windows\System32\drivers\evbda.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ebdrv, EventMessageFile
C:\Windows\System32\drivers\fltmgr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\FltMgr, EventMessageFile
C:\Windows\System32\drivers\fxppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\FxPPM, EventMessageFile
C:\Windows\System32\drivers\i8042prt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\i8042prt, EventMessageFile
C:\Windows\System32\drivers\iaStorAV.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iaStorAV, EventMessageFile
C:\Windows\System32\drivers\iaStorV.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iaStorV, EventMessageFile
C:\Windows\System32\drivers\intelppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelppm, EventMessageFile
C:\Windows\System32\drivers\ipmidrv.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPMIDRV, EventMessageFile
C:\Windows\System32\drivers\isapnp.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\isapnp, EventMessageFile
C:\Windows\System32\drivers\k57nd60a.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\k57nd60a, EventMessageFile
C:\Windows\System32\drivers\kbdclass.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\kbdclass, EventMessageFile
C:\Windows\System32\drivers\kbdhid.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\kbdhid, EventMessageFile
C:\Windows\System32\drivers\mouclass.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mouclass, EventMessageFile
C:\Windows\System32\drivers\mouhid.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mouhid, EventMessageFile
C:\Windows\System32\drivers\nvstor.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\nvstor, EventMessageFile
C:\Windows\System32\drivers\parport.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Parport, EventMessageFile
C:\Windows\System32\drivers\processr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Processor, EventMessageFile
C:\Windows\System32\drivers\sbp2port.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sbp2port, EventMessageFile
C:\Windows\System32\drivers\serial.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Serial, EventMessageFile
C:\Windows\System32\drivers\sermouse.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sermouse, EventMessageFile
C:\Windows\System32\drivers\tpm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TPM, EventMessageFile
C:\Windows\System32\drivers\tsusbflt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TsUsbFlt, EventMessageFile
C:\Windows\System32\drivers\vpci.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vpci, EventMessageFile
C:\Windows\System32\drivers\wacompen.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WacomPen, EventMessageFile
C:\Windows\System32\dxgwdi.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Display, EventMessageFile
C:\Windows\System32\eapsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eaphost\Parameters, ServiceDll Delete
C:\Windows\System32\fxsevent.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Fax, EventMessageFile
C:\Windows\System32\gpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\gpsvc\Parameters, ServiceDll Delete
C:\Windows\System32\icardres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\CardSpace 4.0.0.0, EventMessageFile
C:\Windows\System32\ikeext.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters, ServiceDll Delete
C:\Windows\System32\iphlpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters, ServiceDll Delete
C:\Windows\System32\ipnathlp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters, ServiceDll Delete
C:\Windows\System32\ipsecsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters, ServiceDll Delete
C:\Windows\System32\iscsiexe.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MSiSCSI, EventMessageFile
C:\Windows\System32\iscsilog.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iScsiPrt, EventMessageFile
C:\Windows\System32\lltdsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lltdsvc\Parameters, ServiceDll Delete
C:\Windows\System32\lmhsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lmhosts\Parameters, ServiceDll Delete
C:\Windows\System32\lsasrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\LsaSrv, EventMessageFile
C:\Windows\System32\lsasrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel, EventMessageFile
C:\Windows\System32\lsm.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LSM\Parameters, ServiceDll Delete
C:\Windows\System32\mdsched.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-MemoryDiagnostics-Schedule, EventMessageFile
C:\Windows\System32\ncasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\NcaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\ncbservice.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\NcbService\Parameters, ServiceDll Delete
C:\Windows\System32\netman.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Netman\Parameters, ServiceDll Delete
C:\Windows\System32\netprofmsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\netprofm\Parameters, ServiceDll Delete
C:\Windows\System32\netvscres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\netvsc, EventMessageFile
C:\Windows\System32\nlasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\pcasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PcaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\profsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-User Profiles Service, EventMessageFile
C:\Windows\System32\profsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Profsvc, EventMessageFile
C:\Windows\System32\pwlauncher.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WindowsToGo-StartupOptions, EventMessageFile
C:\Windows\System32\qmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BITS\Parameters, ServiceDll Delete
C:\Windows\System32\rasauto.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RasAuto\Parameters, ServiceDll Delete
C:\Windows\System32\rasmans.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RasMan\Parameters, ServiceDll Delete
C:\Windows\System32\relpost.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-MemoryDiagnostics-Results, EventMessageFile
C:\Windows\System32\samsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Directory-Services-SAM, EventMessageFile
C:\Windows\System32\samsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SAM, EventMessageFile
C:\Windows\System32\sens.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SENS\Parameters, ServiceDll Delete
C:\Windows\System32\snmptrap.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SNMPTRAP, EventMessageFile
C:\Windows\System32\ssdpsrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters, ServiceDll Delete
C:\Windows\System32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-RasSstp, EventMessageFile
C:\Windows\System32\swprv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\swprv\Parameters, ServiceDll Delete
C:\Windows\System32\tcpmon.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TCPMon, EventMessageFile
C:\Windows\System32\termsrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TermService\Parameters, ServiceDll Delete
C:\Windows\System32\trkwks.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TrkWks\Parameters, ServiceDll Delete
C:\Windows\System32\umpo.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Power, EventMessageFile
C:\Windows\System32\umrdp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\UmRdpService\Parameters, ServiceDll Delete
C:\Windows\System32\umrdp.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\UmRdpService, EventMessageFile
C:\Windows\System32\vaultsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\VaultSvc\Parameters, ServiceDll Delete
C:\Windows\System32\vds.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Virtual Disk Service, EventMessageFile
C:\Windows\System32\vdsbas.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\VDS Basic Provider, EventMessageFile
C:\Windows\System32\vdsdyn.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\VDS Dynamic Provider, EventMessageFile
C:\Windows\System32\vdsvd.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\VDS Virtual Disk Provider, EventMessageFile
C:\Windows\System32\vmbusres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vmbus, EventMessageFile
C:\Windows\System32\vmictimeprovider.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider, DllName Delete
C:\Windows\System32\vmstorfltres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\storflt, EventMessageFile
C:\Windows\System32\wbiosrvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WbioSrvc\Parameters, ServiceDll Delete
C:\Windows\System32\wcmsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Wcmsvc\Parameters, ServiceDll Delete
C:\Windows\System32\wcncsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters, ServiceDll Delete
C:\Windows\System32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\wecsvc, EventMessageFile
C:\Windows\System32\wercplsupport.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters, ServiceDll Delete
C:\Windows\System32\wersvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Application Hang, EventMessageFile
C:\Windows\System32\wersvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WerSvc, EventMessageFile
C:\Windows\System32\wevtsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Security\Microsoft-Windows-Eventlog, EventMessageFile
C:\Windows\System32\wevtsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Eventlog, EventMessageFile
C:\Windows\System32\wiarpc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WiaRpc\Parameters, ServiceDll Delete
C:\Windows\System32\wiaservc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\stisvc\Parameters, ServiceDll Delete
C:\Windows\System32\wiaservc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\StillImage, EventMessageFile
C:\Windows\System32\win32k.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Kmode
C:\Windows\System32\win32k.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Win32k, EventMessageFile
C:\Windows\System32\wininit.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Wininit, EventMessageFile
C:\Windows\System32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon, EventMessageFile
C:\Windows\System32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Wlclntfy, EventMessageFile
C:\Windows\System32\wkssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, ServiceDll Delete
C:\Windows\System32\wlansvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WlanSvc\Parameters, ServiceDll Delete
C:\Windows\System32\wscsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wscsvc\Parameters, ServiceDll Delete
C:\Windows\System32\wscsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SecurityCenter, EventMessageFile
C:\Windows\System32\wwansvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WwanSvc\Parameters, ServiceDll Delete
C:\Windows\system32\AppReadiness.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppReadiness\Parameters, ServiceDll Delete
C:\Windows\system32\AppReadiness.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AppReadiness, EventMessageFile
C:\Windows\system32\BlbEvents.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Backup, EventMessageFile
C:\Windows\system32\FntCache.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\FontCache\Parameters, ServiceDll Delete
C:\Windows\system32\KMSVC.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Key Management Service, DisplayNameFile
C:\Windows\system32\ListSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HomeGroupListener\Parameters, ServiceDll Delete
C:\Windows\system32\MemoryDiagnostic.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Memory-Diagnostic-Task-Handler, EventMessageFile
C:\Windows\system32\Microsoft-Windows-System-Events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-AppModel-Runtime, EventMessageFile
C:\Windows\system32\Microsoft-Windows-System-Events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-AppModel-State, EventMessageFile
C:\Windows\system32\Microsoft-Windows-System-Events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SoftwareRestrictionPolicies, EventMessageFile
C:\Windows\system32\Microsoft-Windows-System-Events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-User-Loader, EventMessageFile
C:\Windows\system32\Microsoft-Windows-System-Events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Boot, EventMessageFile
C:\Windows\system32\Microsoft-Windows-System-Events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-General, EventMessageFile
C:\Windows\system32\SrEvents.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-System-Restore, EventMessageFile
C:\Windows\system32\WINSAT.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-WindowsSystemAssessmentTool, EventMessageFile
C:\Windows\system32\WUDFPlatform.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-DriverFrameworks-UserMode, EventMessageFile
C:\Windows\system32\appxdeploymentserver.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppXSvc\Parameters, ServiceDll Delete
C:\Windows\system32\bthserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\bthserv\Parameters, ServiceDll Delete
C:\Windows\system32\certprop.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SCPNP, EventMessageFile
C:\Windows\system32\cofiredm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-CorruptedFileRecovery-Client, EventMessageFile
C:\Windows\system32\cofiredm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-CorruptedFileRecovery-Server, EventMessageFile
C:\Windows\system32\cryptsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters, ServiceDll Delete
C:\Windows\system32\csrsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Subsys-SMSS, EventMessageFile
C:\Windows\system32\das.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DeviceAssociationService\Parameters, ServiceDll Delete
C:\Windows\system32\defragsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Defrag, EventMessageFile
C:\Windows\system32\dfdts.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-DiskDiagnostic, EventMessageFile
C:\Windows\system32\dps.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DPS\Parameters, ServiceDll Delete
C:\Windows\system32\drivers\HTTP.SYS Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-HttpEvent, EventMessageFile
C:\Windows\system32\drivers\NdisImPlatform.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-NdisImPlatformSysEvtProvider, EventMessageFile
C:\Windows\system32\drivers\SerCx.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Serial-ClassExtension, EventMessageFile
C:\Windows\system32\drivers\SerCx.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sercx, EventMessageFile
C:\Windows\system32\drivers\SerCx2.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Serial-ClassExtension-V2, EventMessageFile
C:\Windows\system32\drivers\SerCx2.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sercx2, EventMessageFile
C:\Windows\system32\drivers\SpbCx.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SPB-ClassExtension, EventMessageFile
C:\Windows\system32\drivers\SpbCx.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\spbcx, EventMessageFile
C:\Windows\system32\drivers\bridge.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-NetworkBridge, EventMessageFile
C:\Windows\system32\drivers\exfat.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-exFAT-SQM, EventMessageFile
C:\Windows\system32\drivers\fastfat.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Fat-SQM, EventMessageFile
C:\Windows\system32\drivers\fltmgr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-FilterManager, EventMessageFile
C:\Windows\system32\drivers\fvevol.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-BitLocker-Driver, EventMessageFile
C:\Windows\system32\drivers\hidi2c.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SPB-HIDI2C, EventMessageFile
C:\Windows\system32\drivers\msgpioclx.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-GPIO-ClassExtension, EventMessageFile
C:\Windows\system32\drivers\ndis.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-NDIS, EventMessageFile
C:\Windows\system32\drivers\ntfs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Ntfs, EventMessageFile
C:\Windows\system32\drivers\ntfs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Ntfs-SQM, EventMessageFile
C:\Windows\system32\drivers\ntfs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Ntfs-UBPM, EventMessageFile
C:\Windows\system32\drivers\ntfs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Ntfs, EventMessageFile
C:\Windows\system32\drivers\refs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ReFS, EventMessageFile
C:\Windows\system32\drivers\usbxhci.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-USB-USBXHCI, EventMessageFile
C:\Windows\system32\drivers\wof.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-OverlayFilter, EventMessageFile
C:\Windows\system32\dwm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Desktop Window Manager, EventMessageFile
C:\Windows\system32\eapsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-EapHost, EventMessageFile
C:\Windows\system32\efssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\EFS\Parameters, ServiceDll Delete
C:\Windows\system32\fdPHost.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\fdPHost\Parameters, ServiceDll Delete
C:\Windows\system32\fdphost.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-FunctionDiscoveryHost, EventMessageFile
C:\Windows\system32\fdrespub.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\FDResPub\Parameters, ServiceDll Delete
C:\Windows\system32\fdrespub.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-ResourcePublication, EventMessageFile
C:\Windows\system32\fhsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\fhsvc\Parameters, ServiceDll Delete
C:\Windows\system32\fthsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Fault-Tolerant-Heap, EventMessageFile
C:\Windows\system32\fveapi.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-BitLocker-API, EventMessageFile
C:\Windows\system32\gpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-GroupPolicy, EventMessageFile
C:\Windows\system32\hkcmd.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, HotKeysCmds Delete
C:\Windows\system32\igfxpers.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Persistence Delete
C:\Windows\system32\igfxtray.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, IgfxTray Delete
C:\Windows\system32\iphlpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Iphlpsvc, EventMessageFile
C:\Windows\system32\iscsiexe.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MSiSCSI\Parameters, ServiceDll Delete
C:\Windows\system32\kmsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\hkmsvc\Parameters, ServiceDll Delete
C:\Windows\system32\lpksetup.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-LanguagePackSetup, EventMessageFile
C:\Windows\system32\lsm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\LSM, EventMessageFile
C:\Windows\system32\lsm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TerminalServices-LocalSessionManager, EventMessageFile
C:\Windows\system32\microsoft-windows-hal-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-HAL, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-pnp-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-PnP, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Power, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-processor-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Interrupt-Steering, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-processor-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Processor-Power, EventMessageFile
C:\Windows\system32\mmcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MMCSS\Parameters, ServiceDll Delete
C:\Windows\system32\mmcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\THREADORDER\Parameters, ServiceDll Delete
C:\Windows\system32\mpssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters, ServiceDll Delete
C:\Windows\system32\mpssvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Firewall, EventMessageFile
C:\Windows\system32\msdtckrm.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\KtmRm\Parameters, ServiceDll Delete
C:\Windows\system32\nsisvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\nsi\Parameters, ServiceDll Delete
C:\Windows\system32\oobe\InstallEventRes.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-InstallUX, EventMessageFile
C:\Windows\system32\oobe\winsetup.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Setup, EventMessageFile
C:\Windows\system32\p2psvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\p2psvc\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpauto.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PNRPAutoReg\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\p2pimsvc\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PNRPsvc\Parameters, ServiceDll Delete
C:\Windows\system32\profsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters, ServiceDll Delete
C:\Windows\system32\qagentRT.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\napagent\Parameters, ServiceDll Delete
C:\Windows\system32\qmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Bits-Client, EventMessageFile
C:\Windows\system32\regsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters, ServiceDll Delete
C:\Windows\system32\reseteng.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-ResetEng, EventMessageFile
C:\Windows\system32\rpcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters, ServiceDll Delete
C:\Windows\system32\rpcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RpcSs\Parameters, ServiceDll Delete
C:\Windows\system32\schedsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Schedule\Parameters, ServiceDll Delete
C:\Windows\system32\schedsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TaskScheduler, EventMessageFile
C:\Windows\system32\seclogon.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\seclogon\Parameters, ServiceDll Delete
C:\Windows\system32\sensrsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SensrSvc\Parameters, ServiceDll Delete
C:\Windows\system32\services.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Service Control Manager, EventMessageFile
C:\Windows\system32\setupetw.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SetupPlatform, EventMessageFile
C:\Windows\system32\sppsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Software Protection Platform Service, EventMessageFile
C:\Windows\system32\sppsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Key Management Service\KmsRequests, EventMessageFile
C:\Windows\system32\srcore.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System Restore, EventMessageFile
C:\Windows\system32\srvsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, ServiceDll Delete
C:\Windows\system32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters, ServiceDll Delete
C:\Windows\system32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RasSstp, EventMessageFile
C:\Windows\system32\svsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\svsvc\Parameters, ServiceDll Delete
C:\Windows\system32\sysmain.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SysMain\Parameters, ServiceDll Delete
C:\Windows\system32\sysmain.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\rdyboost\Performance, Library Delete
C:\Windows\system32\termsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TerminalServices-RemoteConnectionManager, EventMessageFile
C:\Windows\system32\termsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService, EventMessageFile
C:\Windows\system32\themeservice.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Themes\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DeviceInstall\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PlugPlay\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-UserPnp, EventMessageFile
C:\Windows\system32\umpo.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Power\Parameters, ServiceDll Delete
C:\Windows\system32\umpo.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-UserModePowerService, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmicguestinterface, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmicheartbeat, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmickvpexchange, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmicrdv, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmicshutdown, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmictimesync, EventMessageFile
C:\Windows\system32\vmicres.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\vmicvss, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\Parameters, ServiceDll Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Time-Service, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\W32Time, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient, DllName Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer, DllName Delete
C:\Windows\system32\wbem\WMIsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters, ServiceDll Delete
C:\Windows\system32\wbem\WinMgmtR.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-WMI, EventMessageFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Wecsvc\Parameters, ServiceDll Delete
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-EventCollector, EventMessageFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\HardwareEvents, DisplayNameFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-EventCollector, EventMessageFile
C:\Windows\system32\wephostsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WEPHOSTSVC\Parameters, ServiceDll Delete
C:\Windows\system32\whealogr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WHEA-Logger, EventMessageFile
C:\Windows\system32\wininit.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Wininit, EventMessageFile
C:\Windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Winlogon, EventMessageFile
C:\Windows\system32\winsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Winsrv, EventMessageFile
C:\Windows\system32\winsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Application Popup, EventMessageFile
C:\Windows\system32\wlansvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WLAN-AutoConfig, EventMessageFile
C:\Windows\system32\wlidsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wlidsvc\Parameters, ServiceDll Delete
C:\Windows\system32\workfolderssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\workfolderssvc\Parameters, ServiceDll Delete
C:\Windows\system32\wpdbusenum.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WPDBusEnum\Parameters, ServiceDll Delete
C:\Windows\system32\wsepno.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service Profile Notification, EventMessageFile
C:\Windows\system32\wuaueng.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wuauserv\Parameters, ServiceDll Delete
C:\Windows\system32\wuaueng.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WindowsUpdateClient, EventMessageFile
WorkFoldersGPExt.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4d968b55-cac2-4ff5-983f-0a54603781a3}, DLLName Delete
auditcse.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{16be69fa-4209-4250-88cb-716cf41954e0}, DLLName Delete
auditcse.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
c:\c4bb7a50324e5d463ce756cc54\DW\DW20.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
igfxdev.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName Delete
pwlauncher.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BA649533-0AAC-4E04-B9BC-4DBAE0325B12}, DLLName Delete
pwlauncher.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C34B2751-1CF4-44F5-9262-C3FC39666591}, DLLName Delete
Autoruns items found - 820, recognized as trusted - 471

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll Script: Quarantine, Delete, Delete via BC	BHO	IE Webrep plugin	Copyright (c) 2014 AVAST Software	{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} Delete
c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll Script: Quarantine, Delete, Delete via BC	BHO	SiteAdvisor	Copyright © 2014 McAfee, Inc.	{B164E929-A1B6-4A06-B104-2CD0E90A88FF} Delete
c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll Script: Quarantine, Delete, Delete via BC	Toolbar	SiteAdvisor	Copyright © 2014 McAfee, Inc.	{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} Delete
	Extension module			{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} Delete
	Extension module			{2670000A-7350-4f3c-8081-5663EE0C6C49} Delete
	Extension module			{92780B25-18CC-41C8-B9BE-3C9C571A8263} Delete
Items found - 8, recognized as trusted - 2

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	Contacts folder			{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} Delete
	WebCheck			{E6FB5E20-DE35-11CF-9C87-00AA005127ED} Delete
	WLMD Message Handler			{0563DB41-F538-4B37-A92D-4659049B7766} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe Script: Quarantine, Delete, Delete via BC		Photo Gallery Acquisition Wizard	© 2012 Microsoft Corporation. All rights reserved.	{06A2568A-CED6-4187-BB20-400B8C02BE5A} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC		Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{00F33137-EE26-412F-8D71-F84E4C2C6625} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Autoplay Drop Target	Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Viewer Drop Target	Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Editor Drop Target	Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{00F374B7-B390-4884-B372-2FC349F2172B} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Viewer Drop Target Shim	Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Editor Drop Target Shim	Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\PhotoViewerShim.dll Script: Quarantine, Delete, Delete via BC	Windows Live Photo Gallery Autoplay Drop Target Shim	Photo Gallery	© 2012 Microsoft Corporation. All rights reserved.	{00F30F90-3E96-453B-AFCD-D71989ECC2C7} Delete
C:\Program Files\AVAST Software\Avast\ashShell.dll Script: Quarantine, Delete, Delete via BC	avast	avast! Shell Extension	Copyright (c) 2014 AVAST Software	{472083B0-C522-11CF-8763-00608CC02F24} Delete
Items found - 46, recognized as trusted - 34

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
CNCALAN.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Canon BJ FAX Language Monitor MX880 series
CNMLMAN.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Canon BJ Language Monitor MX880 series
localspl.dll Script: Quarantine, Delete, Delete via BC	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Microsoft Shared Fax Monitor
tcpmon.dll Script: Quarantine, Delete, Delete via BC	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, Delete via BC	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, Delete via BC	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, Delete via BC	Provider	HTTP Print Services
win32spl.dll Script: Quarantine, Delete, Delete via BC	Provider	LanMan Print Services
Items found - 9, recognized as trusted - 0

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer	Path	Command line
C:\Program Files (x86)\Acer\Acer Portal\AcerPortal.exe Script: Quarantine, Delete, Delete via BC	AcerCloud Script: Delete		Acer Portal	Copyright (C) 2014	C:\Windows\system32\Tasks\	C:\Program Files (x86)\Acer\Acer Portal\AcerPortal.exe task
C:\Program Files (x86)\Acer\Live Updater\updater.exe Script: Quarantine, Delete, Delete via BC	ALU Script: Delete		Live Updater	(C) All rights reserved	C:\Windows\system32\Tasks\	C:\Program Files (x86)\Acer\Live Updater\updater.exe -auto
C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe Script: Quarantine, Delete, Delete via BC	avast! Emergency Update Script: Delete		avast! Emergency Update	Copyright (c) 2014 AVAST Software	C:\Windows\system32\Tasks\	C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
C:\Program Files\Acer\Acer Launch Manager\LMLauncher.exe Script: Quarantine, Delete, Delete via BC	Launch Manager Script: Delete		LMLauncher	(C) ALL rights reserved	C:\Windows\system32\Tasks\	"C:\Program Files\Acer\Acer Launch Manager\LMLauncher.exe"
aitagent /increment Script: Quarantine, Delete, Delete via BC	AitAgent Script: Delete				C:\Windows\system32\Tasks\Microsoft\Windows\Application Experience\	aitagent /increment
C:\Windows\system32\MRT.exe Script: Quarantine, Delete, Delete via BC	MRT_HB Script: Delete		Microsoft Windows Malicious Software Removal Tool	© Microsoft Corporation. All rights reserved.	C:\Windows\system32\Tasks\Microsoft\Windows\RemovalTools\	C:\Windows\system32\MRT.exe /EHB /Q
C:\Users\Franny\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe Script: Quarantine, Delete, Delete via BC	Microsoft OneDrive Auto Update Task-S-1-5-21-786374595-2290240692-171548042-1001 Script: Delete		Microsoft OneDrive	© Microsoft Corporation. All rights reserved.	C:\Windows\system32\Tasks\	%localappdata%\Microsoft\SkyDrive\SkyDrive.exe
C:\Program Files (x86)\Norton Online Backup ARA\Engine\4.5.0.9\Ara.exe Script: Quarantine, Delete, Delete via BC	Norton Online Backup ARA Script: Delete		Norton Online Backup	Copyright (c) 2013 Symantec Corporation. All rights reserved.	C:\Windows\system32\Tasks\	C:\Program Files (x86)\Norton Online Backup ARA\Engine\4.5.0.9\\Ara.exe /launch_code 1
C:\Program Files\Acer\Acer Power Management\ePowerTray.exe Script: Quarantine, Delete, Delete via BC	Power Management Script: Delete		ePowerTray	(C) All rights reserved	C:\Windows\system32\Tasks\	"C:\Program Files\Acer\Acer Power Management\ePowerTray.exe"
C:\Program Files\Acer\Acer Quick Access\QALauncher.exe Script: Quarantine, Delete, Delete via BC	Quick Access Script: Delete		QALauncher	(C) ALL rights reserved	C:\Windows\system32\Tasks\	"C:\Program Files\Acer\Acer Quick Access\QALauncher.exe"
C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe Script: Quarantine, Delete, Delete via BC	Notification Script: Delete		Notification	Copyright © 2013	C:\Windows\system32\Tasks\Recovery Management\	C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe
Items found - 73, recognized as trusted - 62

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 8, recognized as trusted - 8

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 11, recognized as trusted - 11
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
80 LISTENING 0.0.0.0 0 [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
139 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
443 LISTENING 0.0.0.0 0 [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 ESTABLISHED 127.0.0.1 49156 [1592] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 ESTABLISHED 127.0.0.1 49157 [1592] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 LISTENING 0.0.0.0 0 [1592] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5357 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
6404 LISTENING 0.0.0.0 0 [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
6543 LISTENING 0.0.0.0 0 [4796] BtvStack.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12025 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12110 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12119 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12143 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12465 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12563 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12993 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
12995 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 ESTABLISHED 127.0.0.1 49631 [1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 LISTENING 0.0.0.0 0 [1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27275 LISTENING 0.0.0.0 0 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49152 LISTENING 0.0.0.0 0 [708] wininit.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49155 LISTENING 0.0.0.0 0 [1320] spoolsv.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49156 ESTABLISHED 127.0.0.1 5354 [1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49157 ESTABLISHED 127.0.0.1 5354 [1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49158 LISTENING 0.0.0.0 0 [772] lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49164 ESTABLISHED 77.234.44.62 80 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49169 LISTENING 0.0.0.0 0 [764] services.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49617 ESTABLISHED 213.199.179.165 40024 [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49618 ESTABLISHED 157.56.126.126 443 [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49619 ESTABLISHED 157.56.53.42 12350 [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49631 ESTABLISHED 127.0.0.1 27015 [812] c:\program files (x86)\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49649 ESTABLISHED 77.234.42.61 80 [1180] c:\program files\avast software\avast\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49678 ESTABLISHED 74.125.206.108 993 [4528] livecomm.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49890 TIME_WAIT 134.170.189.4 443 [0]
49894 TIME_WAIT 54.76.226.82 443 [0]
UDP ports
137 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
443 LISTENING -- -- [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1996] dasHost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
3702 LISTENING -- -- [1996] dasHost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5353 LISTENING -- -- [1592] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
6404 LISTENING -- -- [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate
54776 LISTENING -- -- [812] c:\program files (x86)\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
54777 LISTENING -- -- [812] c:\program files (x86)\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
60528 LISTENING -- -- [1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
60529 LISTENING -- -- [1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
60530 LISTENING -- -- [1592] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
60552 LISTENING -- -- [1996] dasHost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
61777 LISTENING -- -- [2140] c:\program files (x86)\skype\phone\skype.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
C:\Windows\system32\FlashPlayerCPLApp.cpl
Script: Quarantine, Delete, Delete via BC Adobe Flash Player Control Panel Applet Copyright © 1996-2015 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Items found - 17, recognized as trusted - 16

Active Setup

File name Description Manufacturer CLSID
Items found - 4, recognized as trusted - 4

HOSTS file

Hosts file record
яю1
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
Script: Quarantine, Delete, Delete via BC Handler SiteAdvisor () Copyright © 2014 McAfee, Inc. {5513F07E-936B-4E52-9B00-067394E91CC5}
Delete
C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll
Script: Quarantine, Delete, Delete via BC Handler Windows Live Messenger Protocol Handler Module () © Microsoft Corporation. All rights reserved. {828030A1-22C1-4009-854F-8E305202313F}
Delete
C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll
Script: Quarantine, Delete, Delete via BC Handler Windows Live Messenger Protocol Handler Module () © Microsoft Corporation. All rights reserved. {828030A1-22C1-4009-854F-8E305202313F}
Delete
c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
Script: Quarantine, Delete, Delete via BC Handler SiteAdvisor () Copyright © 2014 McAfee, Inc. {5513F07E-936B-4E52-9B00-067394E91CC5}
Delete
C:\Program Files (x86)\Windows Live\Mail\mailcomm.dll
Script: Quarantine, Delete, Delete via BC Handler Windows Live Mail (Windows Live Mail Asynchronous Pluggable Protocol Handler) © Microsoft Corporation. All rights reserved. {03C514A3-1EFB-4856-9F99-10D7BE1653C0}
Delete
C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Script: Quarantine, Delete, Delete via BC Handler Photo Gallery Album Download Protocol Handler (wlpg: pluggable protocol) © 2012 Microsoft Corporation. All rights reserved. {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324}
Delete
Items found - 22, recognized as trusted - 16

Shared resources

Network name Path Notes
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
IPC$ Remote IPC

Suspicious objects

File Description Type
c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll
Script: Quarantine, Delete, Delete via BC Suspicion for Keylogger Suspicion for Keylogger or Trojan DLL

Attention !!! Database was last updated 23/02/2014 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 07.02.2015 17:42:07
Database loaded: signatures - 297613, NN profile(s) - 2, malware removal microprograms - 56, signature database released 23.02.2014 17:04
Heuristic microprograms loaded: 405
PVS microprograms loaded: 9
Digital signatures of system files loaded: 649447
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.2.9200,  "Windows 8.1" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .rdata
Function kernel32.dll:ReadConsoleInputExA (1094) intercepted, method - ProcAddressHijack.GetProcAddress ->756D297A->7553D435
Hook kernel32.dll:ReadConsoleInputExA (1094) blocked
Function kernel32.dll:ReadConsoleInputExW (1095) intercepted, method - ProcAddressHijack.GetProcAddress ->756D29AD->7553D459
Hook kernel32.dll:ReadConsoleInputExW (1095) blocked
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateFile (268) intercepted, method - ProcAddressHijack.GetProcAddress ->777EAA40->7089B775
Hook ntdll.dll:NtCreateFile (268) blocked
Function ntdll.dll:NtSetInformationFile (549) intercepted, method - ProcAddressHijack.GetProcAddress ->777EA760->7089B6F1
Hook ntdll.dll:NtSetInformationFile (549) blocked
Function ntdll.dll:NtSetValueKey (580) intercepted, method - ProcAddressHijack.GetProcAddress ->777EAAF0->7089C69D
Hook ntdll.dll:NtSetValueKey (580) blocked
Function ntdll.dll:ZwCreateFile (1647) intercepted, method - ProcAddressHijack.GetProcAddress ->777EAA40->7089B775
Hook ntdll.dll:ZwCreateFile (1647) blocked
Function ntdll.dll:ZwSetInformationFile (1926) intercepted, method - ProcAddressHijack.GetProcAddress ->777EA760->7089B6F1
Hook ntdll.dll:ZwSetInformationFile (1926) blocked
Function ntdll.dll:ZwSetValueKey (1957) intercepted, method - ProcAddressHijack.GetProcAddress ->777EAAF0->7089C69D
Hook ntdll.dll:ZwSetValueKey (1957) blocked
 Analysis: user32.dll, export table found in section .text
Function user32.dll:CallNextHookEx (1531) intercepted, method - ProcAddressHijack.GetProcAddress ->76E3779D->7089B6DB
Hook user32.dll:CallNextHookEx (1531) blocked
Function user32.dll:SetWindowsHookExW (2303) intercepted, method - ProcAddressHijack.GetProcAddress ->76E45EFD->7089C801
Hook user32.dll:SetWindowsHookExW (2303) blocked
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:SystemFunction001 (1760) intercepted, method - ProcAddressHijack.GetProcAddress ->775E7F2D->751A4A91
Hook advapi32.dll:SystemFunction001 (1760) blocked
Function advapi32.dll:SystemFunction002 (1761) intercepted, method - ProcAddressHijack.GetProcAddress ->775E7F49->751A31B5
Hook advapi32.dll:SystemFunction002 (1761) blocked
Function advapi32.dll:SystemFunction003 (1762) intercepted, method - ProcAddressHijack.GetProcAddress ->775E7F65->751A3436
Hook advapi32.dll:SystemFunction003 (1762) blocked
Function advapi32.dll:SystemFunction004 (1763) intercepted, method - ProcAddressHijack.GetProcAddress ->775E7F81->751A4756
Hook advapi32.dll:SystemFunction004 (1763) blocked
Function advapi32.dll:SystemFunction005 (1764) intercepted, method - ProcAddressHijack.GetProcAddress ->775E7F9D->751A489F
Hook advapi32.dll:SystemFunction005 (1764) blocked
Function advapi32.dll:SystemFunction034 (1793) intercepted, method - ProcAddressHijack.GetProcAddress ->775E8261->751A32F4
Hook advapi32.dll:SystemFunction034 (1793) blocked
Function advapi32.dll:SystemFunction036 (1795) intercepted, method - ProcAddressHijack.GetProcAddress ->775E829A->751A11C0
Hook advapi32.dll:SystemFunction036 (1795) blocked
Function advapi32.dll:SystemFunction040 (1796) intercepted, method - ProcAddressHijack.GetProcAddress ->775E82B6->751A1256
Hook advapi32.dll:SystemFunction040 (1796) blocked
Function advapi32.dll:SystemFunction041 (1797) intercepted, method - ProcAddressHijack.GetProcAddress ->775E82D2->751A12AA
Hook advapi32.dll:SystemFunction041 (1797) blocked
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Error - file not found (C:\SystemRoot\system32\ntoskrnl.exe)
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Error loading driver - operation interrupted [C000036B]
2. Scanning RAM
 Number of processes found: 23
 Number of modules loaded: 375
Scanning RAM - complete
3. Scanning disks
Error scanning directory (C:\Program Files (x86)\Acer\Acer Media\, Privileged instruction, 11,Player
Direct reading: C:\Users\Franny\AppData\Local\Temp\~DF39281890329DC7D8.TMP
Direct reading: C:\Users\Franny\AppData\Local\Temp\~DFBC84725BB897AC89.TMP
Direct reading: C:\Users\Franny\AppData\Local\Temp\~DFCB5FD44FB2735B0B.TMP
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll --> Suspicion for Keylogger or Trojan DLL
c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll>>> Behaviour analysis 
  1. Reacts to events: keyboard, all events
c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll>>> Neural net: file is 0.00% like a typical keyboard/mouse events interceptor
File quarantined succesfully (c:\PROGRA~2\mcafee\SITEAD~1\saHook.dll)
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
>>> Suspicion for service/driver reg key masking "bsdriver"
>>> Suspicion for service/driver reg key masking "csrcc"
Information: IE proxy server found .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer="http=127.0.0.1:65056;https=127.0.0.1:65056"
Information: IE proxy server found S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer="http=127.0.0.1:65056;https=127.0.0.1:65056"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: block ActiveX, not marked as safe, in Internet Explorer
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
>>> Security: Internet Explorer allows running files and applications in IFRAME window without asking user
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  Internet Explorer - ActiveX, not marked as safe, are allowed
 >>  Internet Explorer - signed ActiveX elements are allowed without asking user
 >>  Internet Explorer - unsigned ActiveX elements are allowed
 >>  Internet Explorer - automatic queries of ActiveX operating elements are allowed
 >>  Internet Explorer - running programs and files in IFRAME window is allowed
 >>  Service termination timeout is out of admissible values
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 90768, extracted from archives: 45041, malicious software found 0, suspicions - 0
Scanning finished at 07.02.2015 17:59:13
Time of scanning: 00:17:08
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
Network diagnostics
 DNS & Ping
  Host "yandex.ru", IP="213.180.193.11,93.158.134.11,213.180.204.11", Ping=OK (0,90,213.180.193.11)
  Host "google.ru", IP="216.58.209.227", Ping=OK (0,24,216.58.209.227)
  Host "google.com", IP="216.58.209.238", Ping=OK (0,23,216.58.209.238)
  Host "www.kaspersky.com", IP="195.27.252.18", Ping=OK (0,85,195.27.252.18)
  Host "www.kaspersky.ru", IP="195.27.252.110", Ping=OK (0,103,195.27.252.110)
  Host "dnl-03.geo.kaspersky.com", IP="212.73.221.199", Ping=OK (0,32,212.73.221.199)
  Host "dnl-11.geo.kaspersky.com", IP="80.239.174.47", Ping=OK (0,32,80.239.174.47)
  Host "activation-v2.kaspersky.com", IP="195.27.252.50", Ping=Error (11010,0,0.0.0.0)
  Host "odnoklassniki.ru", IP="217.20.147.94", Ping=OK (0,73,217.20.147.94)
  Host "vk.com", IP="87.240.131.97,87.240.131.99,87.240.143.241", Ping=OK (0,78,87.240.131.97)
  Host "vkontakte.ru", IP="95.213.4.245,95.213.4.246,95.213.4.247", Ping=OK (0,79,95.213.4.245)
  Host "twitter.com", IP="199.59.148.82,199.16.156.230,199.16.156.102,199.59.150.39,199.59.148.10,199.59.150.7,199.59.149.198,199.16.156.198,199.59.149.230,199.16.156.6,199.16.156.70,199.16.156.38", Ping=OK (0,169,199.59.148.82)
  Host "facebook.com", IP="173.252.120.6", Ping=OK (0,121,173.252.120.6)
  Host "ru-ru.facebook.com", IP="31.13.90.2", Ping=OK (0,24,31.13.90.2)
 IE Setup
  AutoConfigURL=""
  AutoConfigProxy="wininet.dll"
  ProxyOverride=""
  ProxyServer=""
Network TCP/IP settings

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Remote Desktop Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: block ActiveX, not marked as safe, in Internet Explorer
Security: Internet Explorer allows ActiveX, not marked as safe, without asking user
Security: block unsigned ActiveX elements in Internet Explorer
Security: block automatic queries of ActiveX administrative elements in Internet Explorer
Security: block running files and applications in IFRAME window without asking user in Internet Explorer
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
80	LISTENING	0.0.0.0	0	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
139	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
443	LISTENING	0.0.0.0	0	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	ESTABLISHED	127.0.0.1	49156	[1592] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	ESTABLISHED	127.0.0.1	49157	[1592] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	LISTENING	0.0.0.0	0	[1592] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
5357	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
6404	LISTENING	0.0.0.0	0	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
6543	LISTENING	0.0.0.0	0	[4796] BtvStack.exe Script: Quarantine, Delete, Delete via BC, Terminate
12025	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12110	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12119	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12143	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12465	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12563	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12993	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
12995	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	ESTABLISHED	127.0.0.1	49631	[1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	LISTENING	0.0.0.0	0	[1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
27275	LISTENING	0.0.0.0	0	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
49152	LISTENING	0.0.0.0	0	[708] wininit.exe Script: Quarantine, Delete, Delete via BC, Terminate
49155	LISTENING	0.0.0.0	0	[1320] spoolsv.exe Script: Quarantine, Delete, Delete via BC, Terminate
49156	ESTABLISHED	127.0.0.1	5354	[1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
49157	ESTABLISHED	127.0.0.1	5354	[1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
49158	LISTENING	0.0.0.0	0	[772] lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
49164	ESTABLISHED	77.234.44.62	80	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
49169	LISTENING	0.0.0.0	0	[764] services.exe Script: Quarantine, Delete, Delete via BC, Terminate
49617	ESTABLISHED	213.199.179.165	40024	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
49618	ESTABLISHED	157.56.126.126	443	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
49619	ESTABLISHED	157.56.53.42	12350	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
49631	ESTABLISHED	127.0.0.1	27015	[812] c:\program files (x86)\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
49649	ESTABLISHED	77.234.42.61	80	[1180] c:\program files\avast software\avast\avastsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate
49678	ESTABLISHED	74.125.206.108	993	[4528] livecomm.exe Script: Quarantine, Delete, Delete via BC, Terminate
49890	TIME_WAIT	134.170.189.4	443	[0]
49894	TIME_WAIT	54.76.226.82	443	[0]
UDP ports
137	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
443	LISTENING	--	--	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1996] dasHost.exe Script: Quarantine, Delete, Delete via BC, Terminate
3702	LISTENING	--	--	[1996] dasHost.exe Script: Quarantine, Delete, Delete via BC, Terminate
5353	LISTENING	--	--	[1592] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
6404	LISTENING	--	--	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate
54776	LISTENING	--	--	[812] c:\program files (x86)\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
54777	LISTENING	--	--	[812] c:\program files (x86)\itunes\ituneshelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
60528	LISTENING	--	--	[1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
60529	LISTENING	--	--	[1524] c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe Script: Quarantine, Delete, Delete via BC, Terminate
60530	LISTENING	--	--	[1592] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
60552	LISTENING	--	--	[1996] dasHost.exe Script: Quarantine, Delete, Delete via BC, Terminate
61777	LISTENING	--	--	[2140] c:\program files (x86)\skype\phone\skype.exe Script: Quarantine, Delete, Delete via BC, Terminate

Network name	Path	Notes
ADMIN$	C:\Windows	Remote Admin
C$	C:\	Default share
IPC$		Remote IPC