Results of system analysis

Process List

File name	PID	Description	Copyright	MD5	Information
c:\program files (x86)\common files\aol\1356726954\ee\aolsoftware.exe Script: Quarantine, Delete, Delete via BC, Terminate	3100	AOL	Copyright (c) 2010 AOL Inc.	3F654601A593A96BC4A47035B0829E69	40.82 kb, rsAh, created: 08.03.2010 03:27:49, modified: 08.03.2010 03:27:49 Command line: "C:\Program Files (x86)\Common Files\AOL\1356726954\ee\aolsoftware.exe"
c:\program files (x86)\intel\intel(r) rapid storage technology\iastordatamgrsvc.exe Script: Quarantine, Delete, Delete via BC, Terminate	4240	IAStorDataSvc	Copyright © Intel Corporation 2009-2012	0AB254994A460550258446950BB58311	14.55 kb, rsAh, created: 28.12.2012 10:59:01, modified: 01.09.2012 19:07:22 Command line: "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe"
C:\Program Files\iPod\bin\iPodService.exe Script: Quarantine, Delete, Delete via BC, Terminate	2976	iPodService Module (64-bit)	© 2003-2015 Apple Inc. All rights reserved.	E61BB95A7CB49696D25A0C4EBD108156	628.79 kb, rsAh, created: 07.04.2015 00:28:50, modified: 07.04.2015 00:28:50 Command line:
C:\Program Files (x86)\TrayClient\TrayClient.exe Script: Quarantine, Delete, Delete via BC, Terminate	2532	TrayClient	TrayClient© 2014	8C7498426652EAEED735E8DD3850B135	697.50 kb, rsAh, created: 18.04.2015 10:56:53, modified: 01.04.2015 16:49:14 Command line:
Detected:58, recognized as trusted 56

Module name	Handle	Description	Copyright	MD5	Used by processes
C:\Program Files (x86)\Common Files\AOL\1356726954\ee\AOLSvcMgr.dll Script: Quarantine, Delete, Delete via BC	1811939328	AOLSvcMgr	Copyright (c) 2010 AOL Inc.	C75EB64B73839EFB8B9D8F80B4E971F1	3100
c:\program files (x86)\common files\aol\1356726954\ee\services\aolsystrayservice\ver4_1_2_1\AOLSysTrayService.dll Script: Quarantine, Delete, Delete via BC	1742995456	aolsystrayservice EE Service	Copyright (c) 2007 AOL LLC	D93F2485714AA6550421FE7A1050B2D1	3100
c:\program files (x86)\common files\aol\1356726954\ee\services\metrics\ver4_1_11_1\cmls.dll Script: Quarantine, Delete, Delete via BC	1729495040	Client Metrics Service	Copyright (c) 2007 AOL LLC	6548C67BC96A25D7D005B93615A90338	3100
C:\Program Files (x86)\Common Files\AOL\1356726954\ee\xprt6.dll Script: Quarantine, Delete, Delete via BC	1073741824	XPRT Runtime Library	Copyright (C) 1998-2009 AOL LLC	A5DFFC8F69EFB4521B766278F7402B14	3100
C:\Program Files (x86)\Common Files\AOL\AOLDiag\tbdiag.dll Script: Quarantine, Delete, Delete via BC	1811546112	AOL Diagnostics	Copyright © 1998-2009 - SupportSoft Software, Inc. All Rights Reserved.	E01945331345F678AFAE3ECD5369D61A	3100
C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorCommon\3159f28b684d4aab132426e792f47bf2\IAStorCommon.ni.dll Script: Quarantine, Delete, Delete via BC	1696530432	IAStorCommon	Copyright © Intel Corp. 2009-2012	63F86405C060EAB173DA033684E3C54B	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorDataMcfeeca6f#\5914d7d7770f0aa3ca5b1a929b41520e\IAStorDataMgrSvcInterfaces.ni.dll Script: Quarantine, Delete, Delete via BC	1777139712	IAStorDataMgrSvcInterfaces	Copyright © Microsoft 2011-2012	31C17E1485389465C69EBDE427538969	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorDataMgr\ef272c54056c998d1cf9785d7eb220b4\IAStorDataMgr.ni.dll Script: Quarantine, Delete, Delete via BC	1789329408	IAStorService	Copyright © Intel Corporation 2009-2012	7B161A21DF57346F810996678B1D0D99	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorDataMgrSvc\7ae22280145fc12e3ab7f017327c4649\IAStorDataMgrSvc.ni.exe Script: Quarantine, Delete, Delete via BC	1791361024	IAStorDataSvc	Copyright © Intel Corporation 2009-2012	13EF7C64C5A93036B5B8F6AF2E83EBAF	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorUtil\70e79b2441af944a08fffa89b7f67c5c\IAStorUtil.ni.dll Script: Quarantine, Delete, Delete via BC	1789853696	IAStorUtil	Copyright © Intel Corporation 2009-2012	07CC55A14449B16DE3CAA768D4163CA9	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\IAStorViewModel\7059a81f10acf1d0fcbd6dc1197a4ce1\IAStorViewModel.ni.dll Script: Quarantine, Delete, Delete via BC	1777270784	IAStorViewModel	Copyright © Intel Corporation 2009-2012	05FFE7D4B20DCBA9F90C74CE8ECC63F3	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\PSI\031e25fc23731d21c859322f90f16d27\PSI.ni.dll Script: Quarantine, Delete, Delete via BC	1773404160	PSI	Copyright © Intel Corporation 2003-2012	BACDDE52C82DA170EBC5842AF78257C6	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\PSIClient\bc9bcf53b97e0180a22783ef8b2567c2\PSIClient.ni.dll Script: Quarantine, Delete, Delete via BC	1746665472	PSIClient	Copyright © 2011-2012	B6269F791502846069CC63BBE5C8AD6D	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\PsiData\1c9677956f6291eb3728e64913b5b1e3\PsiData.ni.dll Script: Quarantine, Delete, Delete via BC	1731133440	Intel Private Storage Interface Interop	Copyright(C) Intel Corporation 2003-2012	4A26CEF228DFDE567E65BCE92EC8A11F	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\20aaf6bbc4e93d10d6a2ce3c0193b859\System.Data.ni.dll Script: Quarantine, Delete, Delete via BC	1739259904	.NET Framework	© Microsoft Corporation. All rights reserved.	FB02D9648BE0FD3163A9BEE631DF1F8A	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\1606b3f0bd6fce8558d837f1cdd72afe\System.IdentityModel.ni.dll Script: Quarantine, Delete, Delete via BC	1689518080	System.IdentityModel.dll	© Microsoft Corporation. All rights reserved.	C8BD08D90756F38CB2729744D5586D92	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\30a9780936ee574c2af9e7741b6ac618\System.ServiceModel.Web.ni.dll Script: Quarantine, Delete, Delete via BC	1692532736	System.ServiceModel.Web.dll	© Microsoft Corporation. All rights reserved.	E28371E32764C9F1E7E73C5E517EC49B	4240
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\64332cd6b4758f531823348eaa12ce22\System.ServiceModel.ni.dll Script: Quarantine, Delete, Delete via BC	1746731008	System.ServiceModel.dll	© Microsoft Corporation. All rights reserved.	4011BEBEA6D3C39AF898B7F4217BFF8B	4240
Modules found:246, recognized as trusted 228

Kernel Space Modules Viewer

Module	Base address	Size in memory	Description	Manufacturer
C:\Windows\System32\Drivers\dump_diskdump.sys Script: Quarantine, Delete, Delete via BC	8588000	00A000 (40960)
C:\Windows\System32\Drivers\dump_dumpfve.sys Script: Quarantine, Delete, Delete via BC	8592000	013000 (77824)
C:\Windows\System32\Drivers\dump_iaStorA.sys Script: Quarantine, Delete, Delete via BC	4277000	2CB000 (2928640)
Modules found - 211, recognized as trusted - 208

Services

Service	Description	Status	File	Group	Dependencies
iPod Service Service: Stop, Delete, Disable, Delete via BC	iPod Service	Running	C:\Program Files\iPod\bin\iPodService.exe Script: Quarantine, Delete, Delete via BC		RpcSs
AOL ACS Service: Stop, Delete, Disable, Delete via BC	AOL Connectivity Service	Not started	C:\Program Files (x86)\Common Files\AOL\ACS\AOLAcsd.exe Script: Quarantine, Delete, Delete via BC
MozillaMaintenance Service: Stop, Delete, Disable, Delete via BC	Mozilla Maintenance Service	Not started	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Script: Quarantine, Delete, Delete via BC
Detected - 173, recognized as trusted - 170

Drivers

Service	Description	Status	File	Group	Dependencies
catchme Driver: Unload, Delete, Disable, Delete via BC	catchme	Not started	C:\ComboFix\catchme.sys Script: Quarantine, Delete, Delete via BC	Base
USBAAPL64 Driver: Unload, Delete, Disable, Delete via BC	Apple Mobile USB Driver	Not started	C:\Windows\System32\Drivers\usbaapl64.sys Script: Quarantine, Delete, Delete via BC	Base
Detected - 263, recognized as trusted - 261

Autoruns

File name	Status	Startup method	Description
C:\Program Files (x86)\AOL Desktop 9.7\AOL.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Fast Start, command Delete
C:\Program Files (x86)\AOL Desktop 9.7a\aol.exe Script: Quarantine, Delete, Delete via BC	Active	Shortcut in Startup folder	C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\, C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AOL Desktop 9.7.lnk,
C:\Program Files (x86)\Canon\Quick Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CanonQuickMenu, command Delete
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, APSDaemon Delete
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\APSDaemon, command Delete
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\IPSEventLogMsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Handwriting Recognition, EventMessageFile
C:\Program Files (x86)\DVD Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Dvd Maker, EventMessageFile
C:\Program Files (x86)\TrayClient\TrayClient.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, TrayClient Delete
C:\Program Files (x86)\Windows Defender\MpEvMsg.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WinDefend, EventMessageFile
C:\Program Files (x86)\iTunes\iTunesHelper.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper, command Delete
C:\Program Files\TOSHIBA\Utilities\HWSetup.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HWSetup, command Delete
C:\Windows\System32\Audiosrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder\Parameters, ServiceDll Delete
C:\Windows\System32\Audiosrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AudioSrv\Parameters, ServiceDll Delete
C:\Windows\System32\AxInstSV.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AxInstSV\Parameters, ServiceDll Delete
C:\Windows\System32\AxInstSv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-AxInstallService, EventMessageFile
C:\Windows\System32\DFDTS.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Windows Disk Diagnostic, EventMessageFile
C:\Windows\System32\DispCI.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Display, EventMessageFile
C:\Windows\System32\Drivers\Netwsw00.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\NETwNs64, EventMessageFile
C:\Windows\System32\Drivers\Pcmcia.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\pcmcia, EventMessageFile
C:\Windows\System32\Drivers\VolSnap.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Volsnap, EventMessageFile
C:\Windows\System32\Drivers\acpi.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ACPI, EventMessageFile
C:\Windows\System32\Drivers\hidbth.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\HidBth, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Spell-Checking, EventMessageFile
C:\Windows\System32\MsSpellCheckingFacility.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SpellChecker, EventMessageFile
C:\Windows\System32\RdpGroupPolicyExtension.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6cfb9c5c-138e-4bb3-8a3d-d5383e910e57}, DLLName Delete
C:\Windows\System32\RpcEpMap.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RpcEptMapper\Parameters, ServiceDll Delete
C:\Windows\System32\SCardSvr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SCardSvr\Parameters, ServiceDll Delete
C:\Windows\System32\SDRSVC.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SDRSVC\Parameters, ServiceDll Delete
C:\Windows\System32\TabSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TabletInputService\Parameters, ServiceDll Delete
C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}, DLLName Delete
C:\Windows\System32\UI0Detect.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Interactive Services detection, EventMessageFile
C:\Windows\System32\VSSVC.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSS, EventMessageFile
C:\Windows\System32\VSSVC.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Security\VSSAudit, EventMessageFile
C:\Windows\System32\WUDFHost.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WUDF\Services\{193a1820-d9ac-4997-8c55-be817523f6aa}, HostProcessImagePath Delete
C:\Windows\System32\WUDFSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wudfsvc\Parameters, ServiceDll Delete
C:\Windows\System32\WerSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WerSvc\Parameters, ServiceDll Delete
C:\Windows\System32\aelupsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AeLookupSvc\Parameters, ServiceDll Delete
C:\Windows\System32\aelupsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AeLookupSvc, EventMessageFile
C:\Windows\System32\appidsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppIDSvc\Parameters, ServiceDll Delete
C:\Windows\System32\appinfo.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Appinfo\Parameters, ServiceDll Delete
C:\Windows\System32\appmgmts.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll Delete
C:\Windows\System32\bdesvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BDESVC\Parameters, ServiceDll Delete
C:\Windows\System32\bfe.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BFE\Parameters, ServiceDll Delete
C:\Windows\System32\browser.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Browser\Parameters, ServiceDll Delete
C:\Windows\System32\certprop.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\CertPropSvc\Parameters, ServiceDll Delete
C:\Windows\System32\certprop.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SCPolicySvc\Parameters, ServiceDll Delete
C:\Windows\System32\defragsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\defragsvc\Parameters, ServiceDll Delete
C:\Windows\System32\dnsrslvr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, ServiceDll Delete
C:\Windows\System32\dot3svc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\dot3svc\Parameters, ServiceDll Delete
C:\Windows\System32\drivers\E1G6032E.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\E1G60, EventMessageFile
C:\Windows\System32\drivers\HECIx64.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MEIx64, EventMessageFile
C:\Windows\System32\drivers\MTConfig.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MTConfig, EventMessageFile
C:\Windows\System32\drivers\Rt64win7.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RTL8167, EventMessageFile
C:\Windows\System32\drivers\SynTP.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SynTP, EventMessageFile
C:\Windows\System32\drivers\Wdf01000.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\wdf01000, EventMessageFile
C:\Windows\System32\drivers\amdk8.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AmdK8, EventMessageFile
C:\Windows\System32\drivers\amdppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\AmdPPM, EventMessageFile
C:\Windows\System32\drivers\b57nd60a.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\b57nd60a, EventMessageFile
C:\Windows\System32\drivers\bxvbda.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\b06bdrv, EventMessageFile
C:\Windows\System32\drivers\evbda.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ebdrv, EventMessageFile
C:\Windows\System32\drivers\fltmgr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\FltMgr, EventMessageFile
C:\Windows\System32\drivers\i8042prt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\i8042prt, EventMessageFile
C:\Windows\System32\drivers\iaStorA.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iaStorA, EventMessageFile
C:\Windows\System32\drivers\iaStorV.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iaStorV, EventMessageFile
C:\Windows\System32\drivers\intelppm.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelppm, EventMessageFile
C:\Windows\System32\drivers\ipmidrv.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPMIDRV, EventMessageFile
C:\Windows\System32\drivers\isapnp.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\isapnp, EventMessageFile
C:\Windows\System32\drivers\kbdclass.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\kbdclass, EventMessageFile
C:\Windows\System32\drivers\kbdhid.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\kbdhid, EventMessageFile
C:\Windows\System32\drivers\mouclass.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mouclass, EventMessageFile
C:\Windows\System32\drivers\mouhid.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mouhid, EventMessageFile
C:\Windows\System32\drivers\mpio.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\mpio, EventMessageFile
C:\Windows\System32\drivers\nvstor.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\nvstor, EventMessageFile
C:\Windows\System32\drivers\parport.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Parport, EventMessageFile
C:\Windows\System32\drivers\processr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Processor, EventMessageFile
C:\Windows\System32\drivers\sbp2port.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sbp2port, EventMessageFile
C:\Windows\System32\drivers\serial.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Serial, EventMessageFile
C:\Windows\System32\drivers\sermouse.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\sermouse, EventMessageFile
C:\Windows\System32\drivers\tsusbflt.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TsUsbFlt, EventMessageFile
C:\Windows\System32\drivers\vgapnp.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vga, EventMessageFile
C:\Windows\System32\drivers\wacompen.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\WacomPen, EventMessageFile
C:\Windows\System32\drivers\wd.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Wd, EventMessageFile
C:\Windows\System32\eapsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\EapHost\Parameters, ServiceDll Delete
C:\Windows\System32\gpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\gpsvc\Parameters, ServiceDll Delete
C:\Windows\System32\ikeext.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters, ServiceDll Delete
C:\Windows\System32\iphlpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters, ServiceDll Delete
C:\Windows\System32\ipnathlp.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters, ServiceDll Delete
C:\Windows\System32\ipsecsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PolicyAgent\Parameters, ServiceDll Delete
C:\Windows\System32\iscsiexe.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\MSiSCSI, EventMessageFile
C:\Windows\System32\iscsilog.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iScsiPrt, EventMessageFile
C:\Windows\System32\lltdsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lltdsvc\Parameters, ServiceDll Delete
C:\Windows\System32\lmhsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\lmhosts\Parameters, ServiceDll Delete
C:\Windows\System32\lsasrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\LsaSrv, EventMessageFile
C:\Windows\System32\lsasrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel, EventMessageFile
C:\Windows\System32\mdsched.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-MemoryDiagnostics-Schedule, EventMessageFile
C:\Windows\System32\netman.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Netman\Parameters, ServiceDll Delete
C:\Windows\System32\nlasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\pcasvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PcaSvc\Parameters, ServiceDll Delete
C:\Windows\System32\profsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-User Profiles Service, EventMessageFile
C:\Windows\System32\profsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Profsvc, EventMessageFile
C:\Windows\System32\rasauto.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RasAuto\Parameters, ServiceDll Delete
C:\Windows\System32\rasmans.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RasMan\Parameters, ServiceDll Delete
C:\Windows\System32\relpost.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-MemoryDiagnostics-Results, EventMessageFile
C:\Windows\System32\samsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Directory-Services-SAM, EventMessageFile
C:\Windows\System32\samsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SAM, EventMessageFile
C:\Windows\System32\snmptrap.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\SNMPTRAP, EventMessageFile
C:\Windows\System32\srvsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, ServiceDll Delete
C:\Windows\System32\ssdpsrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters, ServiceDll Delete
C:\Windows\System32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-RasSstp, EventMessageFile
C:\Windows\System32\swprv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\swprv\Parameters, ServiceDll Delete
C:\Windows\System32\tbssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TBS\Parameters, ServiceDll Delete
C:\Windows\System32\tcpmon.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TCPMon, EventMessageFile
C:\Windows\System32\termsrv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TermService\Parameters, ServiceDll Delete
C:\Windows\System32\trkwks.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\TrkWks\Parameters, ServiceDll Delete
C:\Windows\System32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PlugPlayManager, EventMessageFile
C:\Windows\System32\umpo.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Power, EventMessageFile
C:\Windows\System32\uxsms.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\UxSms\Parameters, ServiceDll Delete
C:\Windows\System32\vds.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Virtual Disk Service, EventMessageFile
C:\Windows\System32\wbiosrvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WbioSrvc\Parameters, ServiceDll Delete
C:\Windows\System32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\wecsvc, EventMessageFile
C:\Windows\System32\wercplsupport.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters, ServiceDll Delete
C:\Windows\System32\wersvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Application Hang, EventMessageFile
C:\Windows\System32\wersvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WerSvc, EventMessageFile
C:\Windows\System32\wevtsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Security\Microsoft-Windows-Eventlog, EventMessageFile
C:\Windows\System32\wevtsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Eventlog, EventMessageFile
C:\Windows\System32\wiaservc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\stisvc\Parameters, ServiceDll Delete
C:\Windows\System32\wiaservc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\StillImage, EventMessageFile
C:\Windows\System32\win32k.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Kmode
C:\Windows\System32\win32k.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Win32k, EventMessageFile
C:\Windows\System32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon, EventMessageFile
C:\Windows\System32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Wlclntfy, EventMessageFile
C:\Windows\System32\wkssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, ServiceDll Delete
C:\Windows\System32\wlansvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters, ServiceDll Delete
C:\Windows\System32\wscsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\SecurityCenter, EventMessageFile
C:\Windows\System32\wwansvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WwanSvc\Parameters, ServiceDll Delete
C:\Windows\TEMP\E_SA40D.tmp Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EPSON Stylus CX8400 Series (Copy 1), command Delete
C:\Windows\TEMP\E_SF40E.tmp Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EPSON Stylus CX8400 Series, command Delete
C:\Windows\system32\BlbEvents.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Backup, EventMessageFile
C:\Windows\system32\DRIVERS\iusb3hub.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iusb3hub, EventMessageFile
C:\Windows\system32\DRIVERS\iusb3xhc.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\iusb3xhc, EventMessageFile
C:\Windows\system32\FntCache.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\FontCache\Parameters, ServiceDll Delete
C:\Windows\system32\ListSvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HomeGroupListener\Parameters, ServiceDll Delete
C:\Windows\system32\Mcx2Svc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Mcx2Svc\Parameters, ServiceDll Delete
C:\Windows\system32\WINSAT.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-WindowsSystemAssessmentTool, EventMessageFile
C:\Windows\system32\WUDFPlatform.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-DriverFrameworks-UserMode, EventMessageFile
C:\Windows\system32\Wat\WatUX.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Activation Technologies, EventMessageFile
C:\Windows\system32\bthserv.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\bthserv\Parameters, ServiceDll Delete
C:\Windows\system32\certprop.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-SCPNP, EventMessageFile
C:\Windows\system32\cofiredm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-CorruptedFileRecovery-Client, EventMessageFile
C:\Windows\system32\cofiredm.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-CorruptedFileRecovery-Server, EventMessageFile
C:\Windows\system32\csrsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Subsys-SMSS, EventMessageFile
C:\Windows\system32\defragsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Defrag, EventMessageFile
C:\Windows\system32\dfdts.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-DiskDiagnostic, EventMessageFile
C:\Windows\system32\dps.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DPS\Parameters, ServiceDll Delete
C:\Windows\system32\drivers\HTTP.SYS Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-HttpEvent, EventMessageFile
C:\Windows\system32\drivers\fltmgr.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-FilterManager, EventMessageFile
C:\Windows\system32\drivers\fvevol.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-BitLocker-Driver, EventMessageFile
C:\Windows\system32\drivers\ntfs.sys Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Ntfs, EventMessageFile
C:\Windows\system32\dwm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Desktop Window Manager, EventMessageFile
C:\Windows\system32\eapsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-EapHost, EventMessageFile
C:\Windows\system32\fdPHost.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\fdPHost\Parameters, ServiceDll Delete
C:\Windows\system32\fdphost.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-FunctionDiscoveryHost, EventMessageFile
C:\Windows\system32\fdrespub.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\FDResPub\Parameters, ServiceDll Delete
C:\Windows\system32\fdrespub.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-ResourcePublication, EventMessageFile
C:\Windows\system32\fveapi.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-BitLocker-API, EventMessageFile
C:\Windows\system32\fxsevent.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft Fax, EventMessageFile
C:\Windows\system32\gpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-GroupPolicy, EventMessageFile
C:\Windows\system32\hkcmd.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds, command Delete
C:\Windows\system32\igfxpers.exe Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Persistence Delete
C:\Windows\system32\igfxtray.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray, command Delete
C:\Windows\system32\ipbusenum.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\IPBusEnum\Parameters, ServiceDll Delete
C:\Windows\system32\ipbusenum.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-IPBusEnum, EventMessageFile
C:\Windows\system32\iphlpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Iphlpsvc, EventMessageFile
C:\Windows\system32\iscsiexe.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MSiSCSI\Parameters, ServiceDll Delete
C:\Windows\system32\kmsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\hkmsvc\Parameters, ServiceDll Delete
C:\Windows\system32\lpksetup.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-LanguagePackSetup, EventMessageFile
C:\Windows\system32\lsm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\LSM, EventMessageFile
C:\Windows\system32\lsm.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TerminalServices-LocalSessionManager, EventMessageFile
C:\Windows\system32\microsoft-windows-hal-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-HAL, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Power, EventMessageFile
C:\Windows\system32\microsoft-windows-kernel-processor-power-events.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Kernel-Processor-Power, EventMessageFile
C:\Windows\system32\mmcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MMCSS\Parameters, ServiceDll Delete
C:\Windows\system32\mmcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\THREADORDER\Parameters, ServiceDll Delete
C:\Windows\system32\mpssvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters, ServiceDll Delete
C:\Windows\system32\mpssvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Firewall, EventMessageFile
C:\Windows\system32\msdtckrm.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\KtmRm\Parameters, ServiceDll Delete
C:\Windows\system32\nsisvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\nsi\Parameters, ServiceDll Delete
C:\Windows\system32\oobe\winsetup.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Setup, EventMessageFile
C:\Windows\system32\p2psvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\p2psvc\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpauto.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PNRPAutoReg\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\p2pimsvc\Parameters, ServiceDll Delete
C:\Windows\system32\pnrpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PNRPsvc\Parameters, ServiceDll Delete
C:\Windows\system32\profsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters, ServiceDll Delete
C:\Windows\system32\psxss.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\Windows\system32\qagentRT.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\napagent\Parameters, ServiceDll Delete
C:\Windows\system32\qmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\BITS\Parameters, ServiceDll Delete
C:\Windows\system32\qmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Bits-Client, EventMessageFile
C:\Windows\system32\recovery.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Recovery, EventMessageFile
C:\Windows\system32\regsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters, ServiceDll Delete
C:\Windows\system32\rpcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters, ServiceDll Delete
C:\Windows\system32\rpcss.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\RpcSs\Parameters, ServiceDll Delete
C:\Windows\system32\schedsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Schedule\Parameters, ServiceDll Delete
C:\Windows\system32\schedsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TaskScheduler, EventMessageFile
C:\Windows\system32\sdclt.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath,
C:\Windows\system32\sdengin2.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Backup, EventMessageFile
C:\Windows\system32\seclogon.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\seclogon\Parameters, ServiceDll Delete
C:\Windows\system32\sensrsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SensrSvc\Parameters, ServiceDll Delete
C:\Windows\system32\services.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Service Control Manager, EventMessageFile
C:\Windows\system32\sppsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Software Protection Platform Service, EventMessageFile
C:\Windows\system32\sppsvc.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Key Management Service\KmsRequests, EventMessageFile
C:\Windows\system32\sppuinotify.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\sppuinotify\Parameters, ServiceDll Delete
C:\Windows\system32\srcore.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\System Restore, EventMessageFile
C:\Windows\system32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters, ServiceDll Delete
C:\Windows\system32\sstpsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\RasSstp, EventMessageFile
C:\Windows\system32\sysmain.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\SysMain\Parameters, ServiceDll Delete
C:\Windows\system32\sysmain.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\rdyboost\Performance, Library Delete
C:\Windows\system32\tbssvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TBS, EventMessageFile
C:\Windows\system32\termsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-TerminalServices-RemoteConnectionManager, EventMessageFile
C:\Windows\system32\termsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService, EventMessageFile
C:\Windows\system32\themeservice.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Themes\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\PlugPlay\Parameters, ServiceDll Delete
C:\Windows\system32\umpnpmgr.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-UserPnp, EventMessageFile
C:\Windows\system32\umpo.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Power\Parameters, ServiceDll Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\Parameters, ServiceDll Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Time-Service, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\W32Time, EventMessageFile
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient, DllName Delete
C:\Windows\system32\w32time.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer, DllName Delete
C:\Windows\system32\wbem\WMIsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters, ServiceDll Delete
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Wecsvc\Parameters, ServiceDll Delete
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-EventCollector, EventMessageFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\HardwareEvents, DisplayNameFile
C:\Windows\system32\wecsvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-EventCollector, EventMessageFile
C:\Windows\system32\winlogon.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-Winlogon, EventMessageFile
C:\Windows\system32\winsrv.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Microsoft-Windows-Winsrv, EventMessageFile
C:\Windows\system32\wlansvc.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WLAN-AutoConfig, EventMessageFile
C:\Windows\system32\wpdbusenum.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WPDBusEnum\Parameters, ServiceDll Delete
C:\Windows\system32\wscsvc.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wscsvc\Parameters, ServiceDll Delete
C:\Windows\system32\wsepno.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service Profile Notification, EventMessageFile
C:\Windows\system32\wuaucpl.cpl Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {5F327514-6C5E-4d60-8F16-D07FA08A78ED} Delete
C:\Windows\system32\wuaueng.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\wuauserv\Parameters, ServiceDll Delete
C:\Windows\system32\wuaueng.dll Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\Microsoft-Windows-WindowsUpdateClient, EventMessageFile
C:\bf0d5efc43be0ad58e1140d9af6b6f6a\DW\DW20.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
Maker\DVDMaker.exe Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Dvd Maker, EventMessageFile
Menu\CNQMMAIN.EXE Script: Quarantine, Delete, Delete via BC	--	Registry key	HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CanonQuickMenu, command Delete
auditcse.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName Delete
igfxdev.dll Script: Quarantine, Delete, Delete via BC	Active	Registry key	HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName Delete
Autoruns items found - 709, recognized as trusted - 460

Internet Explorer extension modules (BHOs, Toolbars ...)

File name	Type	Description	Manufacturer	CLSID
Items found - 5, recognized as trusted - 5

Windows Explorer extension modules

File name	Destination	Description	Manufacturer	CLSID
	WebCheck			{E6FB5E20-DE35-11CF-9C87-00AA005127ED} Delete
Items found - 15, recognized as trusted - 14

Printing system extensions (print monitors, providers)

File name	Type	Name	Description	Manufacturer
CNCALC2.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Canon BJ FAX Language Monitor MX470 series
CNMLMC2.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Canon BJ Language Monitor MX470 series
CNMN6PPM.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Canon BJNP Port
E_ILMCEA.DLL Script: Quarantine, Delete, Delete via BC	Monitor	EPSON Stylus CX8400 Series 64MonitorBA
hpinkstsC311LM.dll Script: Quarantine, Delete, Delete via BC	Monitor	HP C311 Status Monitor
HPDiscoPMC311.dll Script: Quarantine, Delete, Delete via BC	Monitor	HP Discovery Port Monitor (HP ENVY 5530 series)
localspl.dll Script: Quarantine, Delete, Delete via BC	Monitor	Local Port
FXSMON.DLL Script: Quarantine, Delete, Delete via BC	Monitor	Microsoft Shared Fax Monitor
hpz3lw71.dll Script: Quarantine, Delete, Delete via BC	Monitor	PCL hpz3lw71
tcpmon.dll Script: Quarantine, Delete, Delete via BC	Monitor	Standard TCP/IP Port
usbmon.dll Script: Quarantine, Delete, Delete via BC	Monitor	USB Monitor
WSDMon.dll Script: Quarantine, Delete, Delete via BC	Monitor	WSD Port
inetpp.dll Script: Quarantine, Delete, Delete via BC	Provider	HTTP Print Services
Items found - 14, recognized as trusted - 1

Task Scheduler jobs

File name	Job name	Job state	Description	Manufacturer	Path	Command line
C:\Windows\ERDNT\AutoBackup\#Date# Script: Quarantine, Delete, Delete via BC	ERUNT Script: Delete				C:\Windows\system32\Tasks\	"C:\Program Files (x86)\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# sysreg otherusers /noconfirmdelete /noprogresswindow
C:\remote-service\jetclean\AutoUpdate.exe Script: Quarantine, Delete, Delete via BC	JetCleanLoginCheckUpdate Script: Delete				C:\Windows\system32\Tasks\	C:\remote-service\jetclean\AutoUpdate.exe /AutoRun
aitagent Script: Quarantine, Delete, Delete via BC	AitAgent Script: Delete				C:\Windows\system32\Tasks\Microsoft\Windows\Application Experience\	aitagent
C:\Windows\ehome\mcupdate Script: Quarantine, Delete, Delete via BC	mcupdate Script: Delete				C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\	%SystemRoot%\ehome\mcupdate $(Arg0)
C:\Windows\ehome\ehrec Script: Quarantine, Delete, Delete via BC	RecordingRestart Script: Delete				C:\Windows\system32\Tasks\Microsoft\Windows\Media Center\	%SystemRoot%\ehome\ehrec /RestartRecording
Items found - 75, recognized as trusted - 70

SPI/LSP settings

Namespace providers (NSP)

Manufacturer	Status	EXE file	Description	GUID
Detected - 7, recognized as trusted - 7

Transport protocol providers (TSP, LSP)

Manufacturer EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check
LSP settings checked. No errors detected

TCP/UDP ports

Port Status Remote Host Remote Port Application Notes
TCP ports
139 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
554 LISTENING 0.0.0.0 0 [4036] wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
2869 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 ESTABLISHED 127.0.0.1 49155 [1948] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 ESTABLISHED 127.0.0.1 49157 [1948] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5354 LISTENING 0.0.0.0 0 [1948] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5357 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
10243 LISTENING 0.0.0.0 0 [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 ESTABLISHED 127.0.0.1 49159 [1820] AppleMobileDeviceService.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 LISTENING 0.0.0.0 0 [1820] AppleMobileDeviceService.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49155 ESTABLISHED 127.0.0.1 5354 [1820] AppleMobileDeviceService.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49156 LISTENING 0.0.0.0 0 [708] lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49157 ESTABLISHED 127.0.0.1 5354 [1820] AppleMobileDeviceService.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49159 ESTABLISHED 127.0.0.1 27015 [2352] iTunesHelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
49160 LISTENING 0.0.0.0 0 [700] services.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
137 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
138 LISTENING -- -- [4] System.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5004 LISTENING -- -- [4036] wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5005 LISTENING -- -- [4036] wmpnetwk.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5353 LISTENING -- -- [1948] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
52368 LISTENING -- -- [1820] AppleMobileDeviceService.exe
Script: Quarantine, Delete, Delete via BC, Terminate
52369 LISTENING -- -- [1820] AppleMobileDeviceService.exe
Script: Quarantine, Delete, Delete via BC, Terminate
52370 LISTENING -- -- [1948] mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC, Terminate
52372 LISTENING -- -- [2352] iTunesHelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
52373 LISTENING -- -- [2352] iTunesHelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate

Downloaded Program Files (DPF)

File name Description Manufacturer CLSID Source URL
Items found - 0, recognized as trusted - 0

Control Panel Applets (CPL)

File name Description Manufacturer
Items found - 19, recognized as trusted - 19

Active Setup

File name Description Manufacturer CLSID
Items found - 6, recognized as trusted - 6

HOSTS file

Hosts file record
127.0.0.1 localhost
Clear Hosts file

Protocols and handlers

File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Items found - 18, recognized as trusted - 15

Shared resources

Network name Path Notes
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
IPC$ Remote IPC
print$ C:\Windows\system32\spool\drivers Printer Drivers
Users C:\Users

Suspicious objects

File Description Type

AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 23.04.2015 14:56:47
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 23.04.2015 16:00
Heuristic microprograms loaded: 410
PVS microprograms loaded: 9
Digital signatures of system files loaded: 733947
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Home Premium" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Error loading driver - operation interrupted [C000036B]
1.4 Searching for masking processes and drivers
 Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
 Error loading driver - operation interrupted [C000036B]
2. Scanning RAM
 Number of processes found: 14
 Number of modules loaded: 240
Scanning RAM - complete
3. Scanning disks
Direct reading: C:\Qoobox\BackEnv\SetPath.bat
Direct reading: C:\Users\User\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
 Checking - disabled by user
6. Searching for opened TCP/UDP ports used by malicious software
 Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
 >>  HDD autorun is allowed
 >>  Network drives autorun is allowed
 >>  Removable media autorun is allowed
Checking - complete
Files scanned: 119479, extracted from archives: 83317, malicious software found 0, suspicions - 0
Scanning finished at 23.04.2015 15:13:49
Time of scanning: 00:17:02
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
Network diagnostics
 DNS and Ping test
  Host="yandex.ru", IP="87.250.250.8,87.250.251.11,93.158.134.8,77.88.21.11", Ping=OK (0,200,87.250.250.8)
  Host="google.ru", IP="216.58.219.67", Ping=OK (0,31,216.58.219.67)
  Host="google.com", IP="216.58.219.142", Ping=OK (0,31,216.58.219.142)
  Host="www.kaspersky.com", IP="77.74.178.16", Ping=Error (11010,0,0.0.0.0)
  Host="www.kaspersky.ru", IP="77.74.178.20", Ping=Error (11010,0,0.0.0.0)
  Host="dnl-03.geo.kaspersky.com", IP="4.28.136.39", Ping=OK (0,67,4.28.136.39)
  Host="dnl-11.geo.kaspersky.com", IP="38.117.98.199", Ping=OK (0,63,38.117.98.199)
  Host="activation-v2.kaspersky.com", IP="4.59.181.141", Ping=Error (11010,0,0.0.0.0)
  Host="odnoklassniki.ru", IP="217.20.147.94", Ping=OK (0,183,217.20.147.94)
  Host="vk.com", IP="87.240.131.97,87.240.131.99,87.240.143.241", Ping=OK (0,187,87.240.131.97)
  Host="vkontakte.ru", IP="95.213.4.246,95.213.4.244,95.213.4.245", Ping=OK (0,180,95.213.4.246)
  Host="twitter.com", IP="199.16.156.6,199.16.156.38,199.16.156.70,199.16.156.102", Ping=OK (0,28,199.16.156.6)
  Host="facebook.com", IP="173.252.120.6", Ping=OK (0,47,173.252.120.6)
  Host="ru-ru.facebook.com", IP="31.13.73.1", Ping=OK (0,23,31.13.73.1)
 Network IE settings
  IE setting AutoConfigURL=
  IE setting AutoConfigProxy=wininet.dll
  IE setting ProxyOverride=
  IE setting ProxyServer=
  IE setting Internet\ManualProxies=
 Network TCP/IP settings
 Network Persistent Routes

 System Analysis - complete


Script commands 
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Remove traces of deleted files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining a file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting a file
Insert template for DelCLSID() - removing a CLSID item from registry
Additional operations:Performance tweaking: disable service TermService (Remote Desktop Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries

File list

Port	Status	Remote Host	Remote Port	Application	Notes
TCP ports
139	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
445	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
554	LISTENING	0.0.0.0	0	[4036] wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
2869	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	ESTABLISHED	127.0.0.1	49155	[1948] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	ESTABLISHED	127.0.0.1	49157	[1948] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
5354	LISTENING	0.0.0.0	0	[1948] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
5357	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
10243	LISTENING	0.0.0.0	0	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	ESTABLISHED	127.0.0.1	49159	[1820] AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC, Terminate
27015	LISTENING	0.0.0.0	0	[1820] AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC, Terminate
49155	ESTABLISHED	127.0.0.1	5354	[1820] AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC, Terminate
49156	LISTENING	0.0.0.0	0	[708] lsass.exe Script: Quarantine, Delete, Delete via BC, Terminate
49157	ESTABLISHED	127.0.0.1	5354	[1820] AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC, Terminate
49159	ESTABLISHED	127.0.0.1	27015	[2352] iTunesHelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
49160	LISTENING	0.0.0.0	0	[700] services.exe Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
137	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
138	LISTENING	--	--	[4] System.exe Script: Quarantine, Delete, Delete via BC, Terminate
5004	LISTENING	--	--	[4036] wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
5005	LISTENING	--	--	[4036] wmpnetwk.exe Script: Quarantine, Delete, Delete via BC, Terminate
5353	LISTENING	--	--	[1948] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
52368	LISTENING	--	--	[1820] AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC, Terminate
52369	LISTENING	--	--	[1820] AppleMobileDeviceService.exe Script: Quarantine, Delete, Delete via BC, Terminate
52370	LISTENING	--	--	[1948] mDNSResponder.exe Script: Quarantine, Delete, Delete via BC, Terminate
52372	LISTENING	--	--	[2352] iTunesHelper.exe Script: Quarantine, Delete, Delete via BC, Terminate
52373	LISTENING	--	--	[2352] iTunesHelper.exe Script: Quarantine, Delete, Delete via BC, Terminate

Network name	Path	Notes
ADMIN$	C:\Windows	Remote Admin
C$	C:\	Default share
IPC$		Remote IPC
print$	C:\Windows\system32\spool\drivers	Printer Drivers
Users	C:\Users