Trojan.GenericKD.1677485_06bdeeaa4d

by malwarelabrobot on March 30th, 2015 in Malware Descriptions.

Trojan.GenericKD.1677485 (B) (Emsisoft), Trojan.GenericKD.1677485 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 06bdeeaa4d666cf489697415f04dff22
SHA1: 3d97eff134e178625ec14260e04fbb0f29793c9f
SHA256: 62b9d1d57c3fd682f525a393f704fd6d30ae9d9704db1b50c5797fd3a1d8bf0e
SSDeep: 98304:yrrnBsPrbzzzzzkzzzzzVisVp60YClDPKMNkA zoBR3xqRhdbonCrkd7H67gMM4B:yrjB2bzzzzzkzzzzzwWlDVk5s33E9oxM
Size: 4156824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-17 08:44:36
Analyzed on: WindowsXP SP3 32-bit
Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

RsMgrSvc.exe:1780
rsDefense.exe:240
rsDefense.exe:1108
popwndexe.exe:1016
%original file name%.exe:2008

The Trojan injects its code into the following process(es):

No processes have been created.

Mutexes

The following mutexes were created/opened:

No objects were found.

File activity

The process RsMgrSvc.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RSD\RsMgrSvc.exe.log (217 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)

The process rsDefense.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RAC\rsDefense.exe_status.ini (80 bytes)
%Program Files%\Rising\RAC\CCenter.db-journal (18630 bytes)
%Program Files%\Rising\RAC\CCenter.db (623 bytes)

The Trojan deletes the following file(s):

%Program Files%\Rising\RAC\CCenter.db-journal (0 bytes)

The process %original file name%.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\rsuser.db (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (2723 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAC\comx3.dll (673 bytes)
%Program Files%\Rising\RAC\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RAC\XMLS\HOOKBASE.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (397 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RAC\XMLS\RAVDEFDB.xml (969 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9 (4 bytes)
%Program Files%\Rising\RAC\syslay.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2595 bytes)
%Program Files%\Rising\RAC\cfgxml\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Program Files%\Rising\RAC\rstask.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RAC\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml.rs (667 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RAC\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1587 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RAC\XMLS\RAVCONFIG.xml (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RAC\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RAC\Proccomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (52898 bytes)
%Program Files%\Rising\RAC\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (1243 bytes)
%Program Files%\Rising\RAC\XMLS\LICENSE.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%System%\drivers\rsutils.sys (51 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (1562 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Program Files%\Rising\RAC\XMLS\RAVMAINDUI.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Program Files%\Rising\RAC\msvcr90.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (1369 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RAC\dfw.dll (1281 bytes)
%Program Files%\Rising\RAC\XMLS\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (2103 bytes)
%Program Files%\Rising\RAC\rscfg.dll (53 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\RAV.ini (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RAC\rscombas.dll (1281 bytes)
%Program Files%\Rising\RAC\XMLS\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (36 bytes)
%Program Files%\Rising\RAC\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (37 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RAC\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\RsPcVer12[1].xml (663 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\ShortCut\Repair.url (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (371 bytes)
%Program Files%\Rising\RAC\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RAC\uprsmon.dat (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RAC\cfgxml\mondcoms.xml (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Program Files%\Rising\RAC\setup.dat (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Program Files%\Rising\RAC\rsDefense.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (1590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (1463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1094 bytes)
%Program Files%\Rising\RAC\url.ini (4 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (3754 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (890 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%System%\drivers\protreg.sys (21 bytes)
%Program Files%\Rising\RAC\RavSetup.dll (7385 bytes)
%Program Files%\Rising\RAC\XMLS\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (1503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (2494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RAC\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (21 bytes)
%Program Files%\Rising\RAC\selfmon.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RAC\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12067 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Program Files%\Rising\RAC\RsBaseNetWrapper.dll (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1923 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (190 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RAC\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\Label.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (125 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RAC\XMLS\RAVBASE.xml (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (1290 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RAC\mondrv.dll (2321 bytes)
%Program Files%\Rising\RAC\XMLS\RAV936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (36 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\language.ini (63 bytes)
%Program Files%\Rising\RAC\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (519 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (4734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (2231 bytes)
%Program Files%\Rising\RAC\rsxml3w.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (1189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (2443 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\ShortCut\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Program Files%\Rising\RAC\cfgxml\adefmon.mond (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (3 bytes)
%Program Files%\Rising\RAC\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Program Files%\Rising\RAC\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RAC\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (2775 bytes)
%Program Files%\Rising\RAC\CompsVer.inf (2 bytes)
%Program Files%\Rising\RAC\XMLS\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (263 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (21 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Rising Software Deployment System\.lnk (2 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\rsmon.db (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAC\XMLS\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (3341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (3949 bytes)
%Program Files%\Rising\RAC\rstasku.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (1076 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (47 bytes)
%Program Files%\Rising\RAC\pngdll.dll (1425 bytes)
%Program Files%\Rising\RAC\traywnd.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RAC\desktop.ini (182 bytes)
%Program Files%\Rising\RAC\Label.dat (388 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RAC\XMLS\RSCOMM.xml (2 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Program Files%\Rising\RAC\XMLS\RSDK.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (1405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (59 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\rsuser.db1 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (2500 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (336 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAC\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4877 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RAC\Rising.ico (3 bytes)
%System%\drivers\rsndisp.sys (10 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (58 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\Rising\RAC\Proccom.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (1970 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RAC\rsxml3a.dll (673 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (3 bytes)
%Program Files%\Rising\RAC\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RAC\cnt09.dll (1281 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (2032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (4619 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (3 bytes)
%Program Files%\Rising\RAC\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RAC\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\ravcfg.xml (601 bytes)
%Program Files%\Rising\RAC\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RAC\moncom08.dll (601 bytes)
%Program Files%\Rising\RAC\mergexml.dll (601 bytes)
%Program Files%\Rising\RAC\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (758 bytes)
%Program Files%\Rising\RAC\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (676 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (969 bytes)
C:\rising.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Program Files%\Rising\RAC\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Program Files%\Rising\RAC\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAC\mondef.dll (3361 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RAC\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RAC\XMLS\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RAC\XMLS\RAVXP.xml (404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Program Files%\Rising\RAC\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (2622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe.log (267841 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (434 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAC\rsmon.db1 (37 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (1 bytes)
%Program Files%\Rising\RAC\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (16409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (4542 bytes)
%Program Files%\Rising\RAC\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RAC\RsTray.ico (601 bytes)
%Program Files%\Rising\RAC\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (3768 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RAC\12345678.000 (24 bytes)
%Program Files%\Rising\RAC\bawhite.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (915 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (1580 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef (4 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1247 bytes)
%Program Files%\Rising\RAC\XMLS\_RAV.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Program Files%\Rising\RAC\ravxp.exe (601 bytes)
%Program Files%\Rising\RAC\bacore.dll (2321 bytes)
%Program Files%\Rising\RAC\XMLS\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%System%\drivers\sysmon.sys (673 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV_DL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (0 bytes)
%Program Files%\Rising\RAC (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\RsPcVer12[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAO9AN81.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ForLogDeve[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (0 bytes)
%Program Files%\Rising (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (0 bytes)
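
The two listings above share a pattern worth checking mechanically rather than by eye: the sample self-extracts into %Temp%\RsdSfxTmp, copies binaries into %Program Files%\Rising and a driver into %System%\drivers, then deletes the extraction directory. The following Python is an added example, not part of the original report and not Rising's software. It parses lines in the report's own "path (N bytes)" layout (a handful copied from the listings above serve as sample input), buckets written files by destination, and reports which written paths were later deleted. The bucket names and the rules in classify() are this example's own choices.

```python
import re

# Representative lines copied from the file-activity listings above, kept in the
# report's own "<path> (<size> bytes)" layout. Deleted entries are logged at
# 0 bytes and include directories as well as files.
CREATED = r"""
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Program Files%\Rising\RAC\ravxp.exe (601 bytes)
%Program Files%\Rising\RAC\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%System%\drivers\sysmon.sys (673 bytes)
"""

DELETED = r"""
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\RsPcVer12[1].xml (0 bytes)
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")


def parse_listing(text):
    """Turn report lines into (path, size) pairs; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        entries.append((m.group("path"), int(m.group("size"))))
    return entries


def classify(path):
    """Bucket a written path by where it lands (bucket names are this example's own).

    Windows paths are case-insensitive, so comparisons run on the lower-cased path.
    """
    p = path.lower()
    if p.startswith("%system%\\drivers\\") and p.endswith(".sys"):
        return "kernel driver"          # loadable through a Services\<name> entry
    if "\\temporary internet files\\" in p:
        return "browser cache"          # WinINet side effect, not a payload
    if "\\local settings\\temp\\" in p:
        return "temp staging"           # self-extractor scratch area
    if p.startswith("%program files%\\") and p.rsplit(".", 1)[-1] in ("exe", "dll", "sys"):
        return "installed binary"
    return "other"


def staged_then_removed(created, deleted):
    """Paths that were written and later deleted: the extractor's temporary payload."""
    written = {path.lower(): path for path, _ in created}
    return sorted(written[path.lower()] for path, _ in deleted if path.lower() in written)


def triage(created_text, deleted_text):
    """Summarise both listings: counts per bucket, dropped drivers, staged-and-removed files."""
    created = parse_listing(created_text)
    deleted = parse_listing(deleted_text)
    buckets = {}
    for path, size in created:
        buckets.setdefault(classify(path), []).append((path, size))
    return {
        "created": len(created),
        "deleted": len(deleted),
        "buckets": buckets,
        "drivers": [path for path, _ in created if classify(path) == "kernel driver"],
        "staged": staged_then_removed(created, deleted),
    }


if __name__ == "__main__":
    summary = triage(CREATED, DELETED)
    for bucket, items in summary["buckets"].items():
        print(f"{bucket}: {len(items)} file(s)")
    print("kernel drivers dropped:", summary["drivers"])
    print("written then deleted:", summary["staged"])
```

On the sample input the only file outside the staging and install directories is sysmon.sys under %System%\drivers; the three DLLs written under RsdSfxTmp reappear in the deleted listing, which is what a self-extracting installer cleaning up after itself looks like. The deleted listing also contains hookbase\sysmon.sys, the temp copy of the same driver name, which the example does not match against the %System% copy because the paths differ.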

Registry activity

The process RsMgrSvc.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry. In this and the next three per-process blocks the only entries are the Seed value under HKLM\SOFTWARE\Microsoft\Cryptography\RNG, which the Windows CryptoAPI rewrites whenever a process draws random bytes, and Explorer\Shell Folders paths, which the shell writes on folder-path lookups; they show that the processes ran and called those APIs, not settings the sample chose to persist:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D A5 63 A1 B4 3E DA 6C A8 7F 92 FC 7B CD 59 D6"

The process rsDefense.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 32 4B 56 4A EE 87 BD 5B 30 5C D6 C9 19 B9 F4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process rsDefense.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 E6 8C 5D 47 F7 16 80 13 1B 84 CD 26 9A 2E 21"

The process popwndexe.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 87 B6 87 EE 62 4C 34 1F 0A 9A 28 4A 43 54 FE"
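
The registry listing for %original file name%.exe:2008 that follows is long, and most of it is product configuration. The Python below is an added example, not from the original report and not Rising's code. It parses the report's "[key]" / "name" = "value" layout over a constructed excerpt copied value for value from that listing, subtracts well-known API side effects (RNG Seed, Shell Folders, MountPoints2, WinINet cache paths), counts the vendor configuration separately, and keeps the entries a responder actually reads: service installation with the Type value decoded from the winnt.h SERVICE_* constants, minifilter Altitude registration, browser plug-in registration, Add/Remove Programs identity, and CLSID values that decode as base64. The NOISE patterns and the finding labels are this example's own.

```python
import base64
import re

# Constructed excerpt of the registry listing below, copied value for value and
# kept in the report's own "[key]" / "name" = "value" layout.
DUMP = r'''
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D A5 63 A1 B4 3E DA 6C A8 7F 92 FC 7B CD 59 D6"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Type" = "2"
"Group" = "Boot Bus Extender"
"Description" = "Rising System Monitor Driver"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Altitude" = "370070"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAC\nprising.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"Publisher" = "Beijing Rising Information Technology, Inc."
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monServerName" = "RfEAivUKDUgRI0cALJc="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\state]
"(Default)" = "1"
'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]*)" = "(?P<value>.*)"$')
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")

# Keys any process touches through ordinary API calls; subtract them before reading a dump.
NOISE = (
    r"\\microsoft\\cryptography\\rng$",      # CryptoAPI reseeds after CryptGenRandom
    r"\\explorer\\shell folders$",            # SHGetFolderPath lookups
    r"\\explorer\\mountpoints2\\\{",          # shell volume enumeration
    r"\\internet settings\\cache\\paths",     # WinINet cache initialisation
)

SERVICE_TYPES = {  # SERVICE_* constants from winnt.h
    0x1: "kernel driver",
    0x2: "file system driver",
    0x10: "win32 own process",
    0x20: "win32 share process",
}


def parse_dump(text):
    """Return (key, name, value) triples; each value line belongs to the last [key] seen."""
    key, triples = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unrecognised dump line: {line!r}")
        triples.append((key, m.group("name"), m.group("value")))
    return triples


def decode_b64(value):
    """Decoded bytes when value is well-formed base64 of a useful length, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return None


def triage_registry(text):
    """Split a dump into API noise, vendor configuration and findings worth a second look."""
    findings, noise, config = [], 0, 0
    for key, name, value in parse_dump(text):
        k = key.lower()
        if any(re.search(p, k) for p in NOISE):
            noise += 1
        elif k.startswith("hklm\\software\\rising\\"):
            config += 1
        elif re.search(r"\\currentcontrolset\\services\\[^\\]+$", k) and name == "Type":
            kind = SERVICE_TYPES.get(int(value, 0), f"type {value}")
            findings.append(("service", key.rsplit("\\", 1)[-1], kind))
        elif name == "Altitude":                      # minifilter position in the filter stack
            findings.append(("minifilter", key, value))
        elif "\\mozillaplugins\\" in k and name == "Path":
            findings.append(("browser plugin", key, value))
        elif "\\currentversion\\uninstall\\" in k and name in ("Publisher", "DisplayName", "UninstallString"):
            findings.append(("uninstall entry", name, value))
        elif k.startswith("hkcr\\clsid\\"):
            raw = decode_b64(value)
            if raw is None:
                findings.append(("clsid value", name, "not base64"))
            elif raw.isascii() and raw.decode("ascii").isprintable():
                findings.append(("clsid value", name, raw.decode("ascii")))
            else:
                findings.append(("clsid value", name, f"{len(raw)} non-printable bytes"))
    return {"findings": findings, "noise": noise, "config": config}


if __name__ == "__main__":
    result = triage_registry(DUMP)
    print(f"api noise: {result['noise']}, vendor config: {result['config']}")
    for finding in result["findings"]:
        print(*finding, sep=" | ")
```

Run against this excerpt it reports SysMon as a file system driver with altitude 370070, the nprising.dll plug-in, the Rising uninstall identity, and that ProcKey decodes to the printable string G3A2UK-K0P0ND-L0EFSU-FH5300 while monServerName decodes to 14 non-printable bytes. The report gives no meaning for either string, so treat the decode as an observation to record, not an identification.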

The process %original file name%.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry. Read together they are the configuration of a Rising Antivirus (RAV) installation: product settings under HKLM\SOFTWARE\rising\RAV\cfg (monitor states, scan limits, cloud-query URLs under rscloud.rising.net.cn), Add/Remove Programs entries RSD and RAC (display name "Rising Software Deployment System", publisher "Beijing Rising Information Technology, Inc."), a Firefox NPAPI plug-in registration pointing at %Program Files%\Rising\RAC\nprising.dll, and, the item that matters most for triage, a kernel-mode driver service SysMon (Type 2 is SERVICE_FILE_SYSTEM_DRIVER, load-order group "Boot Bus Extender", minifilter Altitude 370070 under Services\sysmon\Instances) for the sysmon.sys written to %System%\drivers. The base64-looking strings under HKCR\CLSID\{...} (ProcKey, monServerName, Title, regtray) are not explained by the report; only ProcKey decodes to printable text. The MountPoints2 BaseClass entries and the Internet Settings\Cache\Paths values are side effects of shell volume enumeration and WinINet cache initialisation rather than settings chosen by the sample:

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\rdisk_exec_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\SmartScan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AutoTreatInfected]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\state]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\pro_path]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\UseAI]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\exploit_scan_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\protect_registries]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PackageSizeLimit]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\func]
"(Default)" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\GlobalCache]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\homepageguard\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\DenferTime]
"(Default)" = "255"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAC\nprising.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg]
"ver" = "24"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\zone]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.00.95"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\Mode]
"(Default)" = "Post"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\scriptmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\state]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"Publisher" = "Beijing Rising Information Technology, Inc."

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AutoTreatInfected]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\file_ext_filter]
"(Default)" = "VBS;VBE;JS;JSE;LSP;FAS;ASP;HTT;HTA;CSS;WSH;MHT;JSP;PHP;HTM;HTML;RB;LUA;PY;EXE;COM;SYS;VXD;DRV;DLL;BIN;OVL;386;FON;DOC;DOT;XLS;XLT;PPT;BAT;SCT;OCX;CPL;LNK;EML;NWS;PIF;SHS;MAI;SCR;ZIP;7Z;ARJ;BZ2;BZIP2;CAB;GZ;GZIP;HFS;ISO;LHA;LZH;LZMA;RAR;TAR;"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\InsufficientSpaceHandleMethod]
"ver" = "2"

[HKLM\SOFTWARE\rising\rscommon]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\common"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\verdict_vir_found]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\autorun_disable_state]
"(Default)" = "1"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Description" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\sites]
"(Default)" = "D8 6D 9D 5B 51 7F 00 00 2A 00 2E 00 74 00 61 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\Report]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{FD565346-58E9-6648-3030-303030303030}"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\Default\ProtectConfig\ProtectType]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Type" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\verdict_vir_found]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\ProtectConfig\ProtectType]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\SmartScan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowLogonIcon]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\app_filters]
"(Default)" = "00 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_filters]
"(Default)" = "2D 00 2D 00 74 00 79 00 70 00 65 00 3D 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\AutoEnterSilenceMode]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RAV"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\scan_timeout]
"(Default)" = "30000"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoTrayIcon]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\sites]
"(Default)" = "D8 6D 9D 5B 51 7F 00 00 2A 00 2E 00 74 00 61 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\PackageSizeLimit]
"ver" = "3"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AlertSound]
"ver" = "1"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Group" = "Boot Bus Extender"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\func]
"(Default)" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\file_ext_filter]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\verdict_vir_found]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\bxfix]
"(Default)" = "http://rscloud.rising.net.cn/navigate_bwfix.xml"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"DisplayName" = "Rising Software Deployment System"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\UseCloudDefence]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\SmartRelocate]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\homepageguard\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\whitemask]
"(Default)" = "25"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Altitude" = "370070"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\GlobalCache]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\zone]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\SmartScan]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rs_processes]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\func]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\FileNameFilter]
"(Default)" = ".exe|.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\REGO]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BackgroundScan\State]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\file_ext_filter]
"ver" = "1"

[HKCU\Software\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAC\nprising.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\mode]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\mode]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\Count]
"(Default)" = "592"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\Default\KeepDays]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\UninstallProtect]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoTrayIcon]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ScanResultCountPerPage]
"(Default)" = "268435455"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"
"InstallLocation" = "%Program Files%\Rising\RSD"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV]
"InstallPath" = "%Program Files%\Rising\RAC"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\rdisk_exec_state]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"DisplayVersion" = "24.00.15.17"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\writelog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PackageSizeLimit]
"ver" = "4"

[HKLM\SOFTWARE\rising\RAV]
"Type" = "17"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\whitemask]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\reg_path]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV]
"Version" = "24.00.15.17"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\UseAI]
"(Default)" = "0"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monServerName" = "RfEAivUKDUgRI0cALJc="

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\level]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising\MimeType]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowLogonIcon]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\sites]
"ver" = "16"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoBacore]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowScanAd]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"InstallLocation" = "%Program Files%\Rising\RAC"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"Title" = "RfEAivUKgd2ngZnBgYa/q5WN2g=="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\KeepDays]
"(Default)" = "60"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\mode]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\MaxScanDeep]
"(Default)" = "2"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances]
"DefaultInstance" = "sysmon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\conntest]
"(Default)" = "http://rscloud.rising.net.cn/cloud.html"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\Default\KeepDays]
"(Default)" = "60"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AutoTreatInfected]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PackageSizeLimit]
"ver" = "4"

[HKLM\System\CurrentControlSet\Services\SysMon]
"DebugLevel" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\MaxScanDeep]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\UseCloudEngine]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AutoTreatInfected]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PreciseFormat]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\port_list]
"(Default)" = "110=110|25=120"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\reg_path]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AutoTreatInfected]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Description" = "Rising System Monitor Driver"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\whitemask]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\state]
"(Default)" = "1"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"regtray" = "RfEAivUKO1gZNEgQwg=="

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\UseAI]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\RAC"

[HKLM\SOFTWARE\rising\RAV\cfg\WhiteList\TrustedFiles]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\protect_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\oswhite]
"(Default)" = "http://rscloud.rising.net.cn/navigate_oswhite.xml"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\BRScan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\navig]
"(Default)" = "http://rscloud.rising.net.cn/navigate.xml"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\mode]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\protect_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"vender" = "Rising"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\homepageguard\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\verdict_vir_found]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\InsufficientSpaceHandleMethod]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\notify_timeout]
"(Default)" = "131072"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\level]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\MaxScanDeep]
"ver" = "2"

[HKLM\System\CurrentControlSet\Services\SysMon]
"AppProtect" = "11c176b2, 920e004c, 70ffc5d4"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\JoinImprovementPlan]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\state]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\InsufficientSpaceHandleMethod]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rs_processes]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\SmartScan]
"ver" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"InstallPath" = "RfEAivUKbH0lCW4hCGAzD3tWFX8eNUAdLnElB2pI"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"URLInfoAbout" = "http://help.ikaka.com/"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\verdict_vir_found]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Features\UrlLogging]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\Default\ProtectConfig\Password]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\JoinImprovementPlan]
"(Default)" = "1"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monShowName" = "RfEAivUKG15XFGgwaX4SNF8WqQ=="

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\UseCloudDefence]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_filters]
"(Default)" = "2D 00 2D 00 74 00 79 00 70 00 65 00 3D 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\scan_timeout]
"(Default)" = "30000"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\file_ext_filter]
"(Default)" = "VBS;VBE;JS;JSE;LSP;FAS;ASP;HTT;HTA;CSS;WSH;MHT;JSP;PHP;HTM;HTML;RB;LUA;PY;EXE;COM;SYS;VXD;DRV;DLL;BIN;OVL;386;FON;DOC;DOT;XLS;XLT;PPT;BAT;SCT;OCX;CPL;LNK;EML;NWS;PIF;SHS;MAI;SCR;ZIP;7Z;ARJ;BZ2;BZIP2;CAB;GZ;GZIP;HFS;ISO;LHA;LZH;LZMA;RAR;TAR;"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"rstrayexe" = "RfEAivUKO0wUMlsSMAMSPkwV"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\UseCloudEngine]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\notify_timeout]
"(Default)" = "131072"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\func]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PackageSizeLimit]
"(Default)" = "0"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1427655461"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\InsufficientSpaceHandleMethod]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"

[HKLM\SOFTWARE\rising\RAV]
"Name" = "Rising AntiVirus 2012"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\Default\AutoEnterSilenceMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ScanResultCountPerPage]
"(Default)" = "268435455"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AutoTreatInfected]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\scriptmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BackgroundScan\State]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\EngDelay]
"(Default)" = "256"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\notify_timeout]
"(Default)" = "131072"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_filters]
"ver" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\autorun_disable_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\lockie]
"URL" = "aqceZAduQEZGXRpFB1pTQg4YQUFbQ0dES1wdVQ=="

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\UseAI]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\verdict_vir_found]
"(Default)" = "0"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"ravmonexe" = "RfEAivUKO14zI08WJ14SaEwLLCI="

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\rising\lockie]
"LockTab" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\state]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\port_list]
"(Default)" = "110=110|25=120"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\app_filters]
"(Default)" = "00 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\KeepDays]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\Default\CurrentWorkMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowAgent]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\verdict_vir_found]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\lockie]
"TabUrl" = "dru7gFQfAxgYQ1ZORAQNXEITAh8FXQtPCAJDXQkWHw0OHQQVBgCw"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BackgroundScan\State]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowScanAd]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\CurrentWorkMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowAgent]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\REGO]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\writelog]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\pro_path]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\lockie]
"Enable" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\BRScan]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Control Panel\Desktop]
"FontSmoothingType" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\SmartRelocate]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_filters]
"ver" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\UninstallProtect]
"ver" = "2"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"RAV" = "RfEAivUKG2w0kA=="

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\notify_timeout]
"(Default)" = "131072"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowLogonIcon]
"(Default)" = "0"

[HKLM\System\CurrentControlSet\Services\SysMon]
"SrpProtect" = "11c176b2, 920e004c, 70ffc5d4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 94 84 26 CA 4A 83 59 5E 17 0C 9D 5E E4 BA 13"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Features\UrlLogging]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\protect_registries]
"(Default)" = "00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\homepageguard\state]
"ver" = "2"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Tag" = "4"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising\MimeType\application/x-rs-extension]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BackgroundScan\State]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\sites]
"ver" = "16"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Flags" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\whitemask]
"(Default)" = "25"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AlertSound]
"(Default)" = "1"
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoBacore]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\LargeFileHandleMethod]
"(Default)" = "2"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1459277861"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\verdict_vir_found]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\ProtectConfig\Password]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\System\CurrentControlSet\Services\SysMon]
"DependOnService" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\DenferTime]
"(Default)" = "255"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\exploit_scan_state]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAC]
"Publisher" = "Beijing Rising Information Technology, Inc."

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\LargeFileHandleMethod]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\MaxScanDeep]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV]
"(Default)" = "Rising Software Deployment System"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\FileNameFilter]
"(Default)" = ".exe|.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\KillTroy\DelayCloud]
"(Default)" = "1280"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\Report]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\attach_scan_mode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\attach_scan_mode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\KillTroy\Radio]
"(Default)" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowLogonIcon]
"ver" = "2"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

The Trojan modifies IE security zone settings to map all sites that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings to map all local sites whose names contain no dots and are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\SysMon]
"Start" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Services]
"Rising"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\rsndisp.sys", the Trojan monitors process creation and termination by installing a process notifier.
Using the driver "%System%\DRIVERS\rsndisp.sys", the Trojan monitors thread creation and termination by installing a thread notifier.
Using the driver "%System%\DRIVERS\rsndisp.sys", the Trojan monitors the loading of executable images into memory by installing a load-image notifier.
Using the driver "%System%\DRIVERS\sysmon.sys", the Trojan monitors operations on the system registry by installing a registry notifier.
The Trojan installs the following kernel-mode hooks:

KeUserModeCallback
ZwAssignProcessToJobObject
ZwClose
ZwConnectPort
ZwCreateKey
ZwCreateMutant
ZwCreateProcess
ZwCreateProcessEx
ZwCreateSection
ZwCreateSymbolicLinkObject
ZwCreateThread
ZwDebugActiveProcess
ZwDuplicateObject
ZwFreeVirtualMemory
ZwLoadDriver
ZwLockVirtualMemory
ZwOpenKey
ZwOpenProcess
ZwOpenSection
ZwProtectVirtualMemory
ZwQueryDirectoryFile
ZwQuerySystemInformation
ZwQueueApcThread
ZwReadVirtualMemory
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSecureConnectPort
ZwSetContextThread
ZwSetInformationProcess
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetSystemTime
ZwSuspendProcess
ZwSuspendThread
ZwSystemDebugControl
ZwTerminateProcess
ZwTerminateThread
ZwUnmapViewOfSection
ZwWriteVirtualMemory

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 111192 114688 4.54695 2150734a36d6a37575a2034015d3a8ac
.rdata 118784 18766 20480 3.17899 232e80bac2ac7b5c41de4142eefd48e6
.data 139264 1070924 8192 1.81509 45f91ee1fd81c8b225f59f0f6445b928
.rsrc 1212416 816832 819200 4.6788 4a34119e6227a9a5ebf6ecdc9d38ef6f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://z.rising.com.cn/LogCenter.asp?info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24
hxxp://z.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24
hxxp://z.rising.com.cn/rs2012/RsPcVer12.xml
hxxp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24 1.122.192.19
hxxp://rsup10.rising.com.cn/rs2012/RsPcVer12.xml 1.122.192.19
hxxp://center.rising.com.cn/LogCenter.asp?info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24 1.122.192.19


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET DNS DNS Query for Suspicious .com.cn Domain

Traffic

GET /LogCenter.asp?info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive


HTTP/1.1 302 Object moved
Date: Sun, 29 Mar 2015 18:57:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: hXXp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24
Content-Length: 355
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCQTSTAQD=LJJHAKAAIBJOCENHLPFGMMIB; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24">here</a>.</body>

<<< skipped >>>

GET /Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 18:57:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 671

rsd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >
<head><title>.................</title></head>
<body>
 <form name="form1" method="post" action="ForLogDeve.aspx?Info=P/hwjGBdCUgffDMNBngIKA8tNkwKLUcocxAgBVRodx5Sd1RmBxRQd1VmcR1VcVJucR1VcVJucR1VcUcocBBWZxdtfx1AN1VjIRc6cVc8JkgDIABqJhtQdwI4dhVfd1hpdhxTJ1FqJksAc1NwJ1UDZxdrfx24" id="form1">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGS1OHnut2r0/QOp2Kl4ZsX11 Keuw==" />
</div>
 <div>

 </div>
 </form>
</body>
</html>

<<< skipped >>>

GET /rs2012/RsPcVer12.xml HTTP/1.1

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 663
Content-Type: text/xml
Last-Modified: Sun, 29 Mar 2015 00:10:46 GMT
Accept-Ranges: bytes
ETag: "d45f17ceb469d01:e49"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 29 Mar 2015 18:57:45 GMT

<?xml version="1.0" encoding="utf-8"?>
<RISING>
  <PRODUCT NAME="Rav" VERSION="24.00.25.85" REBOOTVER="24.00.00.00">
  </PRODUCT>
  <URLLIST>
    <ITEM KEY="Validate">hXXp://rsup10.rising.com.cn/Register/Validate/PageInfo/RavRequest2012.aspx</ITEM>
    <ITEM KEY="Download">hXXp://download.rising.net.cn/rs2012/pcver/</ITEM>
    <ITEM KEY="Finish"> hXXp://rsup10.rising.com.cn/Register/Validate/PageInfo/RequestFinished2012.aspx</ITEM>
    <ITEM KEY="Overtime"> hXXp://rsup10.rising.com.cn/Register/Validate/PageInfo/SnGetOverTime.aspx</ITEM>
    <ITEM KEY="Stat">hXXp://cloud.rising.com.cn/productstat/productStat.aspx</ITEM>
  </URLLIST>
</RISING>


The Trojan connects to the servers at the following location(s):

RsMgrSvc.exe_1780:

.text
`.rdata
@.data
.rsrc
CryptDecodeObject failed with %x
wintrust.dll
WTHelperGetProvCertFromChain
CryptCATCatalogInfoFromContext
crypt32.dll
CryptMsgGetParam
CryptSIPVerifyIndirectData failed with %x
1.3.6.1.4.1.311.2.1.4
CryptMsgGetParam(%d) failed with %x
CryptSIPRetrieveSubjectGuid failed with %x
CryptQueryObject failed with %x
\\.\PhysicalDrive%d
\\.\Scsi%d:
Iphlpapi.dll
Software\Microsoft\Windows\CurrentVersion
Advapi32.dll
\Rising\RSD\RsMgrSvc.exe"
SOFTWARE\Rising\%s
[d-d-d][d:d:d:d]
Explorer.exe
{X-X-X-XX-XXXXXX}
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
2.log
[u]
[0xX]
RAV.INI
WinSessionThread GetPidByName dwPID = %d , name=%s!
NtDll.dll
Kernel32.dll
WTSQueryUserToken Failed! Err Code: %d
wtsapi32.DLL
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
userinit.exe
CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x
psapi.dll
Fail to OpenProcessToken; 0x%x
Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.
Failed to SetTokenInformation(0):err=0x%x
Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.
Failed to DuplicateTokenEx:err=0x%x
Failed to SetTokenInformation:err=0x%x
SessionId = %d
Failed to LoadLibrary("Wtsapi32.dll"):err=0x
Failed to call WTSEnumerateSessions:err=0x%x
SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.
Wtsapi32.dll
Failed to CreateProcess:%s;err=0x%x
Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x
Failed to WTSEnumerateSessions:err=0x%x
Session\%d\RSD_POP_MESSAGE_INFO
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
Userenv.DLL
WinSessionThread CreateProcess begin dwSessionID = %d!
Failed to LoadLibrary("Userenv.DLL"):err=0x%x
Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.
Failed to call WTSQueryUserToken, err= 0x%x
Failed to open the shell ready event: 0x%x
"%s" /shellrun
%s\RsStub.exe
Session\%d\ShellReadyEvent
LogonRun - session : %d
Failed to call RegOpenKeyEx, err = 0x%x
Failed to call RegSaveKey, err = 0x%x
Failed to call AdjustTokenPrivileges, err = 0x%x
Failed to call OpenPrcessToken, err = 0x%x
%s\RsMgrSvc.dat
Failed to Create LogonRunThread Thread, err = 0x%x
SessionChange:EventType=%d; sessionID = %d
/subkey
Failed to Verify the "%s".
Failed to call vf.Init.
%s\rsbackup.exe
"%s\rsbackup.exe"
/subkey
%s\RsMgrSvc.ini
%s\updater.exe
"%s\updater.exe"
DeleteFile: %s.
ITEM%d
\RsMgrSvc.ini
DeletePath: %s.
Clean WillReboot In %s
%s\%s\%s.ini
1971-01-01 00:00:00
%d-%d-%d %d:%d:%d
%s\Data
%s /subkey %s /RsMgrSvc
"%s\Updater.exe" /silence
%s\Updater.exe
\Reboot.ini
CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x
CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x
comx3.dll
KERNEL32.DLL
kernel32.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegSaveKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CRYPT32.dll
RPCRT4.dll
GetProcessHeap
GetCPInfo
%Program Files%\Rising\RSD\RsMgrSvc.exe.log
%Program Files%\Rising\RSD\RsMgrSvc.exe
.Beijing Rising Information Technology Corporation Limited
1.0.0.38
RsMgrSvc.exe
571443342450000

popwndexe.exe_1016:

.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
rsdk.dll
<plugin clsid='{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}' name='CLID_CRsPopWndUI' start='1'/>
<plugin clsid='{EBC23555-424F-45c3-BECE-206819CB276B}' name='ClSID_CTrayWnd' start='999' /> </plugins></process></rscom>
BUF:<?xml version='1.0' ?><rscom> <components> <component path='rsdk.dll'> <clsid progid='RscomEnv.1'>{E59BC62D-64AB-439D-BAF3-B2D1BA15E441}</clsid> <clsid progid='ObjectLoader.1'>{4F496E7F-D8FD-4DED-967D-C4F53BFB9452}</clsid> <clsid progid='Rot.1'>{216DFF2F-B2F0-4CE0-BA5B-72E0B7BFAC28}</clsid> <clsid progid='MainRun.1'>{C8CA7580-8E65-49E6-A66A-B087C7EF523D}</clsid> <clsid progid='RsSrv.1'>{5D37C04C-8F58-4D47-94C8-B94153399473}</clsid> <clsid progid='Property.1'>{ED20E0E5-2357-4825-B3FA-198AEC674E81}</clsid> <clsid progid='PropertyThread.1'>{AD4F3A47-0CD6-43DE-BC22-E8BE24FFD424}</clsid> <clsid progid='Property2.1'>{2100E98D-B13E-4306-8081-50F325B10586}</clsid> <clsid progid='Property2Thread.1'>{0AEF80FB-9BAF-4E66-96B3-784ED0FCECF1}</clsid> <clsid>{E8D494C-D598-4E2F-B796-809E74315E76}</clsid> <clsid>{95EAB9C4-A7F4-46A8-A69F-54911364F2F0}</clsid> <clsid progid='TrayWnd'>{EBC23555-424F-45C3-BECE-206819CB276B}</clsid> <clsid progid='TraySrv'>{4FCE6281-8849-4FC6-A764-95C793EB8A48}</clsid> <clsid progid='TrayMenuBase'>{FCA0E62A-5DD4-46FB-AFB2-BDC74EA7DB36}</clsid> <clsid>{35FD921E-B758-46D8-B0AA-FCD033B0E66D}</clsid> <clsid progid='DfwWindow'>{201409F6-22F8-48D3-A69F-7935BDDE6BFA}</clsid> <clsid progid='DfwComponentMgr'>{787683B8-D58D-4072-BA04-46284CEA5AF8}</clsid> <clsid progid='DfwDrawIcon'>{224E5B34-E98F-4033-8B6F-46B758E7587E}</clsid> <clsid progid='DfwLocalExternal'>{23BD3E3A-72ED-4AE4-A5A9-41B466BA8D25}</clsid> <clsid progid='SafeSecurity'>{B769D42A-2392-42B6-8C10-DB99AE23F75A}</clsid> </component> <component path = 'localopt.dll'> <clsid progid='localopt'>{1DDF6C09-67B3-4b05-B3A4-43D7D92D067C}</clsid> </component> <component path = 'rsmginfo.dll'> <clsid progid='rsmginfo'>{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}</clsid> </component> </components></rscom>
{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s
%Program Files%\Rising\RSD\popwndexe.exe
1.0.0.7
tray.exe
814210592210000


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    RsMgrSvc.exe:1780
    rsDefense.exe:240
    rsDefense.exe:1108
    popwndexe.exe:1016
    %original file name%.exe:2008

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Rising\RAC\traywnd.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
    %Program Files%\Rising\RAC\desktop.ini (182 bytes)
    %Program Files%\Rising\RAC\Label.dat (388 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
    %Program Files%\Rising\RAC\XMLS\RSCOMM.xml (2 bytes)
    %Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
    %Program Files%\Rising\RAC\XMLS\RSDK.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (1405 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (59 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\RAC\rsuser.db1 (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (2500 bytes)
    %Program Files%\Rising\RSD\localopt.dll (1425 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (336 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
    %Program Files%\Rising\RAC\uprsuser.dat (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
    %Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
    %Program Files%\Rising\RSD\Setup.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4877 bytes)
    %Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
    %Program Files%\Rising\RAC\Rising.ico (3 bytes)
    %System%\drivers\rsndisp.sys (10 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (58 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Program Files%\Rising\RAC\Proccom.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
    %Program Files%\RsTest.ini (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (1970 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
    %Program Files%\Rising\RAC\rsxml3a.dll (673 bytes)
    %Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (3 bytes)
    %Program Files%\Rising\RAC\cnt08.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
    %Program Files%\Rising\RAC\cnt09.dll (1281 bytes)
    %Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (2032 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (4619 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (3 bytes)
    %Program Files%\Rising\RAC\rscommx2.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
    %Program Files%\Rising\RAC\msvcp90.dll (3361 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\RAC\ravcfg.xml (601 bytes)
    %Program Files%\Rising\RAC\RsSmall.bmp (576 bytes)
    %Program Files%\Rising\RAC\moncom08.dll (601 bytes)
    %Program Files%\Rising\RAC\mergexml.dll (601 bytes)
    %Program Files%\Rising\RAC\NetConfig.ini (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (758 bytes)
    %Program Files%\Rising\RAC\defmon.dll (3361 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (676 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (969 bytes)
    C:\rising.ini (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
    %Program Files%\Rising\RAC\rspalvd.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
    %Program Files%\Rising\RAC\rsutils_if.dll (58 bytes)
    %Program Files%\Rising\RAC\mondef.dll (3361 bytes)
    %Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
    %Program Files%\Rising\RAC\rscom.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
    %Program Files%\Rising\RSD\comx3.dll (673 bytes)
    %Program Files%\Rising\RAC\XMLS\RAVLOG.xml (545 bytes)
    %Program Files%\Rising\RAC\XMLS\RAVXP.xml (404 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
    %Program Files%\Rising\RAC\rssrv.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (2622 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe.log (267841 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (434 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\RAC\rsmon.db1 (37 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (1 bytes)
    %Program Files%\Rising\RAC\Microsoft.VC90.CRT.manifest (496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (16409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (4542 bytes)
    %Program Files%\Rising\RAC\LogAc.bmp (24 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
    %Program Files%\Rising\RAC\RsTray.ico (601 bytes)
    %Program Files%\Rising\RAC\rsmain.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (3768 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
    %Program Files%\Rising\RAC\12345678.000 (24 bytes)
    %Program Files%\Rising\RAC\bawhite.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (915 bytes)
    %Program Files%\Rising\RSD\setup.dat (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (1580 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
    %Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1247 bytes)
    %Program Files%\Rising\RAC\XMLS\_RAV.xml (368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
    %Program Files%\Rising\RAC\ravxp.exe (601 bytes)
    %Program Files%\Rising\RAC\bacore.dll (2321 bytes)
    %Program Files%\Rising\RAC\XMLS\RSMONDEF.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
    %System%\drivers\sysmon.sys (673 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
