Oh My


Hi,

Thanks in advance. This is from my first computer I'm running the tools on. I have four others that seem to have the same infection, all on same lan.

DDS.TXT (windows XP/sp3)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Micheal Aubuchon at 18:29:54.45 on Wed 03/23/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1067 [GMT -5:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Micheal Aubuchon\Local Settings\Temporary Internet Files\Content.IE5\4IB1U990\Defogger[1].exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Micheal Aubuchon\Local Settings\Temporary Internet Files\Content.IE5\3JYBVMP9\dds[1].scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll

TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1294193331187

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-4 165584]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-4 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-4 40384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-4 136176]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-4 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-4 40384]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-12 14336]

.

=============== Created Last 30 ================

.

2011-03-17 20:46:15 -------- d-----w- c:\windows\system32\DIFxAPI.dll

2011-03-11 05:14:18 821824 ----a-w- c:\windows\system32\dgderapi.dll

2011-03-11 05:14:18 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys

2011-03-08 16:49:14 1416680 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01005.dll

2011-03-08 16:49:14 10344 ----a-w- c:\windows\system32\drivers\ssadcm.sys

2011-03-08 16:49:13 10216 ----a-w- c:\windows\system32\drivers\ssadwh.sys

2011-03-08 16:49:12 12616 ----a-w- c:\windows\system32\drivers\sscdcm.sys

2011-03-08 16:49:11 12488 ----a-w- c:\windows\system32\drivers\sscdwh.sys

2011-03-08 16:49:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Samsung

2011-03-08 16:48:45 -------- d-----w- c:\program files\Samsung

2011-03-08 16:47:44 -------- d-----w- c:\program files\Windows Media Connect 2

2011-03-08 16:39:57 770912 ----a-w- c:\windows\system32\Msfdbqp.dll

2011-03-08 16:39:57 511328 ----a-w- c:\windows\system32\Synchronization2.dll

2011-03-08 16:39:57 4659712 ----a-w- c:\windows\system32\Redemption.dll

2011-03-08 16:39:57 397152 ----a-w- c:\windows\system32\Msfdbse.dll

2011-03-08 16:39:57 253280 ----a-w- c:\windows\system32\MetaStore2.dll

2011-03-08 16:39:57 230240 ----a-w- c:\windows\system32\Msfdb.dll

2011-03-08 16:39:57 189792 ----a-w- c:\windows\system32\SimpleProviders2.dll

2011-03-08 16:39:57 171360 ----a-w- c:\windows\system32\FileSyncProvider2.dll

2011-03-08 16:39:57 156512 ----a-w- c:\windows\system32\FeedSync2.dll

2011-03-08 16:34:12 -------- d-----w- c:\windows\pss

2011-02-28 01:33:59 -------- d-----w- c:\docume~1\michea~1\locals~1\applic~1\PCHealth

2011-02-26 21:03:29 49152 ----a-w- c:\windows\system32\ChCfg.exe

2011-02-26 21:02:50 -------- d-----w- c:\program files\Realtek AC97

2011-02-26 20:54:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Boost

2011-02-26 20:50:04 -------- d-----w- c:\program files\Microsoft

2011-02-26 20:49:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 18:30:22.21 ===============

Ok that was the first log, Malwarebytes is running now. Thanks again in advance!

art.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes,

Likely that your router has been hijacked.

1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select
    Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".

  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

Let me know if the issue persists.

Link to post
Share on other sites

Hi,

Thanks for your quick reply and help. I can't do those steps now, running out the door. But looking at my router's security log, is just a ton of attacks on all different ports. I WHOISed a few of them and seems as if they are all Chinese in origin, and people are already complaining.

Was running Active Ports last night and was able to look up a few of the IP's and follow them back. One was a Facebook group with lists of IP's. Looked as if the language was in Czech/Russian. The computer we use for sensitive info stuff has been off the LAN since I noticed the problem.

Not sure what all I'm allowed to post, I know not to post scans. I have some screen shots from my Linux(ubuntu 10.04) that shows I am part of a domain, with a S-1-2-3 style SID and restricted to a limited account. Seems to be very deep, couldn't wipe my drives.

I'll be on right after work, and do the steps you suggested. Any tip on how not to be redirected in browser every time I try to visit a page? Tried about:config in Mozilla to turn off redirects, no help, and the settings in there are way off from normal.

Thanks again for everything.

Link to post
Share on other sites

Ok here is my new Malwarebytes log and I ran check disk and IPconfig. Now I am going to reset the router and do the DNS flush as you instructed. Thanks again....

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6160

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/24/2011 5:43:53 PM

mbam-log-2011-03-24 (17-43-53).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)

Objects scanned: 172240

Time elapsed: 24 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

(END)

Here is what I see on IPconfig \all (Before Router Reset)

C:\Documents and Settings\Micheal Aubuchon>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : computer-room

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : MSHome

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : MSHome

Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-0C-** (I Edited)

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.6

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

192.168.2.1

Lease Obtained. . . . . . . . . . : Thursday, March 24, 2011 5:12:53 PM

Lease Expires . . . . . . . . . . : Saturday, March 21, 2020 5:12:53 PM

All that seems normal. Not used to seeing the Autoconfig there, but I don't wander into CMD on Windows much.

Here is CHKDSK from usual user. Can't get to the root of the drive at C:\.

C:\Documents and Settings\Micheal Aubuchon>chkdsk

The type of the file system is NTFS.

WARNING! F parameter not specified.

Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...

File verification completed.

CHKDSK is verifying indexes (stage 2 of 3)...

Index verification completed.

CHKDSK is recovering lost files.

CHKDSK is verifying security descriptors (stage 3 of 3)...

Security descriptor verification completed.

CHKDSK is verifying Usn Journal...

Usn Journal verification completed.

CHKDSK discovered free space marked as allocated in the

master file table (MFT) bitmap.

CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows found problems with the file system.

Run CHKDSK with the /F (fix) option to correct these.

187585775 KB total disk space.

13755572 KB in 34936 files.

9696 KB in 2863 indexes.

0 KB in bad sectors.

313323 KB in use by the system.

65536 KB occupied by the log file.

173507184 KB available on disk.

4096 bytes in each allocation unit.

46896443 total allocation units on disk.

43376796 allocation units available on disk.

(END)

Thanks again for any help from the Malwarebytes team of Mods and all others who contribute. Program has saved me many times.

Link to post
Share on other sites
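
A client-side check for step 3 of the reset procedure and the `ipconfig /all` output posted above, as an added example that is not part of the original thread: it parses saved `ipconfig /all` text and flags adapters with static settings or DNS servers other than the router. The sample text, the second adapter and its addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the first adapter mirrors the values posted in the thread;
# the second adapter is hypothetical and uses documentation addresses.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : computer-room

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : MSHome
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.6
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.2.1
                                            192.168.2.1
        Lease Obtained. . . . . . . . . . : Thursday, March 24, 2011 5:12:53 PM

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.7
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            198.51.100.53
"""

# "Key . . . . : value" lines; the key ends where the dot/space filler begins.
KV = re.compile(r"^([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return one dict per adapter; tolerates lost indentation and blank lines."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Continuation line: a bare address under "DNS Servers".
        if current is not None and last_key == "dns servers" and _is_ip(line):
            current["dns"].append(line)
            continue
        if " adapter " in line and line.endswith(":"):
            current = {"name": line[:-1], "dhcp": None, "gateway": None,
                       "dhcp_server": None, "dns": []}
            adapters.append(current)
            last_key = None
            continue
        match = KV.match(line)
        if current is None or not match:
            continue
        last_key, value = match.group(1).lower(), match.group(2).strip()
        if last_key == "dhcp enabled":
            current["dhcp"] = value.lower() == "yes"
        elif last_key == "default gateway":
            current["gateway"] = value or None
        elif last_key == "dhcp server":
            current["dhcp_server"] = value or None
        elif last_key == "dns servers" and _is_ip(value):
            current["dns"].append(value)
    return adapters


def review_adapter(adapter):
    """List settings that differ from 'obtain IP and DNS automatically from the router'."""
    findings = []
    if adapter["dhcp"] is False:
        findings.append("DHCP disabled: IP/DNS settings are static")
    router = {adapter["gateway"], adapter["dhcp_server"]} - {None}
    for dns in dict.fromkeys(adapter["dns"]):  # de-duplicate, keep order
        if dns in router:
            continue  # client simply forwards queries to the router
        addr = ipaddress.ip_address(dns)
        if any(addr in net for net in RFC1918):
            findings.append(f"DNS {dns} is a LAN host that is not the router")
        else:
            findings.append(f"DNS {dns} is external: confirm it is your ISP's "
                            "or a resolver you chose")
    return findings


if __name__ == "__main__":
    for adapter in parse_ipconfig(SAMPLE):
        print(adapter["name"])
        for finding in review_adapter(adapter) or ["no client-side findings"]:
            print("  -", finding)
```

An adapter with no findings only shows that the PC asks the router for DNS; the resolver addresses stored in the router itself still have to be checked in its admin page after the reset.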


Ok here is my new Malwarebytes log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6160

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

3/24/2011 8:32:58 PM

mbam-log-2011-03-24 (20-32-58).txt

Scan type: Quick scan

Objects scanned: 142447

Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

END

I reset everything on just one computer. I then ran CCleaner after Malwarebytes. It found over 250 reg problems. I can post contents of the txt file it produced. Also I was alerted about updates for Windows, looks like the same programs as before.

Avast seems to be back to normal. Looking at scan history, it hadn't scanned any files in over a week but had before. The version is new and links to Avast web site instead of a dead link.

What is the link I am supposed to be viewing if on this page??? Using Web Tools, there is a ton of java going on.....

I know I need IE8 which is one, but could be reinstalling problem, also a Jscript 5.7 update. There are 4 in total it has ready. Don't want to install till I hear back. Thanks again.

Link to post
Share on other sites

Think your router fix worked. My linux computer has the user's whole profile saved. With logs and set up scripts and all. I captured on xp computer as well. The two computers that are online are still indefected. If you have a suggestion of files to look at let me know. Seems that all my computers were running shells inside a remote server. The narrator was sending tty mail messages to the remote host. Vista computer seems untouched. Two xp and one seven, and a linux were affected. Story for format, using phone. Have tons of the files and logs though, sure how to completely remove theat.

Thanks again, really thankful.

Link to post
Share on other sites

  • Root Admin

Hello KingAbu,

Chris has asked me to step in and assist you.

Please correct me if I'm wrong but it seems like you're running Windows clients on a virtual host on Linux. Now you think that even the Linux box has been attacked or possibly rooted?

Please provide more details on the relationship of the computers to each other, or are all of these stand alone computers all connected on the same LAN.

Link to post
Share on other sites

Hi and thanks for your time.

My setup is just a regular home network. I have two xp computers, a vista 64 bit, windows seven machine, and linux 10.04 machine.

I am new to linux and was not running virtual machines.

Was getting errors when validating html and css using firefox webtools, on my xp machine. Noticed that my links were being redirected so tried to reinstall firefox. Couldn't. Was getting ping beeps when I turned them on.

Went to router page and seen hundreds of attacks in security log. When trying to dig a little deeper, I couldn't run net diagnostic in msconfig, noticed in services that I wasn't running anything except some server client ones.

Used a program active ports, seen a few dozen connections, all from international areas. When trying to log on as admin on my xp computer, noticed that I was not able to get on any account except a default one it.

After doing as Sceen suggested, xp computer wouldn't boot, was locked to domain. Linux machine started in root, under unknown account, with tons of server files, and other stuff I had never seen. Grading through logs, pretty apparent, that it was being controlled by a remote user. Took out the drive on the xp, and noticed similar stuff. All kinds of scripts to redirect users, programs, and web pages.

After testing router, was able to see all the directories that had been created, there is a massive amount of stuff.

Avast caught a few things but crashed when trying to move to chest. C cleaner removed hundreds of sever registry keys. That is as far as I got.

Thanks again.

Link to post
Share on other sites

  • Root Admin

Okay well first off you need to separate all of the computers from each other. They cannot be on the same network at the same time.

Let's then start with one computer and get it cleaned up and functional again and then move on to the next one.

So let's continue on with the XP computer you were working with Chris on. Shut down, or remove the network cable from the other computers so they cannot talk on the network anymore.

Do you have a connection and clean computer that is capable of downloading an ISO image and burning a CD ?

Link to post
Share on other sites

  • Root Admin

Please restore the router to FACTORY defaults, often just a small pin hole in the back of the router you hold in for a few seconds or if you know how you can typically also do it through a browser.

Then please go here and download the kav_rescue_10.iso image file to your system.

If you need a FREE utility to properly burn the ISO image, you can use this one.

ImgBurn

How to write an image file to a disc with ImgBurn

Then once the CD has been created put it into the first infected computer and boot from the CD to run the Kaspersky Rescue Disk.

Make sure all other computers are disconnected from the network but go ahead and allow this one to be connected and the KAV disk will try to setup a network connection and download the latest updates.

Then go through the menus and basically allow it to scan and repair the infected computer.

Once the KAV routine has finished please start the XP computer up normally and ensure your normal Anti-Virus is up and running and then connect to the network and try to run MBAM and check for updates and then run a Quick Scan with it and post back the logs.

Also let me know how it's running now and if there are any other signs of an infection with that computer.

DO NOT connect or share any USB devices between any of these computers either. Make sure they all stay isolated from each other until we're done.

Link to post
Share on other sites

Ok, sounds good. Possible that out could also have infected my phone? It's a samsung galaxy captivate. Usually charge it in office off my computer. Just got the thing so not really familiar with it. I know currently its usb settings are set at mass storage. I can't view running services like before, or find songs I had stored on it. I'm familiar enough to know where those should be, not so much with the android os. Runs 2.2.

Thanks again.

Link to post
Share on other sites

  • Root Admin

Please see the following article for more information on the KAV Rescue CD

If you cannot get it to run then please run the following.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Link to post
Share on other sites

Hey Advanced reply, sorry for late response, was starting to doubt my own sanity there for a while with this one lol. Well I am downloading all the software you asked me to run before. I have the Kav Recovery CD burnt but it won't run on any of the computers, did once, then it appeared as if Linux ran on it, and my keyboard/mouse were shut off. Was able to install BartPe with tools on one of the XP's. Here is a little info from its HTML export of current system status.

SYSTEM:

Name Windows XP (Professional) Service Pack 2

BartPE

Uniprocessor Free

Kernel Version 5.1.2600.2180

Security 128 bits

Serial Number **

Product Name Microsoft Windows XP

Build Lab 2600.xpsp_sp2_rtm.040803-2

Owner Administrator

Organization

Machine GUID 21d821c7-438c-41a0-a5e5-99247

Workgroup workgroup

Computer Name MININT-JVC

Language English (United States)

Boot Time 04/02/2011 16:53:17.500

Running Time 35 minutes 36 seconds

Screen Saver Direct3D Flying Objects Screen Saver


Going to run Malwarebytes only and post the log. Not concerned about cleaning this computer. I need a solution to be able to clean all 5 computers, seems even secondary drives contaminate clean installs on offline computers. Available all night, only day I can get everyone off the lan at the same time...

Thanks so much for your time...

Link to post
Share on other sites

  • Root Admin

Well I'm not sure what you're doing or what's going on but there really should be no way possible for a slaved drive to infect the current system unless you launch or otherwise run one of the infected files. It might be or have gotten infected by being connected on the same network which does happen. But a fully UP TO DATE system with ALL Microsoft critical updates and live up to date Anti-Virus like Symantec 2011 or Kaspersky or NOD32 4 should not be able to get infected very easily especially like I say as a slaved drive.

Please disconnect any infected system from the network and isolate until all systems are clean.

From a CLEAN computer download and burn to a CD the following tool and run it on the affected computer and report back what it finds please.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.


Thanks again. Well, my attempts to get the new version of Malwarebytes got my one computer infected again. Out was the only one on network. I have attempted reinstall on two machines, both fail, even with fresh hard drive. With an OEM Vista, XP or 7 disk, I get the same error: cpu error checking disabled, and to check that my BIOS cache and shadowing are disabled.

I'm getting that program you just told me to, and mbam. Will update as soon as I run them.


  • Root Admin

Checking back to see how things are going now.

Perhaps you should download and burn to CD the programs or tools from a work or friend's computer and then use the CD at home. Keep all systems off of the network until they're doing better.

Also maybe download a full trial version of Kaspersky or Symantec AV to burn to disk as well for help in cleaning.


Hi and thanks for the help. I have a vista and xp running off clean installs. Going to run DrWeb in the morning, both quick and scan. Both have a "LL" type drives labeled as C: Windows is under D:

This computer is on the net, and this is all I get searching for the log.

It's under applicationhost.csv

Will provide more tomorrow. Avast is always just shutting down, and or running clean on quick.

Thanks for bearing with me. I noticed Linux on every machine. I can get to it from forcing in CMD, but I don't change settings.

Thanks again. If you could point me to the log, I have tried the path you provided during setup.


=============================================================================

=============================================================================

=============================================================================

Dr.Web Scanner for Windows v6.00.8 (6.00.8.03140)

© Doctor Web, Ltd., 1992-2011

Log generated on: 2011-04-06, 21:14:10 [FIRSTCASH-PC][first cash]

Command line: "C:\Users\first cash\AppData\Local\Temp\A9B364F2-627CD846-2F2EC0B4-24F8088\25204_xp.exe" /lng /ini:setup_xp.ini /fast

Operating system: Windows Vista Business x86 (Build 6001), Service Pack 1

=============================================================================

DwShield started

Engine version: 5.00 (5.00.2.03300)

Engine API version: 2.02

Total virus records: 1962813

[self-checking] C:\Users\first cash\AppData\Local\Temp\A9B364F2-627CD846-2F2EC0B4-24F8088\25204_xp.exe

Key file: C:\Users\first cash\AppData\Local\Temp\A9B364F2-627CD846-2F2EC0B4-24F8088\setup.key

License key number: 0013622856

Registered to: An unauthorized User

License key activates on: 2011-03-10

License key expires on: 2012-03-11

Process in memory: System:4 - OK

Process in memory: C:\Windows\System32\svchost.exe:124 - OK

Process in memory: C:\Windows\System32\SearchIndexer.exe:304 - OK

Process in memory: C:\Windows\System32\smss.exe:396 - OK

Process in memory: C:\Windows\System32\csrss.exe:512 - OK

Process in memory: C:\Windows\System32\wininit.exe:572 - OK

Process in memory: C:\Windows\System32\csrss.exe:584 - OK

Process in memory: C:\Windows\System32\services.exe:616 - OK

Process in memory: C:\Windows\System32\lsass.exe:628 - OK

Process in memory: C:\Windows\System32\lsm.exe:636 - OK

Process in memory: C:\Windows\System32\svchost.exe:796 - OK

Process in memory: C:\Windows\System32\nvvsvc.exe:840 - OK

Process in memory: C:\Windows\System32\svchost.exe:868 - OK

Process in memory: C:\Windows\System32\svchost.exe:904 - OK

Process in memory: C:\Windows\System32\svchost.exe:952 - OK

Process in memory: C:\Windows\System32\svchost.exe:980 - OK

Process in memory: C:\Windows\System32\svchost.exe:1000 - OK

Process in memory: C:\Windows\System32\winlogon.exe:1060 - OK

Process in memory: C:\Windows\System32\audiodg.exe:1100 - OK

Process in memory: C:\Windows\System32\SLsvc.exe:1176 - OK

Process in memory: C:\Windows\System32\svchost.exe:1224 - OK

Process in memory: C:\Windows\System32\nvvsvc.exe:1396 - OK

Process in memory: C:\Windows\System32\svchost.exe:1412 - OK

Process in memory: C:\Windows\System32\spoolsv.exe:1676 - OK

Process in memory: C:\Windows\System32\svchost.exe:1716 - OK

Process in memory: C:\Windows\System32\svchost.exe:1928 - OK

Process in memory: C:\Windows\System32\svchost.exe:2020 - OK

Process in memory: C:\Windows\System32\dwm.exe:2156 - OK

Process in memory: C:\Windows\explorer.exe:2184 - OK

Process in memory: C:\Windows\System32\taskeng.exe:2276 - OK

Process in memory: C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe:2504 - OK

Process in memory: C:\Windows\System32\taskeng.exe:2512 - OK

Process in memory: C:\Windows\System32\rundll32.exe:2620 - OK

Process in memory: C:\Program Files\Windows Sidebar\sidebar.exe:2676 - OK

Process in memory: C:\Program Files\Windows Media Player\wmpnscfg.exe:2688 - OK

Process in memory: C:\Windows\System32\taskeng.exe:2880 - OK

Process in memory: C:\Program Files\Windows Media Player\wmpnetwk.exe:3140 - OK

Process in memory: C:\Windows\System32\wbem\WmiPrvSE.exe:3256 - OK

Process in memory: C:\Users\first cash\Desktop\drweb-cureit.exe:3460 - OK

Process in memory: C:\Users\first cash\AppData\Local\Temp\A9B364F2-627CD846-2F2EC0B4-24F8088\718691.exe:3740 - OK

Process in memory: C:\Windows\System32\ctfmon.exe:3784 - OK

Process in memory: C:\Users\first cash\AppData\Local\Temp\A9B364F2-627CD846-2F2EC0B4-24F8088\25204_xp.exe:3836 - OK

Process in memory: C:\Windows\System32\wuauclt.exe:4080 - OK

[Memory scanning] No viruses found

Master Boot Record HDD1 - OK

Active OS/2 or WinNT Boot Sector HDD1 - OK

[scan path] C:\Windows\system32

C:\Windows\system32\12520437.cpx - OK


C:\Windows\system32\KBDBLR.DLL - OK

C:\Windows\system32\KBDBR.DLL - OK

C:\Windows\system32\KBDBU.DLL - OK

C:\Windows\system32\KBDBULG.DLL - OK

C:\Windows\system32\KBDCA.DLL - OK

C:\Windows\system32\KBDCAN.DLL - OK

C:\Windows\system32\KBDCR.DLL - OK

C:\Windows\system32\KBDCZ.DLL - OK

C:\Windows\system32\KBDCZ1.DLL - OK

C:\Windows\system32\KBDCZ2.DLL - OK

C:\Windows\system32\KBDDA.DLL - OK

C:\Windows\system32\KBDDIV1.DLL - OK

C:\Windows\system32\KBDDIV2.DLL - OK

C:\Windows\system32\KBDDV.DLL - OK

C:\Windows\system32\KBDES.DLL - OK

C:\Windows\system32\KBDEST.DLL - OK

C:\Windows\system32\KBDFA.DLL - OK

C:\Windows\system32\KBDFC.DLL - OK

C:\Windows\system32\KBDFI.DLL - OK

C:\Windows\system32\KBDFI1.DLL - OK

C:\Windows\system32\KBDFO.DLL - OK

C:\Windows\system32\KBDFR.DLL - OK

C:\Windows\system32\KBDGAE.DLL - OK

C:\Windows\system32\KBDGEO.DLL - OK

C:\Windows\system32\kbdgeoer.dll - OK

C:\Windows\system32\kbdgeoqw.dll - OK

C:\Windows\system32\KBDGKL.DLL - OK

C:\Windows\system32\KBDGR.DLL - OK

C:\Windows\system32\KBDGR1.DLL - OK

C:\Windows\system32\KBDGRLND.DLL - OK

C:\Windows\system32\KBDHE.DLL - OK

C:\Windows\system32\KBDHE220.DLL - OK

C:\Windows\system32\KBDHE319.DLL - OK

C:\Windows\system32\KBDHEB.DLL - OK

C:\Windows\system32\KBDHELA2.DLL - OK

C:\Windows\system32\KBDHELA3.DLL - OK

C:\Windows\system32\KBDHEPT.DLL - OK

C:\Windows\system32\KBDHU.DLL - OK

C:\Windows\system32\KBDHU1.DLL - OK

C:\Windows\system32\kbdibm02.dll - OK

C:\Windows\system32\KBDIC.DLL - OK

C:\Windows\system32\KBDINASA.DLL - OK

C:\Windows\system32\KBDINBE1.DLL - OK

C:\Windows\system32\KBDINBE2.DLL - OK

C:\Windows\system32\KBDINBEN.DLL - OK

C:\Windows\system32\KBDINDEV.DLL - OK

C:\Windows\system32\KBDINGUJ.DLL - OK

C:\Windows\system32\KBDINHIN.DLL - OK

C:\Windows\system32\KBDINKAN.DLL - OK

C:\Windows\system32\KBDINMAL.DLL - OK

C:\Windows\system32\KBDINMAR.DLL - OK

C:\Windows\system32\KBDINORI.DLL - OK

C:\Windows\system32\KBDINPUN.DLL - OK

C:\Windows\system32\KBDINTAM.DLL - OK

C:\Windows\system32\KBDINTEL.DLL - OK

C:\Windows\system32\KBDINUK2.DLL - OK

C:\Windows\system32\KBDIR.DLL - OK

C:\Windows\system32\KBDIT.DLL - OK

C:\Windows\system32\KBDIT142.DLL - OK

C:\Windows\system32\KBDIULAT.DLL - OK

C:\Windows\system32\KBDJPN.DLL - OK

C:\Windows\system32\KBDKAZ.DLL - OK

C:\Windows\system32\KBDKHMR.DLL - OK

C:\Windows\system32\KBDKOR.DLL - OK

C:\Windows\system32\KBDKYR.DLL - OK

C:\Windows\system32\KBDLA.DLL - OK

C:\Windows\system32\KBDLAO.DLL - OK

C:\Windows\system32\kbdlk41a.dll - OK

C:\Windows\system32\KBDLT.DLL - OK

C:\Windows\system32\KBDLT1.DLL - OK

C:\Windows\system32\KBDLT2.DLL - OK

C:\Windows\system32\KBDLV.DLL - OK

C:\Windows\system32\KBDLV1.DLL - OK

C:\Windows\system32\KBDMAC.DLL - OK

C:\Windows\system32\KBDMACST.DLL - OK

C:\Windows\system32\KBDMAORI.DLL - OK

C:\Windows\system32\KBDMLT47.DLL - OK

C:\Windows\system32\KBDMLT48.DLL - OK

C:\Windows\system32\KBDMON.DLL - OK

C:\Windows\system32\KBDMONMO.DLL - OK

C:\Windows\system32\KBDNE.DLL - OK

C:\Windows\system32\kbdnec.dll - OK

C:\Windows\system32\kbdnec95.dll - OK

C:\Windows\system32\kbdnecat.dll - OK

C:\Windows\system32\kbdnecnt.dll - OK

C:\Windows\system32\KBDNEPR.DLL - OK

C:\Windows\system32\KBDNO.DLL - OK

C:\Windows\system32\KBDNO1.DLL - OK

C:\Windows\system32\KBDPASH.DLL - OK

C:\Windows\system32\KBDPL.DLL - OK

C:\Windows\system32\KBDPL1.DLL - OK

C:\Windows\system32\KBDPO.DLL - OK

C:\Windows\system32\KBDRO.DLL - OK

C:\Windows\system32\KBDROPR.DLL - OK

C:\Windows\system32\KBDROST.DLL - OK

C:\Windows\system32\KBDRU.DLL - OK

C:\Windows\system32\KBDRU1.DLL - OK

C:\Windows\system32\KBDSF.DLL - OK

C:\Windows\system32\KBDSG.DLL - OK

C:\Windows\system32\KBDSL.DLL - OK

C:\Windows\system32\KBDSL1.DLL - OK

C:\Windows\system32\KBDSMSFI.DLL - OK

C:\Windows\system32\KBDSMSNO.DLL - OK

C:\Windows\system32\KBDSN1.DLL - OK

C:\Windows\system32\KBDSOREX.DLL - OK

C:\Windows\system32\KBDSORST.DLL - OK

C:\Windows\system32\KBDSP.DLL - OK

C:\Windows\system32\KBDSW.DLL - OK

C:\Windows\system32\KBDSW09.DLL - OK

C:\Windows\system32\KBDSYR1.DLL - OK

C:\Windows\system32\KBDSYR2.DLL - OK

C:\Windows\system32\KBDTAJIK.DLL - OK

C:\Windows\system32\KBDTAT.DLL - OK

C:\Windows\system32\KBDTH0.DLL - OK

C:\Windows\system32\KBDTH1.DLL - OK

C:\Windows\system32\KBDTH2.DLL - OK

C:\Windows\system32\KBDTH3.DLL - OK

C:\Windows\system32\KBDTIPRC.DLL - OK

C:\Windows\system32\KBDTUF.DLL - OK

C:\Windows\system32\KBDTUQ.DLL - OK

C:\Windows\system32\KBDTURME.DLL - OK

C:\Windows\system32\KBDUGHR.DLL - OK

C:\Windows\system32\KBDUK.DLL - OK

C:\Windows\system32\KBDUKX.DLL - OK

C:\Windows\system32\KBDUR.DLL - OK

C:\Windows\system32\KBDUR1.DLL - OK

C:\Windows\system32\KBDURDU.DLL - OK

C:\Windows\system32\KBDUS.DLL - OK

C:\Windows\system32\KBDUSA.DLL - OK

C:\Windows\system32\KBDUSL.DLL - OK

C:\Windows\system32\KBDUSR.DLL - OK

C:\Windows\system32\KBDUSX.DLL - OK

C:\Windows\system32\KBDUZB.DLL - OK

C:\Windows\system32\KBDVNTC.DLL - OK

C:\Windows\system32\KBDYAK.DLL - OK

C:\Windows\system32\KBDYCC.DLL - OK

C:\Windows\system32\KBDYCL.DLL - OK

C:\Windows\system32\kd1394.dll - OK

C:\Windows\system32\kdcom.dll - OK

C:\Windows\system32\kdusb.dll - OK

C:\Windows\system32\kerberos.dll - OK

C:\Windows\system32\kernel32.dll - OK

C:\Windows\system32\KEY01.SYS - OK

C:\Windows\system32\keyboard.drv - OK

C:\Windows\system32\KEYBOARD.SYS - OK

C:\Windows\system32\keyiso.dll - OK

C:\Windows\system32\keymgr.dll - OK

C:\Windows\system32\kmddsp.tsp - OK

C:\Windows\system32\KMSVC.DLL - OK

C:\Windows\system32\korean.uce - OK

C:\Windows\system32\korwbrkr.dll - OK

C:\Windows\system32\korwbrkr.lex - OK

C:\Windows\system32\krnl386.exe - OK

C:\Windows\system32\ksproxy.ax - OK

C:\Windows\system32\kstvtune.ax - OK

C:\Windows\system32\ksuser.dll - OK

C:\Windows\system32\Kswdmcap.ax - OK

C:\Windows\system32\ksxbar.ax - OK

C:\Windows\system32\ktmutil.exe - OK

C:\Windows\system32\ktmw32.dll - OK

C:\Windows\system32\l2gpstore.dll - OK

C:\Windows\system32\l2nacp.dll - OK

C:\Windows\system32\L2SecHC.dll - OK

C:\Windows\system32\l3codeca.acm - OK

C:\Windows\system32\l3codecp.acm - OK

C:\Windows\system32\label.exe - OK

C:\Windows\system32\LangCleanupSysprepAction.dll packed by PESTUB

>C:\Windows\system32\LangCleanupSysprepAction.dll - OK

C:\Windows\system32\lanman.drv - OK

C:\Windows\system32\LAPRXY.DLL - OK

C:\Windows\system32\lcphrase.tbl - OK

C:\Windows\system32\lcptr.tbl - OK

C:\Windows\system32\license.rtf - OK

C:\Windows\system32\licmgr10.dll - OK

C:\Windows\system32\linkinfo.dll - OK

C:\Windows\system32\lltdapi.dll - OK

C:\Windows\system32\lltdres.dll - OK

C:\Windows\system32\lltdsvc.dll - OK

C
