Malware Removal Information


Delf


Trojan-Downloader.Win32.Delf.pa (Trojan.Stwoyle)

Characteristics:

In a HijackThis log you see:
O2 - BHO: C:\WINDOWS\q842468_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q842468_disk.dll
O2 - BHO: C:\WINDOWS\system32\winstyle2.dll - {6AC3806F-8B39-4746-9C38-6B01CB7331FF} - C:\WINDOWS\system32\winstyle2.dll
O2 - BHO: (no name) - {8D82BB89-B58C-4F21-9C5D-377F65947806} - C:\WINDOWS\slassac.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\prflbmsgp32.dll
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\system32\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - C:\WINDOWS\system32\st3.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B711} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {C0E5FF11-4AE0-4699-A6A7-2FB7118F2081} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: (no name) - {DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB} - C:\WINDOWS\mpatrol.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbg.dll
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\admparsel.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\adsldpbl.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - C:\WINDOWS\adsldpby.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - C:\WINDOWS\system32\adsldpbz.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00305} - C:\WINDOWS\system32\compstuia.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - C:\WINDOWS\compstuib.dll
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\compstuic.dll
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsek.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\g73617125.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\podpis.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {192C5288-623B-4F48-959F-DC9CEE403E94} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {C5E0E2D5-6595-46C1-9D87-0465A0B703D0} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\g10235562.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - C:\WINDOWS\system32\compstuig.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - C:\WINDOWS\system32\adsldpby.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00302} - C:\WINDOWS\system32\adsldpbx.dll
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - C:\WINDOWS\system32\compstuif.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - C:\WINDOWS\compstuif.dll
O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\g6152828.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\system32\fontexta.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00402} - C:\WINDOWS\System32\fontextb.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00403} - C:\WINDOWS\System32\fontextc.dll
O2 - BHO: (no name) - {857BEA2E-73ED-4C41-86A4-F5284A4BA296} - C:\WINDOWS\System32\adsldmpc.dll
O2 - BHO: (no name) - {34E7CF84-386A-4E77-91E3-9AC0B205235B} - C:\WINDOWS\System32\adsldmpc.dll
O2 - BHO: (no name) - {E4345659-2EE8-45D9-873A-9A23CDF67380} - C:\WINDOWS\System32\adsldmpc.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {C69ED6B3-3228-4F4F-9477-328A7D509216} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: (no name) - {1E9D26CE-15EB-44C2-8E17-985691884E06} - C:\WINDOWS\system32\fontextd.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00404} - C:\WINDOWS\system32\fontextd.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00405} - C:\WINDOWS\system32\fontexte.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00405} - C:\WINDOWS\fontexte.dll
O2 - BHO: (no name) - {6B754AA2-0CE7-4822-9865-E33AFD03E407} - C:\WINDOWS\system32\fontextg.dll
O2 - BHO: (no name) - {D4C5947D-16E3-462F-A93D-FB718E100406} - C:\WINDOWS\system32\fontext_a.dll
O2 - BHO: (no name) - {25C7CE21-E543-46A9-B4B3-01B845B28A6D} - C:\WINDOWS\system32\admparsex.dll
O2 - BHO: (no name) - {DDEC2387-6435-46B6-AF8C-1075F6EBF08B} - C:\WINDOWS\system32\admparsez.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - C:\WINDOWS\system32\d3dxofa.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - C:\WINDOWS\system32\d3acdb.dll
O2 - BHO: (no name) - {D1159422-16E3-462F-A93D-FB718E100407} - C:\WINDOWS\system32\d4xofa.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {12520983-7C80-4F20-87F1-49B8BF1E8A38} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00401} - C:\WINDOWS\system32\afontext.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\C68OdXqe.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {4FD4B307-E2C7-41ED-A18C-C7BE647759B7} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb2.dll
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\q842468_disk.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q8909656_disk.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q10948125.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle2.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\system32\winstyle32.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\q126578.dll
O20 - Winlogon Notify: gg - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: gggg - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: ggggg - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g10600453.dll
O20 - Winlogon Notify: st3d - C:\WINDOWS\system32\st3d.dll
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: h618 - C:\WINDOWS\g18213171.dll
O20 - Winlogon Notify: h619 - C:\WINDOWS\g15571968.dll
O20 - Winlogon Notify: winup2date - C:\WINDOWS\system32\servmswinp.dll
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\C68OdXqe.dll
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\servmswin.exe


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"="google service"     FILE ="C:\\WINDOWS\\system32\\hjthis101.dll"

The file name q842468_disk.dll is random. It has the following structure: q*_disk.dll (the * stands for a number of randomly chosen digits).
The same goes for q10948125.dll or g10600453.dll: the digits after the q or the g are chosen at random.
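
The naming scheme described above can be checked mechanically against a HijackThis log. The following Python sketch is an added example, not part of the original page or of win32delfkil.exe; the regular expressions are an assumption derived from the three file names discussed here, and the two benign sample lines are constructed.

```python
import ntpath
import re

# Assumption: randomised names as described on this page, i.e. q<digits>_disk.dll,
# q<digits>.dll and g<digits>.dll, dropped directly in the Windows directory.
RANDOM_NAME = re.compile(r"^(?:q\d+(?:_disk)?|g\d+)\.dll$", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\(?:windows|winnt)$", re.IGNORECASE)

# HijackThis sections that load a DLL in the log shown on this page.
ENTRY = re.compile(r"^(O2|O20|O22) - [^:]+: (.+)$")
# A file path inside an entry; the last one on the line is the loaded module.
PATH = re.compile(r"[a-z]:\\[^{}]+?\.(?:dll|exe)", re.IGNORECASE)


def parse_entry(line):
    """Return (section, module_path) for an O2/O20/O22 line, else None."""
    match = ENTRY.match(line.strip())
    if not match:
        return None
    paths = PATH.findall(match.group(2))
    return (match.group(1), paths[-1]) if paths else None


def find_random_named_modules(log_text):
    """Map each randomly named DLL to the sorted sections that load it."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        section, path = entry
        directory, name = ntpath.split(path)
        if WINDOWS_DIR.match(directory) and RANDOM_NAME.match(name):
            hits.setdefault(path.lower(), set()).add(section)
    return {path: sorted(sections) for path, sections in hits.items()}


# Constructed sample: three entries copied from this page's log plus two
# made-up benign lines (the "Example" entries are placeholders).
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: C:\WINDOWS\q842468_disk.dll - {B212D577-05B7-4963-911E-4A8588160DFA} - C:\WINDOWS\q842468_disk.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q842468_disk.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\g10600453.dll
"""

if __name__ == "__main__":
    for path, sections in find_random_named_modules(SAMPLE_LOG).items():
        print(path, "loaded via", ", ".join(sections))
```

A DLL reported under both O2 and O20 is registered as a BHO and as a Winlogon Notify package at the same time, so both registrations have to be dealt with.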

The .dll that appears under O20 attaches itself to winlogon.exe and to explorer.exe.
The newer variants are often very difficult to remove. Killbox does not work (pendingfilename...), and Process Explorer does not always succeed either, because you cannot always see the .dll under winlogon and therefore cannot remove it.

As long as the .dll responsible for this infection is attached to explorer.exe, you cannot remove the infection, nor can you delete the file.
Fixing the entries with HijackThis does not help either: the key is restored immediately.

Newer variants also use a service that takes care of reinfection.
Some variants use randomly chosen file names and randomly chosen keys under Notify and SharedTaskScheduler. Win32delfkil.exe can remove these.

How to remove this infection:
Win32delfkil.exe now removes the non-legitimate SharedTaskScheduler keys that are found, along with the associated file if present.
These CLSIDs are not removed:
{438755C2-A8BA-11D1-B96B-00A0C90312E1}
{8C7461EF-2B13-11d2-BE35-3078302C2030}
{553858A7-4922-4e7e-B1C1-97140C1C16EF}

Files and registry keys that are removed this way are backed up in this folder: c:\_BackupsD
The SharedTaskScheduler keys that are removed are numbered in the log file (windelf.txt). You will also find this number in backupregs. This makes it easier to restore the right backups if legitimate items were removed after all.

Download win32delfkil.exe.
Place it on your desktop.
Close all open windows, because the computer will restart.
Double-click win32delfkil.exe to start the tool.
After the reboot, a Notepad file opens showing what the removal tool found and removed.
Once the computer has restarted, the infection should be gone.

Some of these variants target win32delfkil, Killbox and HijackThis. If win32delfkil.exe closes, start it again. After a few attempts the tool will start after all and remove the infection.


BHOs that are removed:


Notify keys that are removed:

style2
style32
st3
st3i
st3d
gg
gggg
ggggg
gs
browsela
cfgmngr32
h618
h619
winup2date

SharedTaskScheduler keys that are removed:


Run keys that are removed:

ClearCookies
AlexaToolbar

Files that are removed after reboot:

