Detected. Yesterday, with the browser running, it showed up. Today I did nothing and GMER did not detect it. I started it and tried again, and there was the rootkit on disk DR0, sector 00.
The problem is that the log is somehow messed up, because it shows disk E, but in the listing it shows disk C, which is the one with the rootkit. On top of that, the listing is terribly long; it is over 2 MB.
restore deleted
GMER 2.0.18444 -
http://www.gmer.net
Rootkit scan 2013-01-24 17:18:52
Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1 ST3160812A rev.3.AAD 149,05GB
Running: gmer.exe; Driver: C:\DOCUME~1\HANSPE~1.DOM\LOCALS~1\Temp\pfqdqfog.sys
---- Kernel code sections - GMER 2.0 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9511000, 0x1E2E6E, 0xE8000020]
---- Disk sectors - GMER 2.0 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 2.0 ----
GMER 2.0.18444 -
http://www.gmer.net
Rootkit scan 2013-01-24 17:31:39
Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1 ST3160812A rev.3.AAD 149,05GB
Running: gmer.exe; Driver: C:\DOCUME~1\HANSPE~1.DOM\LOCALS~1\Temp\pfqdqfog.sys
---- Kernel code sections - GMER 2.0 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9511000, 0x1E2E6E, 0xE8000020]
---- Disk sectors - GMER 2.0 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Files - GMER 2.0 ----
File C:\license.rtf 15048 bytes
File C:\Drive Rescue 0 bytes
File C:\Drive Rescue\readme.rtf 21987 bytes
File C:\Drive Rescue\rescue.chm 224684 bytes
File C:\Drive Rescue\rescue.exe 1166848 bytes
File C:\Drive Rescue\transl.txt 20485 bytes
File C:\Drive Rescue\unins000.dat 1815 bytes
File C:\Drive Rescue\unins000.exe
File C:\Program Files\Mozilla Firefox\plds4.dll (size mismatch) 30320/20952 bytes executable
File C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll (size mismatch) 13952/19416 bytes executable
File C:\Program Files\Mozilla Firefox\browserconfig.properties 222 bytes
File C:\Program Files\Mozilla Firefox\chrome\browser.jar 1287124 bytes
File C:\Program Files\Mozilla Firefox\chrome\browser.manifest 550 bytes
File C:\Program Files\Mozilla Firefox\chrome\chromelist.txt 28472 bytes
File C:\Program Files\Mozilla Firefox\chrome\classic.jar 766981 bytes
File C:\Program Files\Mozilla Firefox\chrome\classic.manifest 322 bytes
File C:\Program Files\Mozilla Firefox\chrome\comm.jar 31967 bytes
File C:\Program Files\Mozilla Firefox\chrome\comm.manifest 144 bytes
File C:\Program Files\Mozilla Firefox\chrome\cs.jar 656578 bytes
File C:\Program Files\Mozilla Firefox\chrome\cs.manifest 768 bytes
File C:\Program Files\Mozilla Firefox\chrome\pippki.jar 299987 bytes
File C:\Program Files\Mozilla Firefox\chrome\pippki.manifest 69 bytes
File C:\Program Files\Mozilla Firefox\chrome\reporter.jar 44541 bytes
File C:\Program Files\Mozilla Firefox\chrome\reporter.manifest 340 bytes
File C:\Program Files\Mozilla Firefox\chrome\toolkit.jar 1862539 bytes
File C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest 469 bytes
File C:\Program Files\Mozilla Firefox\components\nsSearchSuggestions.js 27061 bytes
File C:\Program Files\Mozilla Firefox\components\browser.xpt 321474 bytes
File C:\Program Files\Mozilla Firefox\components\compreg.dat 146881 bytes
File C:\Program Files\Mozilla Firefox\components\FeedConverter.js 20770 bytes
File C:\Program Files\Mozilla Firefox\components\FeedProcessor.js 60396 bytes
File C:\Program Files\Mozilla Firefox\components\FeedWriter.js 41338 bytes
File C:\Program Files\Mozilla Firefox\components\jar50.dll 66672 bytes executable
File C:\Program Files\Mozilla Firefox\components\jsconsole-clhandler.js 6313 bytes
File C:\Program Files\Mozilla Firefox\components\jsd3250.dll 54376 bytes
File C:\Program Files\Mozilla Firefox\components\myspell.dll 34952 bytes executable
File C:\Program Files\Mozilla Firefox\components\nsBookmarkTransactionManager.js 13895 bytes
File C:\Program Files\Mozilla Firefox\components\nsBrowserContentHandler.js 29967 bytes
File C:\Program Files\Mozilla Firefox\components\nsBrowserGlue.js 9459 bytes
File C:\Program Files\Mozilla Firefox\components\nsCloseAllWindows.js 5132 bytes
File C:\Program Files\Mozilla Firefox\components\nsDictionary.js 4805 bytes
File C:\Program Files\Mozilla Firefox\components\nsExtensionManager.js 324298 bytes
File C:\Program Files\Mozilla Firefox\components\nsHelperAppDlg.js 39291 bytes
File C:\Program Files\Mozilla Firefox\components\nsMicrosummaryService.js 81649 bytes
File C:\Program Files\Mozilla Firefox\components\nsPostUpdateWin.js 22254 bytes
File C:\Program Files\Mozilla Firefox\components\nsProxyAutoConfig.js 13475 bytes
File C:\Program Files\Mozilla Firefox\components\nsSafebrowsingApplication.js 147647 bytes
File C:\Program Files\Mozilla Firefox\components\nsSearchService.js 107030 bytes
File C:\Program Files\Mozilla Firefox\components\nsSessionStartup.js 15383 bytes
File C:\Program Files\Mozilla Firefox\components\nsSessionStore.js 73657 bytes
File C:\Program Files\Mozilla Firefox\components\nsSetDefaultBrowser.js 5054 bytes
File C:\Program Files\Mozilla Firefox\components\nsSidebar.js 14892 bytes
File C:\Program Files\Mozilla Firefox\components\nsUpdateService.js 104040 bytes
File C:\Program Files\Mozilla Firefox\components\nsUrlClassifierLib.js 136062 bytes
File C:\Program Files\Mozilla Firefox\components\nsUrlClassifierListManager.js 32944 bytes
File C:\Program Files\Mozilla Firefox\components\nsUrlClassifierTable.js 45938 bytes
File C:\Program Files\Mozilla Firefox\components\nsURLFormatter.js 5835 bytes
File C:\Program Files\Mozilla Firefox\components\nsXmlRpcClient.js 35263 bytes
File C:\Program Files\Mozilla Firefox\components\spellchk.dll 46720 bytes executable
File C:\Program Files\Mozilla Firefox\components\WebContentConverter.js 24340 bytes
File C:\Program Files\Mozilla Firefox\components\xpinstal.dll 172144 bytes executable
File C:\Program Files\Mozilla Firefox\components\xpti.dat 93147 bytes
File C:\Program Files\Mozilla Firefox\defaults\autoconfig\platform.js 87 bytes
File C:\Program Files\Mozilla Firefox\defaults\autoconfig\prefcalls.js 7296 bytes
File C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js 915 bytes
File C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js 359 bytes
File C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js 26801 bytes
File C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js 206 bytes
File C:\Program Files\Mozilla Firefox\defaults\profile\bookmarks.html 7129 bytes
File C:\Program Files\Mozilla Firefox\defaults\profile\chrome\userChrome-example.css 877 bytes
File C:\Program Files\Mozilla Firefox\defaults\profile\chrome\userContent-example.css 723 bytes
File C:\Program Files\Mozilla Firefox\defaults\profile\localstore.rdf 158 bytes
File C:\Program Files\Mozilla Firefox\defaults\profile\mimeTypes.rdf 369 bytes
File C:\Program Files\Mozilla Firefox\defaults\profile\search.rdf 2402 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org 0 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\chrome.manifest 0 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components 0 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\BrandRes.dll 99840 bytes executable
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll 156544 bytes executable
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\master.ini 3323 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll 14456 bytes executable
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.xpt 144 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\talkback-l10n.ini 14826 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\talkback.cnt 1355 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\talkback.exe 407040 bytes executable
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\talkback.hlp 32928 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\install.rdf 1727 bytes
File C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\InstallDisabled 2 bytes
File C:\Program Files\Mozilla Firefox\firefox.exe (size mismatch) 7633008/924632 bytes executable
File C:\Program Files\Mozilla Firefox\freebl3.dll (size mismatch) 200829/269272 bytes executable
File C:\Program Files\Mozilla Firefox\greprefs\all.js 64659 bytes
File C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js 3013 bytes
File C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js 85 bytes
File C:\Program Files\Mozilla Firefox\js3250.dll 455272 bytes executable
File C:\Program Files\Mozilla Firefox\LICENSE 30869 bytes
File C:\Program Files\Mozilla Firefox\nspr4.dll (size mismatch) 161392/187352 bytes executable
File C:\Program Files\Mozilla Firefox\nss3.dll (size mismatch) 378472/646104 bytes executable
File C:\Program Files\Mozilla Firefox\nssckbi.dll (size mismatch) 259696/371672 bytes executable
File C:\Program Files\Mozilla Firefox\old-homepage-default.properties 107 bytes
File C:\Program Files\Mozilla Firefox\plc4.dll (size mismatch) 34424/22488 bytes executable
File C:\Program Files\Mozilla Firefox\plugins\npnul32.dll 22664 bytes executable
File C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL 17248 bytes executable
File C:\Program Files\Mozilla Firefox\README.txt 438 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-column-after-active.gif 823 bytes
File C:\Program Files\Mozilla Firefox\res\arrow.gif 49 bytes
File C:\Program Files\Mozilla Firefox\res\arrowd.gif 52 bytes
File C:\Program Files\Mozilla Firefox\res\broken-image.gif 165 bytes
File C:\Program Files\Mozilla Firefox\res\charsetalias.properties 11348 bytes
File C:\Program Files\Mozilla Firefox\res\charsetData.properties 8507 bytes
File C:\Program Files\Mozilla Firefox\res\cmessage.txt 93 bytes
File C:\Program Files\Mozilla Firefox\res\dtd\mathml.dtd 64504 bytes
File C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd 8427 bytes
File C:\Program Files\Mozilla Firefox\res\EditorOverride.css 10566 bytes
File C:\Program Files\Mozilla Firefox\res\entityTables\html40Latin1.properties 3690 bytes
File C:\Program Files\Mozilla Firefox\res\entityTables\html40Special.properties 2396 bytes
File C:\Program Files\Mozilla Firefox\res\entityTables\html40Symbols.properties 4090 bytes
File C:\Program Files\Mozilla Firefox\res\entityTables\htmlEntityVersions.properties 1967 bytes
File C:\Program Files\Mozilla Firefox\res\entityTables\mathml20.properties 29091 bytes
File C:\Program Files\Mozilla Firefox\res\entityTables\transliterate.properties 38499 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\fontEncoding.properties 5169 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\fontNameMap.properties 3793 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfont.properties 42412 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontCMEX10.properties 5951 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontCMSY10.properties 4439 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontMath1.properties 3353 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontMath2.properties 5472 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontMath4.properties 6512 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontMTExtra.properties 2348 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontPUA.properties 15688 bytes
File C:\Program Files\Mozilla Firefox\res\fonts\mathfontSymbol.properties 3747 bytes
File C:\Program Files\Mozilla Firefox\res\forms.css 13385 bytes
File C:\Program Files\Mozilla Firefox\res\grabber.gif 858 bytes
File C:\Program Files\Mozilla Firefox\res\hiddenWindow.html 117 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-audio.gif 163 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-binary.gif 165 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-find.gif 178 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-image.gif 188 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-menu.gif 135 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-movie.gif 180 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-sound.gif 163 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-telnet.gif 189 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-text.gif 154 bytes
File C:\Program Files\Mozilla Firefox\res\html\gopher-unknown.gif 132 bytes
File C:\Program Files\Mozilla Firefox\res\html.css 9568 bytes
File C:\Program Files\Mozilla Firefox\res\langGroups.properties 5619 bytes
File C:\Program Files\Mozilla Firefox\res\language.properties 5452 bytes
File C:\Program Files\Mozilla Firefox\res\loading-image.gif 157 bytes
File C:\Program Files\Mozilla Firefox\res\mathml.css 13572 bytes
File C:\Program Files\Mozilla Firefox\res\quirk.css 11757 bytes
File C:\Program Files\Mozilla Firefox\res\svg.css 2251 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-column-after-hover.gif 826 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-column-after.gif 826 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-column-before-active.gif 50 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-column-before-hover.gif 825 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-column-before.gif 825 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-row-after-active.gif 822 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-row-after-hover.gif 826 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-row-after.gif 826 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-row-before-active.gif 821 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-row-before-hover.gif 825 bytes
File C:\Program Files\Mozilla Firefox\res\table-add-row-before.gif 825 bytes
File C:\Program Files\Mozilla Firefox\res\table-remove-column-active.gif 835 bytes
File C:\Program Files\Mozilla Firefox\res\table-remove-column-hover.gif 841 bytes
File C:\Program Files\Mozilla Firefox\res\table-remove-column.gif 841 bytes
File C:\Program Files\Mozilla Firefox\res\table-remove-row-active.gif 835 bytes
File C:\Program Files\Mozilla Firefox\res\table-remove-row-hover.gif 841 bytes
File C:\Program Files\Mozilla Firefox\res\table-remove-row.gif 841 bytes
File C:\Program Files\Mozilla Firefox\res\ua.css 6053 bytes
File C:\Program Files\Mozilla Firefox\res\viewsource.css 3042 bytes
File C:\Program Files\Mozilla Firefox\res\wincharset.properties 2080 bytes
File C:\Program Files\Mozilla Firefox\searchplugins 0 bytes
File C:\Program Files\Mozilla Firefox\searchplugins\centrum-cz.xml 1118 bytes
File C:\Program Files\Mozilla Firefox\searchplugins\google.xml 2368 bytes
File C:\Program Files\Mozilla Firefox\searchplugins\jyxo-cz.xml 661 bytes
File C:\Program Files\Mozilla Firefox\searchplugins\mall-cz.xml 1674 bytes
File C:\Program Files\Mozilla Firefox\searchplugins\seznam-cz.xml 1302 bytes
File C:\Program Files\Mozilla Firefox\searchplugins\slunecnice-cz.xml 765 bytes
File C:\Program Files\Mozilla Firefox\smime3.dll (size mismatch) 112232/105432 bytes executable
File C:\Program Files\Mozilla Firefox\softokn3.dll (size mismatch) 254060/170968 bytes executable
File C:\Program Files\Mozilla Firefox\ssl3.dll (size mismatch) 132712/154584 bytes executable
File C:\Program Files\Mozilla Firefox\uninstall\helper.exe (size mismatch) 431808/835832 bytes executable
File C:\Program Files\Mozilla Firefox\updater.exe (size mismatch) 130184/269272 bytes executable
File C:\Program Files\Mozilla Firefox\xpcom.dll (size mismatch) 13416/19928 bytes executable
File C:\Program Files\Mozilla Firefox\xpcom_compat.dll 73848 bytes executable
File C:\Program Files\Mozilla Firefox\xpcom_core.dll 421488 bytes executable
File C:\Program Files\Mozilla Firefox\xpicleanup.exe 73336 bytes executable
File C:\Program Files\Mozilla Firefox\xpistub.dll 12400 bytes executable
File C:\Program Files\star.tga 3116 bytes
File C:\Program Files\Undo 0 bytes
File C:\Program Files\Undo\ECUndo01.reg 23790 bytes
File C:\Program Files\Uninstall Information\odbc.dat 24 bytes
File C:\Program Files\Video Card Stability Test 0 bytes
File C:\Program Files\Video Card Stability Test\EarthDX9.dll 667648 bytes executable
File C:\Program Files\Video Card Stability Test\fgsender.dll 65536 bytes executable
File C:\Program Files\Video Card Stability Test\FreeStone-Group.com.ico 2998 bytes
File C:\Program Files\Video Card Stability Test\FreeStone-Group.com.url 115 bytes
File C:\Program Files\Video Card Stability Test\Games.FreeStone-Group.com.url 59 bytes
File C:\Program Files\Video Card Stability Test\License.txt 958 bytes
File C:\Program Files\Video Card Stability Test\Media 0 bytes
File C:\Program Files\Video Card Stability Test\Media\bumpshader.vsh 825 bytes
File C:\Program Files\Video Card Stability Test\Media\bumpshader2.vsh 835 bytes
File C:\Program Files\Video Card Stability Test\Media\bumpshader3.vsh 779 bytes
File C:\Program Files\Video Card Stability Test\Media\bumpshader4.vsh 783 bytes
File C:\Program Files\Video Card Stability Test\Media\fg.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shadowbumpshader.psh 659 bytes
File C:\Program Files\Video Card Stability Test\Media\shine 0 bytes
File C:\Program Files\Video Card Stability Test\Media\shine0.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine1.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine2.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine3.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine4.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine5.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine6.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine7.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine8.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\shine9.bmp 17462 bytes
File C:\Program Files\Video Card Stability Test\Media\sphere_h.x 3101498 bytes
File C:\Program Files\Video Card Stability Test\Media\sphere_m.x 392344 bytes
File C:\Program Files\Video Card Stability Test\Media\Thumbs.db 25088 bytes
File C:\Program Files\Video Card Stability Test\meshes.dat 78293 bytes
File C:\Program Files\Video Card Stability Test\StabilityTestDX9.dll 176128 bytes executable
File C:\Program Files\Video Card Stability Test\uninstall.exe 58384 bytes executable
File C:\Program Files\Video Card Stability Test\unrar.dll 153088 bytes
File C:\Program Files\Video Card Stability Test\vcstres.dll 90112 bytes executable
File C:\Program Files\Video Card Stability Test\Video Card Stability Test.exe 108544 bytes executable
File C:\Program Files\wood.tga 196652 bytes
File C:\readme.txt 2208 bytes
File C:\RECYCLER\S-1-5-21-1801674531-1935655697-1060284298-1004 0 bytes
File C:\RECYCLER\S-1-5-21-343818398-1647877149-725345543-1003 0 bytes
File C:\RECYCLER\S-1-5-21-343818398-1647877149-725345543-500 0 bytes
File C:\RECYCLER\S-1-5-21-57989841-789336058-842925246-1004 0 bytes
File C:\RECYCLER\S-1-5-21-842925246-1580818891-1957994488-1004 0 bytes
File C:\RelNotes.rtf 22200 bytes
File C:\System Volume Information\_restore{06A5AF6C-7E18-4ABD-A2C2-A3A0E86141D1} 0 bytes
F
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_MACHINE_SECURITY 40960 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_MACHINE_SOFTWARE 22298624 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_MACHINE_SYSTEM 4837376 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_.DEFAULT 282624 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 282624 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 233472 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 237568 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-57989841-789336058-842925246-1004 2588672 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 8192 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP41\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 8192 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42 0 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026227.dll 103776 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026228.ini 222 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026229.rbf 7084384 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026230.rbf 766 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026231.rbf 409600 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026232.rbf 286720 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026233.rbf 135168 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026234.rbf 61440 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026235.rbf 249856 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026236.rbf 593920 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026237.rbf 12288 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026238.rbf 86016 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026239.rbf 11264 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026240.rbf 27136 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026241.rbf 4096 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026242.rbf 794624 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026243.rbf 23040 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026245.rbf 612352 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026246.rbf 562184 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026247.rbf 766 bytes
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026248.rbf 409600 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026249.rbf 286720 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026250.rbf 135168 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026251.rbf 61440 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026252.rbf 249856 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026253.rbf 593920 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026254.rbf 12288 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026255.rbf 86016 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026256.rbf 11264 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026257.rbf 27136 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026258.rbf 4096 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026259.rbf 794624 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026260.rbf 23040 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026261.rbf 422912 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026263.rbf 409600 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026264.rbf 286720 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026265.rbf 135168 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026266.rbf 61440 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026267.rbf 249856 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026268.rbf 593920 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026269.rbf 12288 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026270.rbf 86016 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026271.rbf 11264 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026272.rbf 27136 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026273.rbf 4096 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026274.rbf 794624 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026275.rbf 23040 bytes executable
File C:\System Volume Information\_restore{44E0F3CF-EBBF-4DA8-8B70-F95813736D6C}\RP42\A0026276.rbf 766 bytes