No programs running but I'm getting audio


  • This topic is locked
27 replies to this topic

#1 amolamo1980

amolamo1980

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 21 July 2009 - 10:26 PM

Hi. I hope someone can help.

I'm running Windows Vista. There are no programs or applications (that I can tell) running but I can hear sometimes its an interview with a pro skater, sometimes its a woman talking about sports. Those are the only two so far that I can make out. I have no clue even how to search for an answer. Please help!

Thanks in advance.

--Amy


#2 rigel

rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 July 2009 - 10:34 PM

Hi Amy and welcome to BC!

Let's take a look with Malwarebytes. This will give us an idea if we have an infection and what it is...

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 21 July 2009 - 10:43 PM

Malwares won't start on my computer. Everything looks fine with downloading, installing. The last step I make sure Update and Launch is checked then nothing happens.

#4 rigel

rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 July 2009 - 10:45 PM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#5 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 21 July 2009 - 10:47 PM

I clicked on the link in the last post and this is what it said:

The bandwidth or page view limit for this site has been exceeded and the page cannot be viewed at this time. Once the site is below the limit, it will once again begin serving as normal.

The second link for the tutorial has a page error.

Sorry for the difficulties

#6 rigel

rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 July 2009 - 10:53 PM

Not a problem. It looks like this might be a denial of service attack against Rootrepeal. They are very good with rootkits. Our process here will be a long one. Let's move to another step. First a rename of Malwarebytes. Rename the Malwarebytes file to winlogin.exe. Try to run the program.

Let's also move forward with Dr.Web.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 21 July 2009 - 11:10 PM

The malware is done scanning. I haven't rebooted yet but I have downloaded the Dr.Web thing but I haven't installed it. Do I reboot now?

#8 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 21 July 2009 - 11:15 PM

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

7/21/2009 11:14:21 PM
mbam-log-2009-07-21 (23-14-21).txt

Scan type: Quick Scan
Objects scanned: 87737
Time elapsed: 10 minute(s), 33 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\Windows\msb.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695bc-a811-4a9d-8cdf-ba8c795f261e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a4a435cf-3583-11d4-91bd-0048546a1450} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2680e10-1655-4a0e-87f8-4259325a84b7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9306072-417e-43e3-81d5-369490beef7c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (Adware.AdBreak) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0} (Adware.Aconti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06dfedaa-6196-11d5-bfc8-00508b4a487d} (Adware.7Search) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3} (Adware.7Search) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c4ca6559-2cf1-48b6-96b2-8340a06fd129} (Adware.AdBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca1d1b05-9c66-11d5-a009-000103c1e50b} (Adware.4Arcade) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d8efadf1-9009-11d6-8c73-608c5dc19089} (Adware.AccessPlugin) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bb936323-19fa-4521-ba29-eca6a121bc78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864a5-3916-46e2-96a9-a2e84f3f1208} (Adware.Accoona) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000012-890e-4aac-afd9-eff6954a34dd} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinBlueSoft (Rogue.WinBlue) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qiawpbjj.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{72616f6c-3eb8-412d-bfe6-be2b5b5ac5c3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73a15681-c430-4d0f-888c-438af3c4e99d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{72616f6c-3eb8-412d-bfe6-be2b5b5ac5c3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{73a15681-c430-4d0f-888c-438af3c4e99d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\msb.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\din.ip (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\prrbpgbr.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\jofstvyt.sbin (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\faxwin32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
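As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for the MBAM 1.x log layout shown in the post above. It pulls out the objects that are still pending until a normal reboot, which is why the reboot question matters after such a scan, and the rogue resolver addresses recorded under the Trojan.DNSChanger data items. The sample log is a constructed excerpt modelled on the one posted; the line layout, the `Finding` structure and the function names are assumptions.

```python
"""Parse and triage a Malwarebytes' Anti-Malware 1.x scan log.

Added example for this thread; it is not Malwarebytes' own code. It assumes
the line layout visible in the posted log:

    <object> (<detection name>) -> [Data: ... -> ]<action taken>

and section headers of the form "<Section> Infected:".
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt, modelled on the log posted in this thread.
SAMPLE_LOG = """\
Memory Processes Infected:
C:\\Windows\\msb.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command\\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.9,85.255.112.24 -> Quarantined and deleted successfully.

Files Infected:
C:\\Windows\\msb.exe (Trojan.Agent) -> Delete on reboot.
C:\\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
FINDING_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[A-Za-z0-9.\-]+)\) -> (?P<rest>.+)$")
# Actions meaning the object is still present until the machine restarts normally.
PENDING_ACTIONS = ("Delete on reboot", "Failed to unload process")


@dataclass
class Finding:
    section: str                 # e.g. "Files Infected"
    obj: str                     # file path or registry path
    detection: str               # MBAM detection name, e.g. Trojan.DNSChanger
    action: str                  # what MBAM did with the object
    data: Optional[str] = None   # extra field on registry data items (Data:/Bad:/Good:)


def parse_mbam_log(text: str) -> List[Finding]:
    """Return one Finding per detection line, tagged with the section it sits in."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = FINDING_RE.match(line)
        if not m or not section:
            continue  # summary counts, timestamps and other header lines
        # Registry data items carry "Data: ... -> action" or "Bad: (...) Good: (...) -> action";
        # the action is always the final " -> " component.
        parts = m.group("rest").rsplit(" -> ", 1)
        data, action = (parts[0], parts[1]) if len(parts) == 2 else (None, parts[0])
        findings.append(Finding(section, m.group("obj"), m.group("det"), action, data))
    return findings


def pending_until_reboot(findings: List[Finding]) -> List[Finding]:
    """Objects MBAM could not remove while running; a normal reboot is needed to finish."""
    return [f for f in findings if any(a in f.action for a in PENDING_ACTIONS)]


def dns_changer_servers(findings: List[Finding]) -> List[str]:
    """Rogue resolver addresses written by Trojan.DNSChanger into NameServer values."""
    servers = set()
    for f in findings:
        if f.detection == "Trojan.DNSChanger" and f.data and f.data.startswith("Data: "):
            for ip in f.data[len("Data: "):].split(","):
                try:
                    servers.add(str(ipaddress.ip_address(ip.strip())))
                except ValueError:
                    pass  # leave malformed entries out rather than guess
    return sorted(servers, key=ipaddress.ip_address)


def detection_counts(findings: List[Finding]) -> Counter:
    """How many objects each detection family accounted for."""
    return Counter(f.detection for f in findings)


def triage(text: str) -> dict:
    """One-call summary: what is still live, and whether DNS settings were hijacked."""
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "pending_reboot": [f.obj for f in pending_until_reboot(findings)],
        "rogue_dns": dns_changer_servers(findings),
        "by_detection": dict(detection_counts(findings)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```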

#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male

Posted 21 July 2009 - 11:16 PM

Reboot then finally, once you have rebooted, install Dr. Web and scan with it

Edited by Computer Pro, 21 July 2009 - 11:19 PM.

Computer Pro

#10 rigel

rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 22 July 2009 - 07:01 AM

Please hold on Computer Pro's instructions.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Then we will run Dr Web...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#11 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 22 July 2009 - 07:16 AM

Running RootRepeal right now. I started the Dr.Web last night but I fell asleep. When I woke up this morning my computer had restarted. I'll post the RootRepeal report when it's done. Thanks again for all the help! :-)

#12 rigel

rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 22 July 2009 - 07:22 AM

You are welcome... It was fine that you ran Dr.Web. We will run it again after finishing RootRepeal's procedure. It may take a couple of steps. :thumbsup:

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#13 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 22 July 2009 - 07:23 AM

I'm not hearing the phantom audio anymore though! It would start pretty much as soon as I would connect to the internet, that's a relief! Rootrepeal still running.

#14 amolamo1980

amolamo1980
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Female
  • Location:texas

Posted 22 July 2009 - 07:34 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/22 07:14
Program Version: Version 1.3.2.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8ED3A000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAD597000 Size: 49152 File Visible: No Signed: -
Status: -

Name: splz.sys
Image Path: C:\Windows\System32\Drivers\splz.sys
Address: 0x82C96000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------

1c472dec16924fb\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

gameexplorer_31bf3856ad364e35_6.0.6001.22299_none_4

231a10dda9b7df4\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde

541564b88ae\$$DeleteMe.kernel32.dll.01c9ed920a05cc1

0.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

p..ooler-core-

localspl_31bf3856ad364e35_6.0.6001.18000_none_301b5

dfb92ae18db\$$DeleteMe.localspl.dll.01c9ed920a66b0c

0.000b
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_microsoft-windows-

p..talcontrolssettings_31bf3856ad364e35_6.0.6001.18

000_none_f3ec70780f6f64fc\wpcuninst.mof
Status: Allocation size mismatch (API: 4096, Raw:

472)

Path: C:\Windows\winsxs\x86_microsoft-windows-rpc-

local_31bf3856ad364e35_6.0.6001.18051_none_b3c58fc5

453bf46b\$$DeleteMe.rpcrt4.dll.01c9ed9209cf52c0.000

3
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-

core-fastprox-

dll_31bf3856ad364e35_6.0.6001.18000_none_fb49535a79

bca3e8

\$$DeleteMe.fastprox.dll.01c9ed920a47de20.0009
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_microsoft-windows-wmi-

mof.resources_31bf3856ad364e35_6.0.6001.18000_en-

us_6d2cbd70bfeb5621\subscrpt.mfl
Status: Allocation size mismatch (API: 4096, Raw:

560)

Path:

c:\windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.

6001.18000_none_8133189db1382d8a\msbuild.exe.config
Status: Allocation size mismatch (API: 4096, Raw:

560)

Path: C:\Windows\winsxs\x86_microsoft-windows-

mediaplayer-

core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4

f19b995\$$DeleteMe.wmp.dll.01c9a2e99f595000.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

mediaplayer-

core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4

f19b995\$$DeleteMe.wmploc.DLL.01c9a2e99f62c5e0.0002
Status: Locked to the Windows API!

Path:

C:\Windows\winsxs\x86_policy.1.2.microsof..op.secur

ity.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea

83414c2e75b887

\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

security-

schannel_31bf3856ad364e35_6.0.6001.18000_none_22164

b0e5542d6c1

\$$DeleteMe.schannel.dll.01c9a2e99eef4390.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-

base-qfe-

rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc

3ddffe3c\$$DeleteMe.rpcss.dll.01c9ed920a3c4560.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25c

cb3836\$$DeleteMe.lsasrv.dll.01c9ed9209f159b0.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25c

cb3836\$$DeleteMe.secur32.dll.01c9ed9209f37c90.0005
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-

runtimeutilities_31bf3856ad364e35_6.0.6001.18157_no

ne_47749ea98ca66a80

\$$DeleteMe.iertutil.dll.01c98dbb87d9d2d0.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-

runtimeutilities_31bf3856ad364e35_6.0.6001.18203_no

ne_47a6af038c817696

\$$DeleteMe.iertutil.dll.01c9ed9209804860.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-

runtimeutilities_31bf3856ad364e35_6.0.6001.18248_no

ne_478070c58c9d650d\$$DeleteMe.iertutil.dll.01c9ee9

c97c37dd0.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

i..tocolimplementation_31bf3856ad364e35_6.0.6001.18

157_none_01b9e7cda1f54c23

\$$DeleteMe.wininet.dll.01c98dbb87dd2e30.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

i..tocolimplementation_31bf3856ad364e35_6.0.6001.18

203_none_01ebf827a1d05839

\$$DeleteMe.wininet.dll.01c9ed920990ea30.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

i..tocolimplementation_31bf3856ad364e35_6.0.6001.18

248_none_01c5b9e9a1ec46b0

\$$DeleteMe.wininet.dll.01c9ee9c97b41480.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18

157_none_b4b40c2bd6ec2590

\$$DeleteMe.urlmon.dll.01c98dbb87d517e0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18

203_none_b4e61c85d6c731a6

\$$DeleteMe.urlmon.dll.01c9ed92095b0d20.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-

i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18

248_none_b4bfde47d6e3201d\$$DeleteMe.urlmon.dll.01c

9ee9c98014a20.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-

core-

providerhost_31bf3856ad364e35_6.0.6001.18000_none_1

062be8b8b6509c7

\$$DeleteMe.WmiPrvSD.dll.01c9ed920a4d8370.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wmi-

core-

providerhost_31bf3856ad364e35_6.0.6001.18000_none_1

062be8b8b6509c7

\$$DeleteMe.WmiPrvSE.exe.01c9ed920a463070.0008
Status: Locked to the Windows API!

Path:

C:\Windows\winsxs\x86_microsoft.windows.winhttp_31b

f3856ad364e35_5.1.6001.18000_none_24cdf96ec22363fa\

$$DeleteMe.winhttp.dll.01c9ed920a738200.000c
Status: Locked to the Windows API!

Path: C:\Users\Default\AppData\Local\Application

Data
Status: Locked to the Windows API!

Path: C:\Users\Default\AppData\Local\History
Status: Locked to the Windows API!

Path: C:\Users\Default\AppData\Local\Temporary

Internet Files
Status: Locked to the Windows API!

Path:

C:\Windows\Microsoft.NET\Framework\v2.0.50727

\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path:

C:\Windows\winsxs\Temp\PendingDeletes\dciman32.dll
Status: Locked to the Windows API!

Path: c:\users\amy

geno\appdata\local\temp\etilqs_er8nqrpghzvorktpvnsl
Status: Allocation size mismatch (API: 32768, Raw:

0)

Path: c:\windows\system32

\driverstore\filerepository\winmobil.inf_a7c8ce31

\wmdsynce.man
Status: Allocation size mismatch (API: 4096, Raw:

688)

Path: C:\Windows\System32

\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32

\LogFiles\WMI\RtBackup\EtwRTEventLog-

Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32

\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32

\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32

\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.

6000.16386__31bf3856ad364e35

\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path:

C:\Windows\assembly\GAC_MSIL\System.Runtime.Seriali

zation.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SY

STEM~1.DLL
Status: Locked to the Windows API!

Path: c:\windows\system32

\driverstore\filerepository\prnhp001.inf_2ade4966

\i386\hpfdj920.gpd
Status: Allocation size mismatch (API: 4096, Raw:

648)

Path: C:\Users\Amy

Geno\AppData\Local\Microsoft\Windows Live

Mail\Outbox\1E6C30~1.EML:OEStandardProperty
Status: Visible to the Windows API, but not on

disk.

Path: C:\Users\Amy

Geno\AppData\Local\Microsoft\Windows Live

Mail\Storage Folders\Deleted

Items\12450C~1.EML:OEStandardProperty
Status: Visible to the Windows API, but not on

disk.

Path: C:\Users\Amy

Geno\AppData\Local\Microsoft\Windows Live

Mail\Storage Folders\Deleted

Items\5BD32A~1.EML:OEStandardProperty
Status: Visible to the Windows API, but not on

disk.

Path: C:\Users\Amy

Geno\AppData\Local\Microsoft\Windows Live

Mail\Storage Folders\Deleted

Items\61CE47~1.EML:OEStandardProperty
Status: Visible to the Windows API, but not on

disk.

Path: C:\Users\Amy

Geno\AppData\Local\Microsoft\Windows Live

Mail\Storage Folders\Deleted

Items\701452~1.EML:OEStandardProperty
Status: Visible to the Windows API, but not on

disk.

Path: C:\Users\Amy

Geno\AppData\Local\Microsoft\Windows Live

Mail\Storage Folders\Recovered items\04-16-2009

673\762B2C~1.EML:OEStandardProperty
Status: Visible to the Windows API, but not on

disk.

Path: c:\users\amy

geno\appdata\local\cometnetwork\cometbird\profiles\

4yualc6x.default\cache\_cache_001_
Status: Allocation size mismatch (API: 524288, Raw:

98304)

Path: c:\users\amy

geno\appdata\local\cometnetwork\cometbird\profiles\

4yualc6x.default\cache\_cache_002_
Status: Allocation size mismatch (API: 655360, Raw:

163840)

Path: c:\users\amy

geno\appdata\local\cometnetwork\cometbird\profiles\

4yualc6x.default\cache\_cache_003_
Status: Allocation size mismatch (API: 2031616,

Raw: 262144)

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1372 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_SET_INFORMATION]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_SET_SECURITY]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs,

IRP_MJ_SET_QUOTA]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x84e0d1f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_CREATE]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat, IRP_MJ_READ]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat, IRP_MJ_WRITE]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_SET_INFORMATION]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_QUERY_EA]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_SET_EA]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_SHUTDOWN]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat,

IRP_MJ_CLEANUP]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: fastfat, IRP_MJ_PNP]
Process: System Address: 0x921e61f8 Address:

121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: atapi,

IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: atapi,

IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: atapi,

IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x84e0c1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_CREATE]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_CLOSE]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma, IRP_MJ_READ]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_WRITE]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_SHUTDOWN]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_POWER]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma,

IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: cdroma, IRP_MJ_PNP]
Process: System Address: 0x8670e1f8 Address:

121

Object: Hidden Code [Driver: usbuhci,

IRP_MJ_CREATE]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: usbuhci,

IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: usbuhci,

IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: usbuhci,

IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x866621f8 Address:

121

Object: Hidden Code [Driver: Smb前І晖呁翘虲,

IRP_MJ_CREATE]
Process: System Address: 0x8e4ba1f8 Address:

121

Object: Hidden Code [Driver: Smb前І晖呁翘虲,

IRP_MJ_CLOSE]
Process: System Address: 0x8e4ba1f8 Address:

121

Object: Hidden Code [Driver: Smb前І晖呁翘虲,

IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8e4ba1f8 Address:

121

Object: Hidden Code [Driver: Smb前І晖呁翘虲,

IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8e4ba1f8

Address==EOF==

#15 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:07:12 PM

Posted 22 July 2009 - 07:39 AM

Let me do some research with the log and I will be back soon... :thumbsup:

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith




