
My worst computer nightmare


This topic is locked
13 replies to this topic

#1 Reaxku The Fox (Members, 18 posts)

Posted 28 July 2009 - 02:19 PM

I'll tell how this happened at the bottom of the post so we can get to the meat of the problem.
When I start up normally I get a plethora of error messages (my infection looks like this poor chap's here: http://www.bleepingcomputer.com/forums/topic238194.html). Very few applications will start, and no form of antivirus will run. In safe mode I just finished running a Malwarebytes quick scan, after trying a full scan served me a BSOD; results:
---
Malwarebytes' Anti-Malware 1.39
Database version: 2522
Windows 6.0.6001 Service Pack 1

7/28/2009 3:11:31 PM
mbam-log-2009-07-28 (15-11-25).txt

Scan type: Quick Scan
Objects scanned: 83781
Time elapsed: 3 minute(s), 18 second(s)

Registry Values Infected: 1
Folders Infected: 1
Files Infected: 3

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19525734 (Rogue.Multiple.H) -> No action taken.

Folders Infected:
C:\ProgramData\19525734 (Rogue.Multiple.H) -> No action taken.

Files Infected:
c:\programdata\19525734\19525734 (Rogue.Multiple.H) -> No action taken.
c:\programdata\19525734\19525734.exe (Rogue.Multiple.H) -> No action taken.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
---
And don't worry, that is certainly not all; before my last full scan crashed it reported 9 infections, and these were not tracking cookies either. I've also found and deleted...
a.exe
b.exe
and c.exe
Very original names >.<. I remembered reading somewhere that these were malware related, so I removed them with a restarting delete using Killbox. There are many more things I could write about this infection, but I'll get down to how it happened...
I downloaded RocketDock, but not from the original creator (I didn't know at the time). I scanned the downloaded file with AVG, Avast, SUPERAntiSpyware, and Malwarebytes (Avast is the only real-time one): clean, so I installed. Avast then alerted me that my computer was trying to connect to some malwarey sites, then a 'spoofed' Windows Defender popup came up and calmly reported I had an infected file. Not thinking about whether Windows had popups like that, I clicked remove malware. Avast started popping up more often, so I hit the off switch on my computer power strip; I keep it nearby because this happens a bit often to me.
Any ideas.. please?

I collect viruses... unintentionally.
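The MBAM log above shows the pattern worth recognising in a rogue-antivirus infection: an autostart value under HKLM\...\CurrentVersion\Run, a dropped folder and executable under ProgramData, and a scheduled task .job file, all still marked "No action taken" (detected, not removed). The following Python script is an added example, not part of the original post or of Malwarebytes: it parses the log into records, classifies each location by the persistence mechanism it represents, and lists what is still pending removal. The sample log is the one posted above, trimmed to the lines the parser uses; the classification rules and function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the detections from the MBAM log posted above, with the
# header lines kept so the parser shows how it skips them.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2522
Windows 6.0.6001 Service Pack 1

Scan type: Quick Scan
Objects scanned: 83781

Registry Values Infected: 1
Folders Infected: 1
Files Infected: 3

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19525734 (Rogue.Multiple.H) -> No action taken.

Folders Infected:
C:\ProgramData\19525734 (Rogue.Multiple.H) -> No action taken.

Files Infected:
c:\programdata\19525734\19525734 (Rogue.Multiple.H) -> No action taken.
c:\programdata\19525734\19525734.exe (Rogue.Multiple.H) -> No action taken.
C:\Windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
"""

# "<location> (<detection name>) -> <action>." as MBAM 1.x writes it.
ENTRY_RE = re.compile(r"^(?P<location>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers ("Files Infected:") differ from the summary counts ("Files Infected: 3").
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it was listed under."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def classify(finding):
    """Name the persistence mechanism a detected location represents (example's own rules)."""
    loc = finding["location"].lower()
    if loc.startswith("hkey_") and "\\currentversion\\run" in loc:
        return "autostart registry value"      # runs at every logon
    if "\\windows\\tasks\\" in loc and loc.endswith(".job"):
        return "scheduled task"                # re-launches the downloader on a schedule
    if finding["section"] == "Folders Infected":
        return "dropped folder"
    return "dropped file"


def persistence_summary(findings):
    """Count findings per persistence mechanism."""
    return Counter(classify(f) for f in findings)


def pending_removal(findings):
    """'No action taken' means the item was only detected; Remove Selected was not clicked."""
    return [f for f in findings if f["action"].lower() == "no action taken"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    for f in found:
        print(f"{classify(f):26} {f['detection']:18} {f['location']}")
    print(dict(persistence_summary(found)))
    print(f"{len(pending_removal(found))} of {len(found)} detections still pending removal")
```

Run it as a script to see the per-item classification; the pending count is the quickest check that the scan's findings were actually removed rather than just listed, which is the first question the moderator asks in the reply below.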



#2 boopme, "To Insanity and Beyond" (Global Moderator, 73,561 posts, NJ USA)

Posted 29 July 2009 - 01:36 PM

Hello, my first comment is: did you click Remove Selected after the MBAM scan? "No action taken" usually means this.

I would like you to also run DrWeb-CureIt.
Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode, and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (e.g. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Reaxku The Fox (Topic Starter)

Posted 31 July 2009 - 01:22 AM

Hello my first comment is did you click the Remove Selected after the MBAM scan. As the No action taken usually means this.

Yes, the removal was successful according to MBAM.

Dr. Web's express scan turned up nothing. Some other interesting things this infection has done to my computer: it disabled my only user account besides the Administrator one, but all the files are still accessible. And every time I boot up normally I'm in "Windows Vista Test Mode", and it says "Test Mode" at the four corners of my desktop, like how Safe Mode says "Safe Mode"...

Edited by Reaxku The Fox, 31 July 2009 - 02:34 AM.



#4 Reaxku The Fox (Topic Starter)

Posted 31 July 2009 - 09:18 AM

Done, it found no malware but did find my reserve copies of SmitFraudFix and Navilog1... both remove malware, not create it... here's the log anyway:

Process.exe;C:\Documents and Settings\Reaxku\Goodies\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Reaxku\Goodies\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
Process.exe;C:\Program Files\Navilog1;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\Users\Reaxku\Goodies\SmitfraudFix;Tool.Prockill;Invalid path to file ;
restart.exe;C:\Users\Reaxku\Goodies\SmitfraudFix;Tool.ShutDown.14;Invalid path to file ;



#5 boopme, "To Insanity and Beyond" (Global Moderator, 73,561 posts, NJ USA)

Posted 31 July 2009 - 09:29 AM

OK, thank you. If your AV still won't run then please run RootRepeal.

Next, please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial - the Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
Not this >>> SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

#6 Reaxku The Fox (Topic Starter)

Posted 31 July 2009 - 09:40 AM

I've gotten Avast to run smoothly for me and even did a boot-time scan... clean. AVG looks like it's been messed up pretty bad though; it will not scan, and resident protection has been disabled and I cannot re-enable it.
And do you want the ShadowSSDT scan with RootRepeal?



#7 Reaxku The Fox (Topic Starter)

Posted 31 July 2009 - 09:48 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/31 10:38
Program Version: Version 1.3.2.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: 2NjYBB5e.sys
Image Path: C:\Users\ADMINI~1\AppData\Local\Temp\2NjYBB5e.sys
Address: 0x8FB8C000 Size: 183424 File Visible: No Signed: -
Status: -

Name: a4at5h0i.SYS
Image Path: C:\Windows\System32\Drivers\a4at5h0i.SYS
Address: 0x8E124000 Size: 229376 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x8FA81000 Size: 40960 File Visible: No Signed: -
Status: -

Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x8FA8B000 Size: 151552 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xB0C57000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spqr.sys
Image Path: C:\Windows\System32\Drivers\spqr.sys
Address: 0x8260A000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RootRepeal report 07-31-09 (10-37-54).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{422b67c5-7d80-11de-a962-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{422b67cb-7d80-11de-a962-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9e9a814b-7d98-11de-8065-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a4aee0b7-790e-11de-a1ed-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a4aee0be-790e-11de-a1ed-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a4aee0d8-790e-11de-a1ed-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a4aee0df-790e-11de-a1ed-0021976ab62d}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\ehome\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\XPSViewer\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_5d1777c2e857a23b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.363_none_8a15b9086beb7fdf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.363_none_8e06373e6966df58.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_57b67ceb7de564e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.363_none_10b3ee119bfeddb3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_c9dd3cb0e555217c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_118a7387f9d14a82.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.363_none_0c1882c59ee1cca8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b59bae9d65014b98.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.363_none_43f0c5a37830f5ec.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.363_none_8dd8d757d5a6c645.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.363_none_11eda95d9b2bd3f7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_9f63b3c292618dec.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.363_none_91949ed2671d02fc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5926f98ceadc42c2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_bdf22a22ab9e15d5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5ce47260749ddc2c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.0.6000.16856_none_bcd26caac1d45e84\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-aero_31bf3856ad364e35_6.0.6001.18000_none_abe3118b19699649\aero.msstyles.vgorg
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.0.6001.18000_en-us_7698ba05e403d673\winload.exe.mui.bak.vistamaster
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16651_none_3fe50116c43e1596\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16721_none_400572c0c425beea\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16772_none_3fd0636ec44d63f6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20788_none_40553023dd6dba94\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20885_none_4052312bdd706bb6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20949_none_408173e9dd4c5e75\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18032_none_41e1dfdec15387fc\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18112_none_41f7819cc1434d41\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18165_none_41c472dec16924fb\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22132_none_426b7ca9da7127c6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22233_none_426c7ed9da703e44\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22299_none_4231a10dda9b7df4\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll.vgorg
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.0.6001.18000_en-us_3dfdf7ca2b1d3a0d\user32renamed.dll.mui
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-uxtheme_31bf3856ad364e35_6.0.6001.18000_none_a5e49ad4068f9b12\uxtheme.dll.vgorg
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.16386_none_9e4413a31d88dd69\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.16720_none_9e3e9a071d8dacdd\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8776b0ab372ff1d0\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.16720_none_c2e2272db9e7b99c\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.20883_none_c32de54ed3334d11\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.18111_none_c4d43609b70547f3\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.22230_none_c54732b2d0340648\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6000.16708_none_f87832f6f02b1a0c\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6000.20864_none_f8bcef12097cfc20\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6001.18096_none_f9fb1fd6ed9c76a1\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6000.16708_none_74dcd7a292078251\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6000.20864_none_752193bdab596465\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6001.18096_none_765fc4828f78dee6\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6001.22208_none_774cb313a84bb30c\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6000.16708_none_7aa059d88e5323b0\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6000.20864_none_7ae515f3a7a505c4\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6001.18096_none_7c2346b88bc48045\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6001.22208_none_7d103549a497546b\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.18096_none_ada2ec92b42bf87e\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.0.6000.20868_none_bd533837daf84fc6\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.0.6000.21051_none_bd56e025daf6b2dd\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.0.6001.22212_none_bf6984bdd7fbbcf8\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.0.6001.22230_none_5efce545badd1f03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.16720_none_b462fc0cbe880bcb\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.20883_none_9d9b12b0d82a50be\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.18111_none_b43de0c2beda186c\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.22230_none_9d72515ed87f917f\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6000.16720_none_ea4958dde0dcb61b\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6000.20883_none_d3816f81fa7efb0e\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6001.18111_none_ea243d93e12ec2bc\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6001.22230_none_d358ae2ffad43bcf\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6000.16720_none_879a188098bde787\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6000.20883_none_70d22f24b2602c7a\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6001.18111_none_8774fd36990ff428\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6001.22230_none_70a96dd2b2b56d3b\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18111_none_9e197ebd1ddfb97e\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.22230_none_874def5937853291\WEBCON~1.DEF
Status: Locked to the Windows API!


I collect viruses... unintentionally.
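As an added example (not from the thread, and not the RootRepeal tool's own code), a small Python triage helper for the "Stealth Objects" section of a RootRepeal log like the one posted above: it pairs each "Object:" line with its "Process:" line, groups the hooks by driver, and orders drivers for review by two signs a practitioner looks at first, a driver name that came back garbled and a set of IRP dispatch entries all redirected to one address. The log text inside the block is constructed in RootRepeal's format, and reading the second "Address" field as a length is an assumption.

```python
import re
from collections import defaultdict

# One RootRepeal "Stealth Objects" entry is two lines: the hooked driver and
# IRP major function, then the hook address and a second "Address" field
# (taken here as the hidden-code length; that reading is an assumption).
HOOK_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]$")
ADDR_RE = re.compile(
    r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9A-Fa-f]+) Address: (?P<length>\d+)$")


def parse_stealth_objects(text):
    """Return one dict per hook: driver, irp, process, address (int), length."""
    hooks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            pending["process"] = m["process"]
            pending["address"] = int(m["addr"], 16)
            pending["length"] = int(m["length"])
            hooks.append(pending)
            pending = None
    return hooks


def name_is_garbled(driver):
    """RootRepeal prints the driver name straight from kernel memory; bytes
    outside printable ASCII mean the name string it read was not intact."""
    return any(not (0x20 <= ord(ch) <= 0x7e) for ch in driver)


def summarize(hooks):
    """Per driver: how many IRP majors are hooked, whether all of them land on
    the same address, and whether the printed name is garbled."""
    grouped = defaultdict(lambda: {"irps": set(), "addresses": set()})
    for h in hooks:
        grouped[h["driver"]]["irps"].add(h["irp"])
        grouped[h["driver"]]["addresses"].add(h["address"])
    return {
        driver: {
            "hook_count": len(g["irps"]),
            "single_target": len(g["addresses"]) == 1,
            "garbled_name": name_is_garbled(driver),
        }
        for driver, g in grouped.items()
    }


def review_list(summary, min_hooks=3):
    """Drivers to look at first: a garbled name, or several IRP majors all
    redirected to one address (one handler taking every request type).
    Legitimate filter drivers can show the same shape, so this is a triage
    order, not a verdict."""
    return sorted(
        d for d, s in summary.items()
        if s["garbled_name"] or (s["single_target"] and s["hook_count"] >= min_hooks))


# Constructed sample in RootRepeal's format (not the thread's own log).
SAMPLE_LOG = """\
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x87a00420 Address: 107

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x87a011c0 Address: 1022

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x85aa01f8 Address: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85aa01f8 Address: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x85aa01f8 Address: 121

Object: Hidden Code [Driver: a4at5h0i\u0402\u6d4d\u6150, IRP_MJ_CREATE]
Process: System Address: 0x85bb01f8 Address: 121
"""
```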


#8 boopme
  • Global Moderator
  • Location:NJ USA

Posted 31 July 2009 - 10:48 AM

Ok, this is looking a lot better. No, I don't need the SSDT, thanks.

You should reinstall Avast.
Avast Uninstall Utility (aswClear.exe)

The software removes all traces of Avast 4.xx and can uninstall the software even when the cancellation by the Windows Control Panel fails:

Avast Uninstall Utility: http://icifiles.avast.com/files/eng/aswclear.exe


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#9 Reaxku The Fox
  • Topic Starter
  • Members

Posted 31 July 2009 - 03:39 PM

Alright...

Ok this is looking a lot better

I'm glad, I'll be pretty impressed with myself if I terminated it alone :thumbsup:



#10 boopme
  • Global Moderator
  • Location:NJ USA

Posted 31 July 2009 - 07:41 PM

Please post the MBAM log, as we still need to clean up if all's good.

#11 Reaxku The Fox
  • Topic Starter
  • Members

Posted 31 July 2009 - 09:38 PM

Is it odd that when I tried to boot up into normal mode I had to run the chkdsk utility from Vista's repair console? It said my disk was corrupted, but safe mode boots fine... I booted into normal mode because connecting to the internet in safe mode for me is almost as much of a nightmare as this infection is/was. I'm monitoring all connections with TCPView as I update.

Just finished updating! Only one "infected" file. I made a copy of cmd.exe (clean) onto my desktop and renamed it to svchost.exe; I used it to help start some programs before you came to help. Malwarebytes picks it up as "Heuristics.Reserved.Word.Exploit"; this is a false positive, I'm sure.

Edited by Reaxku The Fox, 31 July 2009 - 09:42 PM.


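A defender's view of the detection Reaxku describes above (a clean cmd.exe copied to the desktop and renamed svchost.exe, flagged as Heuristics.Reserved.Word.Exploit): the added Python below, which is not Malwarebytes' logic and not code from this thread, implements the same kind of reserved-name check, flagging a file that carries the name of a core Windows binary but lives outside the directory Windows installs that binary in. The table of names and home directories and the process records are constructed for the example.

```python
import ntpath

# Core Windows binary names and the directories (under the Windows directory)
# where the genuine copies live. Constructed table for this example, not a
# vendor signature set; a real tool would also check the file's signature.
RESERVED_NAMES = {
    "svchost.exe": ("System32", "SysWOW64"),
    "csrss.exe": ("System32",),
    "lsass.exe": ("System32",),
    "winlogon.exe": ("System32",),
    "services.exe": ("System32",),
    "cmd.exe": ("System32", "SysWOW64"),
    "explorer.exe": ("",),          # sits directly in the Windows directory
}


def classify(path, windows_dir="C:\\Windows"):
    """Classify one image path.

    Returns 'not-reserved' when the file name is not a reserved system name,
    'ok' when it carries a reserved name and sits in one of that name's home
    directories, and 'reserved-name-misplaced' otherwise (the thread's case:
    a cmd.exe renamed svchost.exe on the desktop). Comparison is
    case-insensitive, as Windows paths are; 8.3 short names are not expanded.
    """
    name = ntpath.basename(path).lower()
    homes = RESERVED_NAMES.get(name)
    if homes is None:
        return "not-reserved"
    parent = ntpath.normpath(ntpath.dirname(path)).lower()
    for sub in homes:
        if parent == ntpath.normpath(ntpath.join(windows_dir, sub)).lower():
            return "ok"
    return "reserved-name-misplaced"


def misplaced(records, windows_dir="C:\\Windows"):
    """Return the (pid, path) pairs whose image carries a reserved name outside
    its home directory, i.e. the ones worth a human's attention."""
    return [(r["pid"], r["path"]) for r in records
            if classify(r["path"], windows_dir) == "reserved-name-misplaced"]


# Constructed process listing: a genuine service host, a 32-bit host, the
# renamed cmd.exe from the thread, and an unrelated user program.
SAMPLE_PROCESSES = [
    {"pid": 820, "path": "C:\\Windows\\System32\\svchost.exe"},
    {"pid": 1304, "path": "C:\\Windows\\SysWOW64\\SVCHOST.EXE"},
    {"pid": 2216, "path": "C:\\Users\\reaxku\\Desktop\\svchost.exe"},
    {"pid": 2500, "path": "C:\\Program Files\\TCPView\\Tcpview.exe"},
]

if __name__ == "__main__":
    for pid, path in misplaced(SAMPLE_PROCESSES):
        print(f"review: pid {pid} {path}")
```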

#12 boopme
  • Global Moderator
  • Location:NJ USA

Posted 01 August 2009 - 10:03 AM

Hello, perhaps it's best to look a little deeper inside. Please run HJT/DDS.
Please follow this guide; go and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#13 Reaxku The Fox
  • Topic Starter
  • Members

Posted 01 August 2009 - 12:49 PM

Alright, made a topic here: http://www.bleepingcomputer.com/forums/t/246013/aftermath-of-a-roguemultipleh-infection/
Thanks for helping me a second time, you people are truly underappreciated!



#14 Orange Blossom
  • Moderator
  • Location:Bloomington, IN

Posted 01 August 2009 - 07:47 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/246013/aftermath-of-a-roguemultipleh-infection/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.