Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A first for me


  • This topic is locked This topic is locked
11 replies to this topic

#1 easjogren

easjogren

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 23 August 2009 - 04:09 PM

Anytime any process is executed a blank command screen flashes with C:Windowssystem32Dllhost.exe at the top. Also noticed that CPU is running at 100%, even though computer speed isn't that out of the ordinary. More of an inconvenience than anything. Have run Ad Aware and Spybot S&D with no luck so I'm turning to you guys.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:09 PM, on 8/23/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:Windowssystem32Dwm.exe
C:Windowssystem32taskeng.exe
C:WindowsExplorer.EXE
C:Program FilesDellTPadApoint.exe
C:WindowsOEM02Mon.exe
C:Program FilesCreativeSBAudigyVolume PanelVolPanlu.exe
C:WindowsSystem32WLTRAY.EXE
C:Program FilesJavajre6binjusched.exe
C:WindowsSystem32rundll32.exe
C:WindowsSystem32rundll32.exe
C:Program FilesIntelIntel Matrix Storage ManagerIAAnotif.exe
C:Program FilesSigmatelC-Major AudioWDMsttray.exe
C:Windowsehomeehtray.exe
C:Program FilesWindows Media Playerwmpnscfg.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Windowssystem32wbemunsecapp.exe
C:Program FilesDellTPadApMsgFwd.exe
C:Program FilesDellTPadHidFind.exe
C:Windowsehomeehmsas.exe
C:Program FilesDellTPadApntex.exe
C:UsersEASDesktopHiJackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Internet Explorer provided by Dell
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:Program Filesfree-downloads.nettbfree.dll
O1 - Hosts:  ( @
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre6binssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:Program FilesDellBAEBAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:Program Filesfree-downloads.nettbfree.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:Program Filesfree-downloads.nettbfree.dll
O4 - HKLM..Run: [Apoint] C:Program FilesDellTPadApoint.exe
O4 - HKLM..Run: [OEM02Mon.exe] C:WindowsOEM02Mon.exe
O4 - HKLM..Run: [VolPanel] "C:Program FilesCreativeSBAudigyVolume PanelVolPanlu.exe" /r
O4 - HKLM..Run: [UpdReg] C:WindowsUpdReg.EXE
O4 - HKLM..Run: [Broadcom Wireless Manager UI] C:Windowssystem32WLTRAY.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre6binjusched.exe"
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:Windowssystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:Windowssystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [NVHotkey] rundll32.exe C:Windowssystem32nvHotkey.dll,Start
O4 - HKLM..Run: [IAAnotif] "C:Program FilesIntelIntel Matrix Storage ManagerIaanotif.exe"
O4 - HKLM..Run: [SigmatelSysTrayApp] %ProgramFiles%SigmaTelC-Major AudioWDMsttray.exe
O4 - HKCU..Run: [ehTray.exe] C:WindowsehomeehTray.exe
O4 - HKCU..Run: [WMPNSCFG] C:Program FilesWindows Media PlayerWMPNSCFG.exe
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:Program FilesWIDCOMMBluetooth Softwarebtsendto_ie.htm
O13 - Gopher Prefix:
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:Windowssystem32aestsrv.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:Windowssystem32dllhost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:Program FilesCommon FilesCreative Labs SharedServiceCreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:Windowssystem32CTsvcCDA.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:ProgramDataEPSONEPW!3 SSRPE_S40RP7.EXE
O23 - Service: Intel Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:Program FilesLavasoftAd-AwareAAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:Windowssystem32nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:Windowssystem32PnkBstrA.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:WindowsSystem32rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:Program FilesSpybot - Search & DestroySDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:Windowssystem32STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:Program FilesCommon FilesSteamSteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:Program FilesCommon FilesSureThing Sharedstllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:WindowsSystem32WLTRYSVC.EXE

What puzzles me is that if I right click on the empty command box I can change the preferences of it. Color, Positioning, Font (even though the text is blank), and Cursor size.

And upon further investigation of it's properties I think c:\windows\system32\ntvdm.exe is the culprit. Your thoughts?

Edited by easjogren, 23 August 2009 - 05:53 PM.
Merged posts.Tw


BC AdBot (Login to Remove)

 


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:11:45 AM

Posted 05 September 2009 - 09:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 easjogren

easjogren
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 11 September 2009 - 03:38 PM

DDS (Ver_09-07-30.01) - NTFSx86
Run by EAS at 16:34:40.02 on Fri 09/11/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_11
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3581.2487 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rpcnet.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\EAS\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
mURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\eriksj~1\appdata\roaming\mozilla\firefox\profiles\0i6wu3nv.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-6-15 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-23 1153368]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-6-16 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-6-16 7424]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2008-6-16 209408]

=============== Created Last 30 ================

2009-09-07 20:09 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-07 20:09 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 21:41 2,048 a------- c:\windows\system32\tzres.dll
2009-08-23 18:01 <DIR> --d----- c:\program files\IDoser v4
2009-08-23 15:18 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-23 15:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-23 15:18 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-23 15:05 <DIR> --d----- c:\users\eriksj~1\appdata\roaming\Malwarebytes
2009-08-23 15:05 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-23 15:05 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-22 16:37 <DIR> --d----- c:\program files\I-Doser
2009-08-22 11:40 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-22 00:50 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-22 00:48 <DIR> --d----- c:\programdata\Lavasoft
2009-08-22 00:48 <DIR> --d----- c:\program files\Lavasoft
2009-08-22 00:48 <DIR> -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-22 00:48 <DIR> -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-13 11:38 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-13 11:38 71,680 a------- c:\windows\system32\atl.dll
2009-08-13 11:38 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-13 11:37 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-13 11:36 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-13 11:36 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-13 11:36 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-13 11:36 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-13 11:36 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-13 11:36 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-13 11:36 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-13 11:35 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-13 11:35 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-13 11:35 270,848 a------- c:\windows\system32\schannel.dll
2009-08-13 11:35 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-13 11:35 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-13 11:35 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 11:35 72,704 a------- c:\windows\system32\secur32.dll
2009-08-13 11:35 9,728 a------- c:\windows\system32\lsass.exe

==================== Find3M ====================

2009-09-11 16:29 56,680 a------- c:\windows\system32\rpcnet.dll
2009-09-11 16:28 2,140 a------- c:\windows\bthservsdp.dat
2009-09-11 16:10 28,504 a------- c:\programdata\nvModes.dat
2009-09-11 16:10 28,504 a------- c:\progra~2\nvModes.dat
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-14 12:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-07-11 15:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 15:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 15:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 15:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 13:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-06-10 22:32 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-10 22:32 86,016 a------- c:\windows\inf\infstor.dat
2009-06-10 22:32 51,200 a------- c:\windows\inf\infpub.dat
2009-06-10 22:28 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-29 12:45 22,328 a------- c:\users\eriksj~1\appdata\roaming\PnkBstrK.sys
2008-06-23 21:49 1,844 a------- c:\users\eriksj~1\appdata\roaming\install.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-06-15 22:41 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 16:35:28.08 ===============

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:45 PM

Posted 11 September 2009 - 08:40 PM

Hi easjogren,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

There doesn't seem to be anything malicious in those logs but lately the malware isn't being all that visible. Your symptoms don't seem to be indicative of any infections but let's just double-check.

Let's start with rootkits

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Please run MBAM, a removal tool which finds most nasties or traces of them


Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 easjogren

easjogren
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 12 September 2009 - 09:32 PM

removed, restarted, issue still prevalent. :thumbup2: :) :)

Malwarebytes' Anti-Malware 1.41
Database version: 2787
Windows 6.0.6002 Service Pack 2

9/12/2009 10:26:22 PM
mbam-log-2009-09-12 (22-26-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 226468
Time elapsed: 1 hour(s), 17 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\V CAST Music with Rhapsody\mpaplugins\rjdspln.dll (Malware.Packer) -> No action taken.
______

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/12 21:03
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x90F2A000 Size: 815104 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9E7F4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwu.sys
Image Path: C:\Windows\System32\Drivers\spwu.sys
Address: 0x8068D000 Size: 1052672 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2acf8841-5a95-11de-b509-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2acf889d-5a95-11de-b509-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{439ccd48-55f4-11de-8136-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{45011e7c-87e3-11de-bef4-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{65f283b7-5f99-11de-96a4-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6c753b01-9d00-11de-9e09-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6fc8a227-8f5c-11de-bb0f-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6fc8a22c-8f5c-11de-bb0f-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{816fba48-9022-11de-82f0-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a43a94b6-6b88-11de-80a7-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a43a94dc-6b88-11de-80a7-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a43a94ef-6b88-11de-80a7-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ba8504a1-965f-11de-9390-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bf750277-9024-11de-966f-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\Temp\TMP0000005729B24DA6E4D28E65
Status: Visible to the Windows API, but not on disk.

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_5c94f2bbe7d4aaf6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdproxy_31bf3856ad364e35_6.0.6000.16386_none_792f8ff471a64e3b\$$DeleteMe.fdProxy.dll.01c9ea3c4ff82dde.001e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdssdp_31bf3856ad364e35_6.0.6001.18000_none_3addf297743e6161\$$DeleteMe.fdSSDP.dll.01c9ea3c511cf6fe.004b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdwsd_31bf3856ad364e35_6.0.6001.18000_none_7da88373c225d895\$$DeleteMe.fdWSD.dll.01c9ea3c52ef847e.0091
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fundisc_31bf3856ad364e35_6.0.6001.18000_none_7be46ed83ae29055\$$DeleteMe.fundisc.dll.01c9ea3c509c6cbe.0036
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_6.0.6001.18000_none_420aa4b9c28d5162\$$DeleteMe.SmartcardCredentialProvider.dll.01c9ea3c52206cde.006d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_d51103be4cb9d6c3\$$DeleteMe.apphelp.dll.01c9ea3c52f6a89e.0094
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.0.6001.18000_none_5f327439667d597c\$$DeleteMe.adsldpc.dll.01c9ea3c509a0b5e.0034
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18005_none_0e0fb1c9ef6c69c7\$$DeleteMe.AcGenral.dll.01ca310d130bae88.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0\$$DeleteMe.advapi32.dll.01c9ea3c4fcaf3be.0019
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-atl_31bf3856ad364e35_6.0.6001.18000_none_ab203fc659b26ce7\$$DeleteMe.atl.dll.01ca1c331cda97b0.0008
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.audiodg.exe.01c9ea3c4fcfb67e.001a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.AudioSes.dll.01c9ea3c520fc33e.0069
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.audiosrv.dll.01c9ea3c52c24a5e.008c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.0.6001.18000_none_b5dfbc3a51b01b87\$$DeleteMe.winmm.dll.01c9ea3c527fa3de.007f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.0.6001.18000_none_0bf37d16f567e1f7\$$DeleteMe.authui.dll.01c9ea3c51ec0e9e.0062
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.0.6001.18000_none_589bbe5841e2df00\$$DeleteMe.dsound.dll.01c9ea3c51965d1e.005c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_ee8c936cef65a88f\$$DeleteMe.bcrypt.dll.01c9ea3c4fe0601e.001c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\$$DeleteMe.qmgr.dll.01c9ea3c516de5be.0057
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-igdsearcher_31bf3856ad364e35_6.0.6001.18000_none_b16c3d098f004f58\$$DeleteMe.bitsigd.dll.01c9ea3c513be8de.0050
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bth-user_31bf3856ad364e35_6.0.6001.18000_none_65193febd52e137a\$$DeleteMe.wshbth.dll.01c9ea3c4fa9a07e.0014
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_0cbe918751dfdd3f\$$DeleteMe.es.dll.01c9ea3c52bd879e.008b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..rformance-xperfcore_31bf3856ad364e35_6.0.6001.18000_none_d71173946e986845\$$DeleteMe.diagperf.dll.01c9ea3c539624be.00a5
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.18000_none_d77db57c3ca78826\$$DeleteMe.certcli.dll.01c9ea3c50a8539e.003b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cmi_31bf3856ad364e35_6.0.6001.18000_none_a9ce4a485a8ade99\$$DeleteMe.cmiv2.dll.01c9ea3c56d4e49e.00ba
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.18000_none_ac1da75bf2516084\$$DeleteMe.ole32.dll.01c9ea3c50ed5b7e.0046
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\$$DeleteMe.rpcss.dll.01c9ea3c52b8c4de.0089
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.0.6001.18000_none_b5b111a1a5a793a5\$$DeleteMe.comdlg32.dll.01c9ea3c50aab4fe.003c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.0.6001.18000_none_7701ab362cebf905\$$DeleteMe.umpnpmgr.dll.01c9ea3c534c5a1e.009d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-credui_31bf3856ad364e35_6.0.6001.18000_none_db374cc18eed7408\$$DeleteMe.credui.dll.01c9ea3c4f5b131e.0009
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\$$DeleteMe.crypt32.dll.01c9ea3c5241c01e.0074
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\$$DeleteMe.cryptsvc.dll.01c9ea3c50e1749e.0042
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.0.6001.18000_none_85ee5b5e98235317\$$DeleteMe.cryptui.dll.01c9ea3c519d813e.005d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6001.18000_none_8da39414bd31fb37\$$DeleteMe.uxsms.dll.01c9ea3c530c14fe.0097
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc.dll.01c9ea3c531a5d3e.0099
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc6.dll.01c9ea3c4f695b5e.000c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samlib.dll.01c9ea3c5158795e.0052
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samsrv.dll.01c9ea3c4fbf0cde.0016
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.0.6000.16386_none_571790f3532b2696\$$DeleteMe.winrnr.dll.01c9ea3c53adf27e.00a8
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsapi.dll.01c9ea3c4fae633e.0015
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsrslvr.dll.01c9ea3c5078b81e.002f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\$$DeleteMe.eappcfg.dll.01c9ea3c4f6bbcbe.000d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\$$DeleteMe.eapphost.dll.01c9ea3c538f009e.00a4
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18098_none_9e329f52f6fc276d\$$DeleteMe.emdmgmt.dll.01c9ea3c5248e43e.0076
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.0.6001.18000_none_f1e446e12c0bbf09\$$DeleteMe.esent.dll.01c9ea3c51f5941e.0065
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.0.6001.18000_none_2076b21605e43be9\$$DeleteMe.wer.dll.01c9ea3c50f47f9e.0047
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.18000_none_dcc45c1a12d92f84\$$DeleteMe.wevtsvc.dll.01c9ea3c4fc8925e.0017
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feclient_31bf3856ad364e35_6.0.6001.18000_none_beda112b5794d4e0\$$DeleteMe.feclient.dll.01c9ea3c53537e3e.009f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.18145_none_79a5b70991018b47\$$DeleteMe.wersvc.dll.01c9ea3c52252f9e.006e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpapi.dll.01c9ea3c5164603e.0056
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpsvc.dll.01c9ea3c526c98de.007d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-hid-user_31bf3856ad364e35_6.0.6000.16386_none_d47586718a839763\$$DeleteMe.hidserv.dll.01c9ea3c5284669e.0080
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\$$DeleteMe.wininet.dll.01c9ea3c51d440de.0060
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-icm-base_31bf3856ad364e35_6.0.6001.18000_none_22c7ea5489633945\$$DeleteMe.mscms.dll.01c9ea3c5164603e.0055
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18148_none_47806edf8c9d67e6\$$DeleteMe.iertutil.dll.01c9ea3c5132635e.004f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6001.18000_none_5c561e167a6afd02\$$DeleteMe.imm32.dll.01c9ea3c5023069e.0026
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\$$DeleteMe.kernel32.dll.01c9ea3c5023069e.0025
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.0.6001.18000_none_f33c4797566bb3db\$$DeleteMe.Wldap32.dll.01c9ea3c515f9d7e.0054
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsasrv.dll.01c9ea3c4c12cdbe.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsass.exe.01ca1c331c9cb3f0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.secur32.dll.01c9ea3c4c1eb49e.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\$$DeleteMe.lsasrv.dll.01ca1c331c9f1550.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\$$DeleteMe.lsass.exe.01ca1c331c9cb3f0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\$$DeleteMe.secur32.dll.01ca1c331c9f1550.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18000_none_9c5f2f3c0cc1aa83\$$DeleteMe.mf.dll.01c966324aa24420.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mfplat_31bf3856ad364e35_6.0.6001.18000_none_f6aa98ad53755122\$$DeleteMe.mfplat.dll.01c9ea3c4f91d2be.0011
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mmdeviceapi_31bf3856ad364e35_6.0.6001.18000_none_55044397b961da8a\$$DeleteMe.MMDevAPI.dll.01c9ea3c5374d17e.00a2
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mprapi_31bf3856ad364e35_6.0.6001.18000_none_140c84ec53049b39\$$DeleteMe.mprapi.dll.01c9ea3c4f5fd5de.000b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.0.6001.18000_none_c7427a4e786d74bc\$$DeleteMe.adtschema.dll.01c9ea3c5235d93e.0071
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mpr_31bf3856ad364e35_6.0.6001.18000_none_add5c97257f151a1\$$DeleteMe.mpr.dll.01c9ea3c50c4e41e.003f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6001.18136_none_8853d47896e90b40\$$DeleteMe.msxml3.dll.01c9ea3c52bb263e.008a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.0.6001.18000_none_d15536209ee61dad\$$DeleteMe.msvcrt.dll.01c9ea3c512da09e.004e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18000_none_440e77d1ec053e6c\$$DeleteMe.FwRemoteSvr.dll.01c9ea3c51919a5e.005b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.FwRemoteSvr.dll.01c9ea3c51919a5e.005b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.IPSECSVC.DLL.01c9ea3c5111101e.004a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\$$DeleteMe.NaturalLanguage6.dll.01c9ea3c535f651e.00a1
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\$$DeleteMe.NlsLexicons0009.dll.01c9ea3c50a5f23e.0039
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_5dde5591f19c0ea3\$$DeleteMe.ncrypt.dll.01c9ea3c51d1df7e.005f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\$$DeleteMe.netapi32.dll.01c9ea3c52a0f71e.0084
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netshell_31bf3856ad364e35_6.0.6001.18000_none_d5836ad30e0ac92d\$$DeleteMe.netshell.dll.01c9ea3c52b6637e.0088
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.BFE.DLL.01c9ea3c4c02241e.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.FWPUCLNT.DLL.01c9ea3c4bfd615e.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.IKEEXT.DLL.01c9ea3c4c1c533e.0005
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ntdll_31bf3856ad364e35_6.0.6001.18000_none_58d6de41fc2dac16\$$DeleteMe.ntdll.dll.01c9ea3c4c0ba99e.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.0.6001.18000_none_ab6af9d0f92539f0\$$DeleteMe.cscapi.dll.01c9ea3c530e765e.0098
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6001.18000_none_bd002a8dfb7a3328\$$DeleteMe.oleaut32.dll.01c9ea3c5073f55e.002e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-onex_31bf3856ad364e35_6.0.6001.18000_none_a5cb1bed1d5ba052\$$DeleteMe.onex.dll.01c9ea3c4f81291e.000f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18000_none_301b5dfb92ae18db\$$DeleteMe.localspl.dll.01c9ea00e8bc7fe8.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18247_none_2ff7241d92c8344e\$$DeleteMe.localspl.dll.01c9ea3c52fdccbe.0095
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..pooler-core-spoolss_31bf3856ad364e35_6.0.6001.18000_none_5b3992df8e604356\$$DeleteMe.spoolss.dll.01c9ea3c51f5941e.0064
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_6.0.6001.18000_none_8ad265adc8633a42\$$DeleteMe.inetpp.dll.01c9ea3c5059c63e.002b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor-tcpmondll_31bf3856ad364e35_6.0.6001.18000_none_d2ac9d5aa723258e\$$DeleteMe.tcpmon.dll.01c9ea3c538a3dde.00a3
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-wsdportmonitor_31bf3856ad364e35_6.0.6001.18000_none_16d3442ddf994157\$$DeleteMe.WSDMon.dll.01c9ea3c4ffcf09e.0020
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6001.18000_none_932df61f18add086\$$DeleteMe.winspool.drv.01c9ea3c52af3f5e.0087
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-pantherengine_31bf3856ad364e35_6.0.6001.18000_none_ae116f90a5d6b7d4\$$DeleteMe.wdscore.dll.01c9ea3c5180f0be.0059
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\$$DeleteMe.spoolsv.exe.01c9ea3c52c70d1e.008e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-profsvc_31bf3856ad364e35_6.0.6001.18000_none_fbb1576d32ad0ba9\$$DeleteMe.profsvc.dll.01c9ea3c5250085e.0078
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.6001.16503_none_f3d11aeeb9526bbb\$$DeleteMe.propsys.dll.01c9ea3c502567fe.0027
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-raschap_31bf3856ad364e35_6.0.6001.18000_none_12bf0305774c76e6\$$DeleteMe.raschap.dll.01c9ea3c50680e7e.002c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasdlg_31bf3856ad364e35_6.0.6001.18000_none_6d133c0e4fa0edb1\$$DeleteMe.rasdlg.dll.01c9ea3c4f5d747e.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.0.6001.18000_none_0d159410ea7a8f9d\$$DeleteMe.rtutils.dll.01c9ea3c50849efe.0030
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasmanservice_31bf3856ad364e35_6.0.6001.18000_none_9ebd9641a0a88359\$$DeleteMe.rasmans.dll.01c9ea3c521948be.006c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasplap_31bf3856ad364e35_6.0.6001.18000_none_1236753177b2477f\$$DeleteMe.rasplap.dll.01c9ea3c52dc797e.0090
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasppp_31bf3856ad364e35_6.0.6001.18000_none_6c94b11e4fff8902\$$DeleteMe.rasppp.dll.01c9ea3c50cc083e.0040
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastapi_31bf3856ad364e35_6.0.6001.18000_none_0ee42a5979dd0144\$$DeleteMe.rastapi.dll.01c9ea3c522790fe.006f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastls_31bf3856ad364e35_6.0.6001.18000_none_6c652bee5023e04d\$$DeleteMe.rastls.dll.01c9ea3c5185b37e.005a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-riched32_31bf3856ad364e35_6.0.6001.18000_none_9d00b3d6829ba4d0\$$DeleteMe.riched20.dll.01c9ea3c50a5f23e.003a
Status: Locked to thProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1280 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_CREATE]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_CLOSE]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_READ]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_WRITE]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_QUERY_EA]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SET_EA]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_CLEANUP]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_PNP]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CREATE]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CLOSE]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_POWER]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_PNP]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_CREATE]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_CLOSE]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_READ]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_WRITE]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_POWER]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_PNP]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_CREATE]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_CLOSE]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_POWER]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_PNP]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_CREATE]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_CLOSE]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_CLEANUP]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_PNP]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_CREATE]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_CLOSE]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_CLEANUP]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_PNP]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_CREATE]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_CLOSE]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_POWER]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_PNP]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CREATE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CLOSE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_READ]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_WRITE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_EA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_EA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CLEANUP]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_POWER]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_PNP]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_CREATE]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_CLOSE]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_READ]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_WRITE]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_CLEANUP]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_PNP]
Process: System Address: 0x8995d1f8 Size: 121

==EOF==

Malwarebytes' Anti-Malware 1.41
Database version: 2787
Windows 6.0.6002 Service Pack 2

9/12/2009 10:26:22 PM
mbam-log-2009-09-12 (22-26-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 226468
Time elapsed: 1 hour(s), 17 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\V CAST Music with Rhapsody\mpaplugins\rjdspln.dll (Malware.Packer) -> No action taken.
______

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/12 21:03
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x90F2A000 Size: 815104 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9E7F4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwu.sys
Image Path: C:\Windows\System32\Drivers\spwu.sys
Address: 0x8068D000 Size: 1052672 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2acf8841-5a95-11de-b509-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2acf889d-5a95-11de-b509-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{439ccd48-55f4-11de-8136-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{45011e7c-87e3-11de-bef4-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{65f283b7-5f99-11de-96a4-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6c753b01-9d00-11de-9e09-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6fc8a227-8f5c-11de-bb0f-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6fc8a22c-8f5c-11de-bb0f-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{816fba48-9022-11de-82f0-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a43a94b6-6b88-11de-80a7-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a43a94dc-6b88-11de-80a7-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a43a94ef-6b88-11de-80a7-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ba8504a1-965f-11de-9390-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bf750277-9024-11de-966f-001fe1f10a5c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\Temp\TMP0000005729B24DA6E4D28E65
Status: Visible to the Windows API, but not on disk.

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_5c94f2bbe7d4aaf6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdproxy_31bf3856ad364e35_6.0.6000.16386_none_792f8ff471a64e3b\$$DeleteMe.fdProxy.dll.01c9ea3c4ff82dde.001e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdssdp_31bf3856ad364e35_6.0.6001.18000_none_3addf297743e6161\$$DeleteMe.fdSSDP.dll.01c9ea3c511cf6fe.004b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdwsd_31bf3856ad364e35_6.0.6001.18000_none_7da88373c225d895\$$DeleteMe.fdWSD.dll.01c9ea3c52ef847e.0091
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fundisc_31bf3856ad364e35_6.0.6001.18000_none_7be46ed83ae29055\$$DeleteMe.fundisc.dll.01c9ea3c509c6cbe.0036
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_6.0.6001.18000_none_420aa4b9c28d5162\$$DeleteMe.SmartcardCredentialProvider.dll.01c9ea3c52206cde.006d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_d51103be4cb9d6c3\$$DeleteMe.apphelp.dll.01c9ea3c52f6a89e.0094
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.0.6001.18000_none_5f327439667d597c\$$DeleteMe.adsldpc.dll.01c9ea3c509a0b5e.0034
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-mitigations-c3_31bf3856ad364e35_6.0.6002.18005_none_0e0fb1c9ef6c69c7\$$DeleteMe.AcGenral.dll.01ca310d130bae88.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0\$$DeleteMe.advapi32.dll.01c9ea3c4fcaf3be.0019
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-atl_31bf3856ad364e35_6.0.6001.18000_none_ab203fc659b26ce7\$$DeleteMe.atl.dll.01ca1c331cda97b0.0008
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.audiodg.exe.01c9ea3c4fcfb67e.001a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.AudioSes.dll.01c9ea3c520fc33e.0069
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.audiosrv.dll.01c9ea3c52c24a5e.008c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.0.6001.18000_none_b5dfbc3a51b01b87\$$DeleteMe.winmm.dll.01c9ea3c527fa3de.007f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.0.6001.18000_none_0bf37d16f567e1f7\$$DeleteMe.authui.dll.01c9ea3c51ec0e9e.0062
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-dsound_31bf3856ad364e35_6.0.6001.18000_none_589bbe5841e2df00\$$DeleteMe.dsound.dll.01c9ea3c51965d1e.005c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_ee8c936cef65a88f\$$DeleteMe.bcrypt.dll.01c9ea3c4fe0601e.001c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\$$DeleteMe.qmgr.dll.01c9ea3c516de5be.0057
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-igdsearcher_31bf3856ad364e35_6.0.6001.18000_none_b16c3d098f004f58\$$DeleteMe.bitsigd.dll.01c9ea3c513be8de.0050
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bth-user_31bf3856ad364e35_6.0.6001.18000_none_65193febd52e137a\$$DeleteMe.wshbth.dll.01c9ea3c4fa9a07e.0014
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_0cbe918751dfdd3f\$$DeleteMe.es.dll.01c9ea3c52bd879e.008b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..rformance-xperfcore_31bf3856ad364e35_6.0.6001.18000_none_d71173946e986845\$$DeleteMe.diagperf.dll.01c9ea3c539624be.00a5
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.18000_none_d77db57c3ca78826\$$DeleteMe.certcli.dll.01c9ea3c50a8539e.003b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cmi_31bf3856ad364e35_6.0.6001.18000_none_a9ce4a485a8ade99\$$DeleteMe.cmiv2.dll.01c9ea3c56d4e49e.00ba
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6001.18000_none_ac1da75bf2516084\$$DeleteMe.ole32.dll.01c9ea3c50ed5b7e.0046
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\$$DeleteMe.rpcss.dll.01c9ea3c52b8c4de.0089
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.0.6001.18000_none_b5b111a1a5a793a5\$$DeleteMe.comdlg32.dll.01c9ea3c50aab4fe.003c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.0.6001.18000_none_7701ab362cebf905\$$DeleteMe.umpnpmgr.dll.01c9ea3c534c5a1e.009d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-credui_31bf3856ad364e35_6.0.6001.18000_none_db374cc18eed7408\$$DeleteMe.credui.dll.01c9ea3c4f5b131e.0009
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\$$DeleteMe.crypt32.dll.01c9ea3c5241c01e.0074
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\$$DeleteMe.cryptsvc.dll.01c9ea3c50e1749e.0042
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.0.6001.18000_none_85ee5b5e98235317\$$DeleteMe.cryptui.dll.01c9ea3c519d813e.005d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6001.18000_none_8da39414bd31fb37\$$DeleteMe.uxsms.dll.01c9ea3c530c14fe.0097
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc.dll.01c9ea3c531a5d3e.0099
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc6.dll.01c9ea3c4f695b5e.000c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samlib.dll.01c9ea3c5158795e.0052
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samsrv.dll.01c9ea3c4fbf0cde.0016
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.0.6000.16386_none_571790f3532b2696\$$DeleteMe.winrnr.dll.01c9ea3c53adf27e.00a8
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsapi.dll.01c9ea3c4fae633e.0015
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsrslvr.dll.01c9ea3c5078b81e.002f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\$$DeleteMe.eappcfg.dll.01c9ea3c4f6bbcbe.000d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\$$DeleteMe.eapphost.dll.01c9ea3c538f009e.00a4
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18098_none_9e329f52f6fc276d\$$DeleteMe.emdmgmt.dll.01c9ea3c5248e43e.0076
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.0.6001.18000_none_f1e446e12c0bbf09\$$DeleteMe.esent.dll.01c9ea3c51f5941e.0065
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.0.6001.18000_none_2076b21605e43be9\$$DeleteMe.wer.dll.01c9ea3c50f47f9e.0047
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.18000_none_dcc45c1a12d92f84\$$DeleteMe.wevtsvc.dll.01c9ea3c4fc8925e.0017
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feclient_31bf3856ad364e35_6.0.6001.18000_none_beda112b5794d4e0\$$DeleteMe.feclient.dll.01c9ea3c53537e3e.009f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.18145_none_79a5b70991018b47\$$DeleteMe.wersvc.dll.01c9ea3c52252f9e.006e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpapi.dll.01c9ea3c5164603e.0056
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpsvc.dll.01c9ea3c526c98de.007d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-hid-user_31bf3856ad364e35_6.0.6000.16386_none_d47586718a839763\$$DeleteMe.hidserv.dll.01c9ea3c5284669e.0080
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\$$DeleteMe.wininet.dll.01c9ea3c51d440de.0060
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-icm-base_31bf3856ad364e35_6.0.6001.18000_none_22c7ea5489633945\$$DeleteMe.mscms.dll.01c9ea3c5164603e.0055
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18148_none_47806edf8c9d67e6\$$DeleteMe.iertutil.dll.01c9ea3c5132635e.004f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6001.18000_none_5c561e167a6afd02\$$DeleteMe.imm32.dll.01c9ea3c5023069e.0026
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\$$DeleteMe.kernel32.dll.01c9ea3c5023069e.0025
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.0.6001.18000_none_f33c4797566bb3db\$$DeleteMe.Wldap32.dll.01c9ea3c515f9d7e.0054
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsasrv.dll.01c9ea3c4c12cdbe.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsass.exe.01ca1c331c9cb3f0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.secur32.dll.01c9ea3c4c1eb49e.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\$$DeleteMe.lsasrv.dll.01ca1c331c9f1550.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\$$DeleteMe.lsass.exe.01ca1c331c9cb3f0.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.18005_none_a83603ce59ed0382\$$DeleteMe.secur32.dll.01ca1c331c9f1550.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18000_none_9c5f2f3c0cc1aa83\$$DeleteMe.mf.dll.01c966324aa24420.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mfplat_31bf3856ad364e35_6.0.6001.18000_none_f6aa98ad53755122\$$DeleteMe.mfplat.dll.01c9ea3c4f91d2be.0011
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mmdeviceapi_31bf3856ad364e35_6.0.6001.18000_none_55044397b961da8a\$$DeleteMe.MMDevAPI.dll.01c9ea3c5374d17e.00a2
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mprapi_31bf3856ad364e35_6.0.6001.18000_none_140c84ec53049b39\$$DeleteMe.mprapi.dll.01c9ea3c4f5fd5de.000b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.0.6001.18000_none_c7427a4e786d74bc\$$DeleteMe.adtschema.dll.01c9ea3c5235d93e.0071
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mpr_31bf3856ad364e35_6.0.6001.18000_none_add5c97257f151a1\$$DeleteMe.mpr.dll.01c9ea3c50c4e41e.003f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6001.18136_none_8853d47896e90b40\$$DeleteMe.msxml3.dll.01c9ea3c52bb263e.008a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.0.6001.18000_none_d15536209ee61dad\$$DeleteMe.msvcrt.dll.01c9ea3c512da09e.004e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18000_none_440e77d1ec053e6c\$$DeleteMe.FwRemoteSvr.dll.01c9ea3c51919a5e.005b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.FwRemoteSvr.dll.01c9ea3c51919a5e.005b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.IPSECSVC.DLL.01c9ea3c5111101e.004a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\$$DeleteMe.NaturalLanguage6.dll.01c9ea3c535f651e.00a1
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\$$DeleteMe.NlsLexicons0009.dll.01c9ea3c50a5f23e.0039
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_5dde5591f19c0ea3\$$DeleteMe.ncrypt.dll.01c9ea3c51d1df7e.005f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\$$DeleteMe.netapi32.dll.01c9ea3c52a0f71e.0084
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netshell_31bf3856ad364e35_6.0.6001.18000_none_d5836ad30e0ac92d\$$DeleteMe.netshell.dll.01c9ea3c52b6637e.0088
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.BFE.DLL.01c9ea3c4c02241e.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.FWPUCLNT.DLL.01c9ea3c4bfd615e.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.IKEEXT.DLL.01c9ea3c4c1c533e.0005
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ntdll_31bf3856ad364e35_6.0.6001.18000_none_58d6de41fc2dac16\$$DeleteMe.ntdll.dll.01c9ea3c4c0ba99e.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.0.6001.18000_none_ab6af9d0f92539f0\$$DeleteMe.cscapi.dll.01c9ea3c530e765e.0098
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6001.18000_none_bd002a8dfb7a3328\$$DeleteMe.oleaut32.dll.01c9ea3c5073f55e.002e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-onex_31bf3856ad364e35_6.0.6001.18000_none_a5cb1bed1d5ba052\$$DeleteMe.onex.dll.01c9ea3c4f81291e.000f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18000_none_301b5dfb92ae18db\$$DeleteMe.localspl.dll.01c9ea00e8bc7fe8.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18247_none_2ff7241d92c8344e\$$DeleteMe.localspl.dll.01c9ea3c52fdccbe.0095
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..pooler-core-spoolss_31bf3856ad364e35_6.0.6001.18000_none_5b3992df8e604356\$$DeleteMe.spoolss.dll.01c9ea3c51f5941e.0064
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_6.0.6001.18000_none_8ad265adc8633a42\$$DeleteMe.inetpp.dll.01c9ea3c5059c63e.002b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor-tcpmondll_31bf3856ad364e35_6.0.6001.18000_none_d2ac9d5aa723258e\$$DeleteMe.tcpmon.dll.01c9ea3c538a3dde.00a3
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-wsdportmonitor_31bf3856ad364e35_6.0.6001.18000_none_16d3442ddf994157\$$DeleteMe.WSDMon.dll.01c9ea3c4ffcf09e.0020
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6001.18000_none_932df61f18add086\$$DeleteMe.winspool.drv.01c9ea3c52af3f5e.0087
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-pantherengine_31bf3856ad364e35_6.0.6001.18000_none_ae116f90a5d6b7d4\$$DeleteMe.wdscore.dll.01c9ea3c5180f0be.0059
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\$$DeleteMe.spoolsv.exe.01c9ea3c52c70d1e.008e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-profsvc_31bf3856ad364e35_6.0.6001.18000_none_fbb1576d32ad0ba9\$$DeleteMe.profsvc.dll.01c9ea3c5250085e.0078
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.6001.16503_none_f3d11aeeb9526bbb\$$DeleteMe.propsys.dll.01c9ea3c502567fe.0027
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-raschap_31bf3856ad364e35_6.0.6001.18000_none_12bf0305774c76e6\$$DeleteMe.raschap.dll.01c9ea3c50680e7e.002c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasdlg_31bf3856ad364e35_6.0.6001.18000_none_6d133c0e4fa0edb1\$$DeleteMe.rasdlg.dll.01c9ea3c4f5d747e.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.0.6001.18000_none_0d159410ea7a8f9d\$$DeleteMe.rtutils.dll.01c9ea3c50849efe.0030
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasmanservice_31bf3856ad364e35_6.0.6001.18000_none_9ebd9641a0a88359\$$DeleteMe.rasmans.dll.01c9ea3c521948be.006c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasplap_31bf3856ad364e35_6.0.6001.18000_none_1236753177b2477f\$$DeleteMe.rasplap.dll.01c9ea3c52dc797e.0090
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasppp_31bf3856ad364e35_6.0.6001.18000_none_6c94b11e4fff8902\$$DeleteMe.rasppp.dll.01c9ea3c50cc083e.0040
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastapi_31bf3856ad364e35_6.0.6001.18000_none_0ee42a5979dd0144\$$DeleteMe.rastapi.dll.01c9ea3c522790fe.006f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastls_31bf3856ad364e35_6.0.6001.18000_none_6c652bee5023e04d\$$DeleteMe.rastls.dll.01c9ea3c5185b37e.005a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-riched32_31bf3856ad364e35_6.0.6001.18000_none_9d00b3d6829ba4d0\$$DeleteMe.riched20.dll.01c9ea3c50a5f23e.003a
Status: Locked to thProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1280 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x856a61f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_CREATE]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_CLOSE]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_READ]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_WRITE]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_QUERY_EA]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SET_EA]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_CLEANUP]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: fastfat䀀慖⁤І癅, IRP_MJ_PNP]
Process: System Address: 0x89a471f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CREATE]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CLOSE]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_POWER]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_PNP]
Process: System Address: 0x856a31f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x856a51f8 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_CREATE]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_CLOSE]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_READ]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_WRITE]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_POWER]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: cdromॸ, IRP_MJ_PNP]
Process: System Address: 0x86f82500 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_CREATE]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_CLOSE]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_POWER]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci࠰Ѕ潉†, IRP_MJ_PNP]
Process: System Address: 0x86efd1f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_CREATE]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_CLOSE]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_CLEANUP]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: Smb迟Е楆, IRP_MJ_PNP]
Process: System Address: 0x875c91f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_CREATE]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_CLOSE]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_CLEANUP]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: netbt蒐, IRP_MJ_PNP]
Process: System Address: 0x876031f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_CREATE]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_CLOSE]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_POWER]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄玈谦쭘跾, IRP_MJ_PNP]
Process: System Address: 0x86ff61f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x84d151f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86f881f8 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CREATE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CLOSE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_READ]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_WRITE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_EA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_EA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CLEANUP]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_POWER]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: mrxsmb緰蛌Ї敓, IRP_MJ_PNP]
Process: System Address: 0x8910c500 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_CREATE]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_CLOSE]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_READ]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_WRITE]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_CLEANUP]
Process: System Address: 0x8995d1f8 Size: 121

Object: Hidden Code [Driver: cdfsП牄㣀谦㝀躌, IRP_MJ_PNP]
Process: System Address: 0x8995d1f8 Size: 121

==EOF==

Attached Files


Edited by easjogren, 12 September 2009 - 09:40 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:45 PM

Posted 13 September 2009 - 02:25 PM

Okay, let's try this.


First let's clean out your temp files/cookies/cache

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Next

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#7 easjogren

easjogren
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 13 September 2009 - 10:17 PM

ComboFix 09-09-13.04 - EAS 09/13/2009 22:31.1.2 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.3581.2441 [GMT -4:00]
Running from: c:\users\EAS\Desktop\Combo-Fix.exe
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2043879451-4132286930-3751040699-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\users\EAS\AppData\Roaming\install.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 02:56 . 2009-09-14 02:57 -------- d-----w- c:\users\EAS\AppData\Local\temp
2009-09-14 02:56 . 2009-09-14 02:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-13 01:03 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 01:03 . 2009-09-13 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 01:03 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 00:09 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-08 00:09 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-07 07:28 . 2009-09-07 07:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-28 01:41 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-23 22:01 . 2009-08-28 01:39 -------- d-----w- c:\program files\IDoser v4
2009-08-23 19:18 . 2009-08-23 20:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-23 19:18 . 2009-08-23 20:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 19:05 . 2009-08-23 19:05 -------- d-----w- c:\users\EAS\AppData\Roaming\Malwarebytes
2009-08-23 19:05 . 2009-08-23 19:05 -------- d-----w- c:\programdata\Malwarebytes
2009-08-22 20:37 . 2009-08-23 20:31 -------- d-----w- c:\program files\I-Doser
2009-08-22 15:40 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-22 04:50 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-22 04:48 . 2009-08-22 04:50 -------- d-----w- c:\programdata\Lavasoft
2009-08-22 04:48 . 2009-08-22 04:48 -------- d-----w- c:\program files\Lavasoft
2009-08-22 04:48 . 2009-08-23 20:32 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 02:20 . 2008-06-24 01:34 28504 ----a-w- c:\programdata\nvModes.dat
2009-09-13 02:35 . 2008-06-24 01:53 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-09-13 02:34 . 2008-06-15 21:26 2140 ----a-w- c:\windows\bthservsdp.dat
2009-09-07 04:09 . 2008-12-24 22:27 -------- d-----w- c:\users\EAS\AppData\Roaming\uTorrent
2009-08-23 20:32 . 2009-01-09 19:54 -------- d-----w- c:\users\EAS\AppData\Roaming\vlc
2009-08-23 20:31 . 2008-12-24 22:27 -------- d-----w- c:\program files\uTorrent
2009-08-14 16:27 . 2009-09-11 05:13 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-11 05:13 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-11 05:13 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-11 05:13 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-11 05:13 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-11 05:13 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-11 05:13 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-11 05:13 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-11 05:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-11 05:13 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-11 05:13 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-21 03:55 . 2008-06-25 18:19 -------- d-----w- c:\users\EAS\AppData\Roaming\Creative
2009-07-17 13:54 . 2009-08-13 15:38 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-13 15:36 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-13 15:36 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-13 15:36 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-13 15:36 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-11 05:13 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-11 05:13 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-11 05:13 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-11 05:13 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-11 05:13 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-07-08 05:55 . 2008-12-25 01:43 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-19 05:24 . 2008-12-01 18:04 680 ----a-w- c:\users\EAS\AppData\Local\d3d9caps.dat
2008-06-16 02:41 . 2008-06-16 02:41 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2009-03-10 15:47 2079256 ----a-w- c:\program files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-03-10 2079256]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-24 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-03 13552160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-03 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-09-03 96800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:thumbup2::cb,e5,59,28,3d,ea,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2043879451-4132286930-3751040699-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AC49A44C-97F5-4098-A9EB-2E0A505DD80D}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{B1F6A4EC-E574-4702-89BC-9BF231CA7532}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{FC61379E-9281-4A31-BBBF-4F7B0EE5372B}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{CC115FFF-784D-47CB-9AE6-9A05BB3D7B25}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{9F977422-4892-4B9D-9D27-433FB16BDCD1}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0928F626-F960-4EC3-B341-0948C60EF9C1}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{CAE9545A-E2F1-4639-9257-FC70E3EB36C3}c:\\program files\\steam\\steamapps\\gfsplat\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\gfsplat\counter-strike source\hl2.exe:hl2
"UDP Query User{D670F2C3-32B4-461E-BB6B-896A31BB1DCB}c:\\program files\\steam\\steamapps\\gfsplat\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\gfsplat\counter-strike source\hl2.exe:hl2
"TCP Query User{2166C30B-6FD0-4236-9571-5DF24BF32A30}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java™ Platform SE binary
"UDP Query User{4A064FC5-FCF8-4A1E-B42B-81C09EDEB445}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java™ Platform SE binary
"{73BC2521-6D51-4013-AA6D-918B1D381A60}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{C67605E8-962D-4F39-93C8-79DB339E6AEB}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{90EE4434-4C63-469C-80B4-4B2DA2AF391F}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java™ Platform SE binary
"UDP Query User{003DFF71-C026-4A73-A789-5433FF54654D}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java™ Platform SE binary
"TCP Query User{336A2540-03D7-444D-947B-17F47AE6ACC6}c:\\program files\\steam\\steamapps\\gfsplat\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\gfsplat\counter-strike source\hl2.exe:hl2
"UDP Query User{76349306-EE29-4090-9CC7-EB0A4382D344}c:\\program files\\steam\\steamapps\\gfsplat\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\gfsplat\counter-strike source\hl2.exe:hl2
"TCP Query User{60B2A088-D341-461D-A415-2BD289F825FF}c:\\program files\\v cast music with rhapsody\\rhapsody.exe"= UDP:c:\program files\v cast music with rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{BD06C254-B5F2-4797-89C7-2E14293E6712}c:\\program files\\v cast music with rhapsody\\rhapsody.exe"= TCP:c:\program files\v cast music with rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{D8A87346-FF96-4B16-BCC5-9E4067D1EE99}"= UDP:c:\program files\uTorrent\uTorrent.exe:Torrent (TCP-In)
"{183E6D13-3D4D-4798-8321-0AC1F96C93A0}"= TCP:c:\program files\uTorrent\uTorrent.exe:Torrent (UDP-In)
"{16B988B9-7652-4B29-BC66-2EC174C8EB50}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{71CF0A43-7B54-44EB-9DF2-259CB61CC7AD}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{587F6882-2B63-4C4A-B488-47A4EDDF4844}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{AFB1D721-78E9-4F1F-A41B-8AC1E759829C}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{8E958AB4-A1A3-49ED-9F8F-0441448A6C79}c:\\program files\\steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"= UDP:c:\program files\steam\steamapps\common\call of duty 4\iw3mp.exe:iw3mp
"UDP Query User{60E6CAB5-4AF8-42C7-9193-A477166878D8}c:\\program files\\steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"= TCP:c:\program files\steam\steamapps\common\call of duty 4\iw3mp.exe:iw3mp
"TCP Query User{2FD166CA-BCDD-434E-BE54-72882B82D136}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8AF47340-2822-439B-AE2F-EDA427BCB658}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{6238463D-05CC-4F11-869C-B66A03C50520}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1B6114F8-A0D4-4E48-813B-2C2E7A7CDA67}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{89A1A50F-9F65-4EAF-9AAF-A2D6327344AA}c:\\program files\\steam\\steamapps\\gfsplat\\half-life 2 deathmatch\\hl2.exe"= UDP:c:\program files\steam\steamapps\gfsplat\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{9CB6F8B8-BB31-4B22-B62E-7C2DD38658C6}c:\\program files\\steam\\steamapps\\gfsplat\\half-life 2 deathmatch\\hl2.exe"= TCP:c:\program files\steam\steamapps\gfsplat\half-life 2 deathmatch\hl2.exe:hl2
"TCP Query User{91E17B1E-B135-481F-BE39-A3E37FC72693}c:\\program files\\steam\\steamapps\\gfsplat\\day of defeat source\\hl2.exe"= UDP:c:\program files\steam\steamapps\gfsplat\day of defeat source\hl2.exe:hl2
"UDP Query User{61AC1B27-3C49-4761-A0D8-B1491AE5F5E2}c:\\program files\\steam\\steamapps\\gfsplat\\day of defeat source\\hl2.exe"= TCP:c:\program files\steam\steamapps\gfsplat\day of defeat source\hl2.exe:hl2
"TCP Query User{B1E83313-3418-494A-8E1A-C1926B0A8760}c:\\program files\\steam\\steamapps\\gfsplat\\team fortress classic\\hl.exe"= UDP:c:\program files\steam\steamapps\gfsplat\team fortress classic\hl.exe:Half-Life Launcher
"UDP Query User{9FF4E75C-93A7-4D6A-9AEF-6B6B544EA53A}c:\\program files\\steam\\steamapps\\gfsplat\\team fortress classic\\hl.exe"= TCP:c:\program files\steam\steamapps\gfsplat\team fortress classic\hl.exe:Half-Life Launcher
"TCP Query User{97903108-497F-4032-871F-C43C2A9755AA}c:\\program files\\steam\\steamapps\\gfsplat\\half-life\\hl.exe"= UDP:c:\program files\steam\steamapps\gfsplat\half-life\hl.exe:Half-Life Launcher
"UDP Query User{6E3A3770-0634-475D-8085-9B487B842659}c:\\program files\\steam\\steamapps\\gfsplat\\half-life\\hl.exe"= TCP:c:\program files\steam\steamapps\gfsplat\half-life\hl.exe:Half-Life Launcher
"TCP Query User{A84DCB01-18C4-4BAD-9BEB-C06C23739985}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:Torrent
"UDP Query User{58B58825-62AC-4339-BEFC-69F7DF4BC55A}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:Torrent

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [8/22/2009 12:50 AM 64160]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [6/15/2008 5:24 PM 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [8/23/2009 3:18 PM 1153368]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [6/16/2008 1:19 AM 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [6/16/2008 1:19 AM 7424]
S4 iaNvStor;Intel® Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [6/16/2008 1:19 AM 209408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080616
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\EAS\AppData\Roaming\Mozilla\Firefox\Profiles\0i6wu3nv.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 22:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2009-09-14 23:00
ComboFix-quarantined-files.txt 2009-09-14 03:00

Pre-Run: 156,023,033,856 bytes free
Post-Run: 156,013,207,552 bytes free

243 --- E O F --- 2009-09-11 05:17

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:45 PM

Posted 14 September 2009 - 01:52 PM

Nothing showing up on any scans, easjogren.

The next time the CPU shoots up attempt to run the following program. It will capture the processes that are running at the time.

Please download and run Process Explorer

If Process explorer won't execute rename it Iexplore.exe

Under File and Save As, create a log and post here

Copy and paste the log into your next reply
Posted Image
m0le is a proud member of UNITE

#9 easjogren

easjogren
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:45 AM

Posted 15 September 2009 - 10:19 AM

I can't seem to find how to save it into a log.

NTVDM.exe is the cause of the issue though.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:45 PM

Posted 15 September 2009 - 11:55 AM

This could be a corrupt file.

It's a system file so you should navigate to the folder (shown below) and delete it. Rebooting it will then allow it to be replaced with a cache file.

Windows\System32\ntvdm.exe

Be aware that if it isn't corrupt this will not fix the issue but it is still a safe process to carry out thanks to System File Protection.

Edited by m0le, 15 September 2009 - 11:56 AM.

Posted Image
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:45 PM

Posted 20 September 2009 - 07:07 AM

Are you still there, easjogren?
Posted Image
m0le is a proud member of UNITE

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:45 PM

Posted 21 September 2009 - 06:58 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users