rootkit issue


25 replies to this topic

#1 mrrowe

mrrowe

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 24 September 2009 - 06:52 PM

ok, for the past few days I have been having an issue with my computer, to the point I can't get on the internet with it any more, and with all the research I have done, I have been told and came to the conclusion that I have a rootkit virus. whenever I run antivirus scans the scan closes, and many programs won't start up, and I did a registry scanner that revealed many registry issues also. apparently I had a friend with an infected junk drive that ended up being a host that infected 2 of my computers. any help that can be offered to get me to a stable state would be appreciated, as I see it has been helpful for many others here

why do ppl have to be so malicious and want to cause harm to ppl's systems? they should use that power for good instead of pain lol


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:01 PM

Posted 24 September 2009 - 07:54 PM

Hello, Yes they are horrible people.
We can start cleaning this; some things to consider. You will need to make a post in the HiJackThis section eventually from here. That said, you will be about a week until cleaning; we are that busy with this crap they write. Are you opposed to a reformat and reinstall?

Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 24 September 2009 - 08:11 PM

i want to avoid it, yes. 500 gig hard drive used for music and video editing. the goal is to get stable and running, and when the opportunity comes, upgrade and move over with the Acronis backup image tool. i currently don't have that luxury

#4 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 24 September 2009 - 08:20 PM

You will need to make a post in the HiJackThis section eventually from here.


do i do this now or later? i'm not sure if it's letting me, cus it has been shutting scanners down. fyi i'm on another computer that's safe; the damaged one won't get online, ALTHOUGH IT SHOWS THE NETWORK IS RUNNING it's not possible to browse. after i tried housecall.trendmicro.com i haven't been able to get access since

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:01 PM

Posted 24 September 2009 - 08:36 PM

Ok, let's try to confirm your rootkit first. I will help you get the logs posted. Let's see if we can run one of these.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
OR
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

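The report RootRepeal saves is plain text: a header block, then sections titled and underlined with dashes, each holding blank-line-separated Key: Value records (the full layout is visible in the log posted later in this thread). As an added example, not part of this thread and not RootRepeal's own code, here is a small Python parser and a triage pass a helper could run over a posted log: it counts the locked entries per parent directory (the per-session tmp* folders under C:\WINDOWS\Temp arrive by the hundred) and lists the remaining ones for a closer look. The sample report and the set of drivers expected to show "File Visible: No" (the scanner's own driver and the dump_* crash-dump copies of the storage stack) are constructed assumptions for this example, not findings about this machine.

```python
import re
from collections import defaultdict

# Constructed sample in the layout RootRepeal uses (a handful of records,
# not the full report from this thread). Raw string so backslashes survive.
SAMPLE_REPORT = r"""ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 23:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7EF8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7789000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\zts2.exe\zts2.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000147\tmp00000147
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000273\tmp00000273
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Status: Locked to the Windows API!
"""

SECTION_RULE = re.compile(r"^-{5,}$")   # dashed underline below a section title
ADDR_LINE = re.compile(                 # the one record line that packs four fields
    r"^Address:\s*(?P<address>\S+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)$")

# Drivers expected to report "File Visible: No": the scanner's own driver and the
# dump_* copies Windows keeps for writing crash dumps. Assumption for this
# example; adjust to the tools actually present on the machine being examined.
EXPECTED_INVISIBLE = {"rootrepeal.sys", "dump_atapi.sys", "dump_wmilib.sys"}


def _flush(record, section, sections):
    if record and section:
        sections[section].append(record)


def parse_report(text):
    """Parse a RootRepeal-style report into a header dict and per-section records."""
    lines = text.splitlines()
    header, sections = {}, defaultdict(list)
    section, record = None, {}
    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if SECTION_RULE.match(line):
            continue                              # the underline itself
        if SECTION_RULE.match(nxt):               # this line is a section title
            _flush(record, section, sections)
            section, record = line, {}
            continue
        if not line or line.startswith("="):      # blank line or banner rule ends a record
            _flush(record, section, sections)
            record = {}
            continue
        m = ADDR_LINE.match(line)
        if m:
            record.update(m.groupdict())
            continue
        key, sep, value = line.partition(":")     # first colon only: paths contain "C:"
        if not sep:
            continue                              # e.g. the ROOTREPEAL banner line
        target = header if section is None else record
        target[key.strip()] = value.strip()
    _flush(record, section, sections)
    return {"header": header, "sections": dict(sections)}


def triage(parsed):
    """Summarise a parsed report: invisible drivers that are not on the expected
    list, locked entries counted per parent directory, and the locked entries
    outside the Windows Temp directory that deserve a closer look."""
    drivers = parsed["sections"].get("Drivers", [])
    unexpected = [d["Name"] for d in drivers
                  if d.get("visible", "").lower() == "no"
                  and d.get("Name", "").lower() not in EXPECTED_INVISIBLE]
    by_dir, review = defaultdict(int), []
    for entry in parsed["sections"].get("Hidden/Locked Files", []):
        path = entry.get("Path", "")
        parent = path.rsplit("\\", 2)[0]          # report repeats the leaf name; drop both copies
        by_dir[parent] += 1
        if not parent.lower().endswith("\\temp"):
            review.append(path)
    return {"unexpected_invisible_drivers": unexpected,
            "locked_by_dir": dict(by_dir),
            "review": review}


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for directory, count in sorted(summary["locked_by_dir"].items()):
        print(f"{count:4d} locked entries under {directory}")
    print("outside Temp, review:", summary["review"])
    print("unexpected invisible drivers:", summary["unexpected_invisible_drivers"])
```

Run it over a saved RootRepeal.txt by reading the file into `parse_report` instead of `SAMPLE_REPORT`. The triage deliberately makes no verdict: a locked path outside Temp is only a place to look next, and the Temp count mainly tells you how much of the report is the same kind of entry repeated.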

#6 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 25 September 2009 - 04:50 AM

ok, this is where i'm at on RootRepeal. i'd get it running, then it will just close; when i try to run it again i get some sort of error in regular mode, and then i will run it in safe mode, it will close, and if i try to run it again it will say access denied. then i ran the other; i get a log file but i had to manually go to the temp folder. the kick is it will not let me drag anything and it denied me access to open the log file. but i saw some of the processes that started this whole problem for me, i deleted them to the recycling bin, ran RootRepeal again and this time i had a nice amount of scanning before it shut down again. then i go to the folder i extracted RootRepeal to and there is something extra, it was a cd icon that said settings; i deleted that but once again was denied use of RootRepeal. on the Sophos i had several things show as removable but not required

#7 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 25 September 2009 - 05:35 AM

also curious: if i network the computer and scan it from another computer, will the host computer get the malware on it? if that's an option to try

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:01 PM

Posted 25 September 2009 - 10:45 AM

Please post that Sophos log, thanks.

Not sure if you tried this one,Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#9 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 25 September 2009 - 11:57 AM

when i attempt to move or open the Sophos log i am denied access from opening it, and don't have drag and drop capability to move it to a storage drive, nor am i able to copy and paste. Malwarebytes will run and then shut down and i'm unable to rerun it, as if it has been nuked. i also tried a portable version of Malwarebytes. i don't have internet access on that computer. if i set the problem computer to a network and try to run the scans from another computer in the network, will i infect my other network computers??

#10 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 25 September 2009 - 06:02 PM

i may be getting some headway will be posting the sarscan log in some time

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:01 PM

Posted 25 September 2009 - 07:13 PM

:thumbsup:

#12 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 26 September 2009 - 10:52 AM

ok, i saved multiple logs in RootRepeal, hope this is the one you want. i am also using ubcd4win to access the internet from the hijacked computer with the virtual XP shell, fyi

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 23:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7EF8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA600000 Size: 8192 File Visible: No Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xBA5D0000 Size: 4128 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7789000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\zts2.exe\zts2.exe
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\rundl132.dll\rundl132.dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB929338\KB929338
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB931784\KB931784
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\KAV6Upgrade\KAV6Upgrade
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000147\tmp00000147
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000273\tmp00000273
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000002c6\tmp000002c6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000320\tmp00000320
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000354\tmp00000354
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000376\tmp00000376
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000004c2\tmp000004c2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000006bf\tmp000006bf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000767\tmp00000767
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000780\tmp00000780
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000007c2\tmp000007c2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000008bb\tmp000008bb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000008d1\tmp000008d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000097b\tmp0000097b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000995\tmp00000995
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000009d8\tmp000009d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000009eb\tmp000009eb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000a2c\tmp00000a2c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000a72\tmp00000a72
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000b25\tmp00000b25
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000b2c\tmp00000b2c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000b61\tmp00000b61
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000bb1\tmp00000bb1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000bb9\tmp00000bb9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000bff\tmp00000bff
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000c0d\tmp00000c0d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000c4b\tmp00000c4b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000d70\tmp00000d70
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000e14\tmp00000e14
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000e2f\tmp00000e2f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000e44\tmp00000e44
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003625\tmp00003625
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003755\tmp00003755
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000375a\tmp0000375a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000375d\tmp0000375d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000037e0\tmp000037e0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000390e\tmp0000390e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003998\tmp00003998
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003a30\tmp00003a30
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003a86\tmp00003a86
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003a8f\tmp00003a8f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003aa2\tmp00003aa2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003aa3\tmp00003aa3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003aa7\tmp00003aa7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003ad2\tmp00003ad2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003ad7\tmp00003ad7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003b0c\tmp00003b0c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003c92\tmp00003c92
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003c99\tmp00003c99
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003ca9\tmp00003ca9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003ce0\tmp00003ce0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003d6d\tmp00003d6d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003dac\tmp00003dac
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003e0b\tmp00003e0b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003e1d\tmp00003e1d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003e1e\tmp00003e1e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003e6f\tmp00003e6f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003f69\tmp00003f69
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000047fc\tmp000047fc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000484d\tmp0000484d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004907\tmp00004907
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004922\tmp00004922
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000049c9\tmp000049c9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004a8e\tmp00004a8e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004adc\tmp00004adc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004b2e\tmp00004b2e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004b75\tmp00004b75
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004cf3\tmp00004cf3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004d0d\tmp00004d0d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004d2c\tmp00004d2c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004d57\tmp00004d57
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004db4\tmp00004db4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004e21\tmp00004e21
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004f37\tmp00004f37
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004f92\tmp00004f92
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005005\tmp00005005
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005087\tmp00005087
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000051f6\tmp000051f6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000539d\tmp0000539d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005413\tmp00005413
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005440\tmp00005440
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005e5f\tmp00005e5f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005e80\tmp00005e80
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005f22\tmp00005f22
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005f2e\tmp00005f2e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005fa4\tmp00005fa4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005fc8\tmp00005fc8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000601b\tmp0000601b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000609c\tmp0000609c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000060b8\tmp000060b8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000614a\tmp0000614a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000061b1\tmp000061b1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000061bd\tmp000061bd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000061db\tmp000061db
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000062f4\tmp000062f4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000063d7\tmp000063d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006403\tmp00006403
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006445\tmp00006445
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000647a\tmp0000647a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000064ba\tmp000064ba
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006547\tmp00006547
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006563\tmp00006563
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006585\tmp00006585
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006642\tmp00006642
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000066e7\tmp000066e7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000671d\tmp0000671d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000019ac\tmp000019ac
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001b22\tmp00001b22
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001c29\tmp00001c29
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001c5c\tmp00001c5c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001c9f\tmp00001c9f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001ca9\tmp00001ca9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001d49\tmp00001d49
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001d5d\tmp00001d5d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001ddd\tmp00001ddd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001dfb\tmp00001dfb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001e8e\tmp00001e8e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001e95\tmp00001e95
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001fc4\tmp00001fc4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001ff7\tmp00001ff7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000202f\tmp0000202f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002167\tmp00002167
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000021df\tmp000021df
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002360\tmp00002360
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002391\tmp00002391
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002447\tmp00002447
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000024c2\tmp000024c2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000025cb\tmp000025cb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002615\tmp00002615
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002684\tmp00002684
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000ff6\tmp00000ff6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000101d\tmp0000101d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000105c\tmp0000105c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001068\tmp00001068
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001074\tmp00001074
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000012ad\tmp000012ad
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000012c5\tmp000012c5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000131b\tmp0000131b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001329\tmp00001329
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000013f7\tmp000013f7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001409\tmp00001409
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001549\tmp00001549
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000157b\tmp0000157b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000015c4\tmp000015c4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000015d6\tmp000015d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001623\tmp00001623
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001687\tmp00001687
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000016b6\tmp000016b6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000016c9\tmp000016c9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000172e\tmp0000172e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001759\tmp00001759
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000017ed\tmp000017ed
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001865\tmp00001865
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00001949\tmp00001949
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000019a5\tmp000019a5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000678b\tmp0000678b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000681d\tmp0000681d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000682d\tmp0000682d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000068b3\tmp000068b3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000068dd\tmp000068dd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006905\tmp00006905
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000691d\tmp0000691d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006a3b\tmp00006a3b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006a5a\tmp00006a5a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006b05\tmp00006b05
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006bfe\tmp00006bfe
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006c05\tmp00006c05
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006c2b\tmp00006c2b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006c47\tmp00006c47
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006c4f\tmp00006c4f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006c5a\tmp00006c5a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006cdc\tmp00006cdc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006d33\tmp00006d33
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006e1e\tmp00006e1e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006e2d\tmp00006e2d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006eb9\tmp00006eb9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006ef0\tmp00006ef0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006f6a\tmp00006f6a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006fb3\tmp00006fb3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006ff8\tmp00006ff8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000701d\tmp0000701d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000070f6\tmp000070f6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000711b\tmp0000711b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000072a8\tmp000072a8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000072c3\tmp000072c3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007387\tmp00007387
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000073cf\tmp000073cf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007422\tmp00007422
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007432\tmp00007432
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000074d3\tmp000074d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000074d5\tmp000074d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003fbd\tmp00003fbd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003fea\tmp00003fea
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004028\tmp00004028
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004047\tmp00004047
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004076\tmp00004076
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000040db\tmp000040db
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000041d8\tmp000041d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000041dd\tmp000041dd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000424e\tmp0000424e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004285\tmp00004285
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000429a\tmp0000429a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000042a6\tmp000042a6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000042c6\tmp000042c6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004300\tmp00004300
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004384\tmp00004384
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000043b3\tmp000043b3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000043d6\tmp000043d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000043e7\tmp000043e7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000442c\tmp0000442c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000443d\tmp0000443d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000448d\tmp0000448d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000044b5\tmp000044b5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004529\tmp00004529
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00004553\tmp00004553
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000461a\tmp0000461a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000046a3\tmp000046a3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000034\tmp00000034
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00000e8b\tmp00000e8b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000019a6\tmp000019a6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002687\tmp00002687
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000034de\tmp000034de
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003f8d\tmp00003f8d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000479b\tmp0000479b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000547a\tmp0000547a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005e41\tmp00005e41
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00006736\tmp00006736
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000074fc\tmp000074fc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000554d\tmp0000554d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000555e\tmp0000555e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000055c0\tmp000055c0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000055f9\tmp000055f9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000560c\tmp0000560c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000056b2\tmp000056b2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000056b9\tmp000056b9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000056eb\tmp000056eb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005776\tmp00005776
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005813\tmp00005813
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000059e8\tmp000059e8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005a4f\tmp00005a4f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005aa0\tmp00005aa0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005aba\tmp00005aba
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005b0f\tmp00005b0f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005b79\tmp00005b79
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005b96\tmp00005b96
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005c02\tmp00005c02
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005c65\tmp00005c65
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005cb5\tmp00005cb5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005d04\tmp00005d04
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00005e14\tmp00005e14
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000026f8\tmp000026f8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002825\tmp00002825
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000293a\tmp0000293a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002989\tmp00002989
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000029d1\tmp000029d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002a3b\tmp00002a3b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002aad\tmp00002aad
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002b03\tmp00002b03
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002b70\tmp00002b70
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002bc3\tmp00002bc3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002bec\tmp00002bec
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002c3e\tmp00002c3e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002ce1\tmp00002ce1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002da0\tmp00002da0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002e64\tmp00002e64
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002eb2\tmp00002eb2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002f63\tmp00002f63
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002fc8\tmp00002fc8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002fcc\tmp00002fcc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00002fe5\tmp00002fe5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003073\tmp00003073
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003180\tmp00003180
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000031b0\tmp000031b0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003254\tmp00003254
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003318\tmp00003318
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000033ef\tmp000033ef
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00003405\tmp00003405
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007594\tmp00007594
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000075b8\tmp000075b8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000075cb\tmp000075cb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp000075d5\tmp000075d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007668\tmp00007668
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007685\tmp00007685
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007718\tmp00007718
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp0000775b\tmp0000775b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007801\tmp00007801
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007841\tmp00007841
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007894\tmp00007894
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007a64\tmp00007a64
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007b2f\tmp00007b2f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007b4a\tmp00007b4a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007c62\tmp00007c62
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007d48\tmp00007d48
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007e8e\tmp00007e8e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007e99\tmp00007e99
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007ed0\tmp00007ed0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007f11\tmp00007f11
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007f53\tmp00007f53
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\tmp00007f83\tmp00007f83
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\vmgr7673.tmp\vmgr7673.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\_avast4_\_avast4_
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Status: Locked to the Windows API!

Path: C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\setup.pss\setupupd\temp\temp
Status: Locked to the Win==EOF==

#13 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 26 September 2009 - 07:43 PM

any ideas?

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:01 PM

Posted 26 September 2009 - 08:35 PM

Hi, can you run any/all of these with that setup?
Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#15 mrrowe

mrrowe
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:01 PM

Posted 28 September 2009 - 07:36 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/27/2009 at 01:13 AM

Application Version : 4.25.1012

Core Rules Database Version : 3852
Trace Rules Database Version: 1805

Scan type : Complete Scan
Total Scan Time : 02:39:55

Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 1172
Registry threats detected : 0
File items scanned : 309837
File threats detected : 2

Adware.Vundo/Variant-MSFake
C:\PROGRAM FILES\ANTI TROJAN ELITE\MSVCRTD.DLL

Adware.k8l
C:\PROGRAM FILES\MSN\RTERTEPROL.HTML


Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 2

9/27/2009 7:45:04 PM
mbam-log-2009-09-27 (19-45-04).txt

Scan type: Quick Scan
Objects scanned: 265376
Time elapsed: 12 hour(s), 23 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\RECYCLER\S-1-5-21-3188686955-1190947155-3331656970-500\Dc1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP218\A0073371.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



I don't know if these scans are missing this, but I've got 2 files and folders I think for certain are problems but don't want to touch them unless you direct me to. One is rundl132 and zts2.exe, and some other questionable ones I was hoping would show up. The ATF also cleared almost 1 gig of memory.
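The two logs in this thread are in formats that are tedious to read by hand: the long list of "Path:/Status:" pairs, and the "Files Infected:" lines of the MBAM log. The script below is an added example, not code from the thread or from either scanner's vendor. It parses both formats and produces a short triage view: the scratch folders under C:\WINDOWS\Temp named tmp followed by eight hex digits are counted and set aside, every other locked path is listed for review, a truncated log (the final entry ends in "==EOF==") is reported, and the MBAM removals are extracted with their detection names. The sample input is constructed from a few entries copied from the logs above; the choice to treat the tmpXXXXXXXX folders as low-priority noise is an assumption of this example, not a verdict from the thread.

```python
"""Triage helper for the two log formats posted in this thread:
Path:/Status: pairs from the locked-directory scan, and the
'Files Infected:' section of a Malwarebytes (MBAM) log."""
import re
from collections import Counter

# Constructed sample input: entries copied from the logs posted above,
# including the final entry that was cut off at "==EOF==".
SAMPLE_LOCKED_LOG = """\
Path: C:\\WINDOWS\\Temp\\tmp00002391\\tmp00002391
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\Temp\\Google Toolbar\\Google Toolbar
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\java\\classes\\classes
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\security\\logs\\logs
Status: Locked to the Win==EOF==
"""

# Constructed sample: the summary count line plus the per-file section.
SAMPLE_MBAM_LOG = """\
Files Infected: 2

Files Infected:
c:\\RECYCLER\\S-1-5-21-3188686955-1190947155-3331656970-500\\Dc1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP218\\A0073371.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

PATH_RE = re.compile(r"^Path:\s*(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(.+?)\s*$")
# "<path> (<detection>) -> <action>" as MBAM prints it.
MBAM_FILE_RE = re.compile(
    r"^(?P<path>[a-zA-Z]:\\.+?)\s+\((?P<name>[^)]+)\)\s*->\s*(?P<action>.+?)\s*$")
TEMP_PREFIX = "c:\\windows\\temp\\"
# Assumption of this example: tmp + 8 hex digits under Temp is scratch noise.
TMP_NAME = re.compile(r"^tmp[0-9a-f]{8}$", re.I)


def parse_locked_entries(text):
    """Return [(path, status), ...] from consecutive Path:/Status: lines."""
    entries, pending = [], None
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            entries.append((pending, m.group(1)))
            pending = None
    return entries


def normalize_path(path):
    """The scanner prints the last folder name twice; drop the duplicate."""
    parts = path.rstrip("\\").split("\\")
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        parts.pop()
    return "\\".join(parts)


def classify(path):
    """temp-scratch (tmpXXXXXXXX under Temp), temp-named, or outside-temp."""
    p = normalize_path(path)
    if p.lower().startswith(TEMP_PREFIX):
        return "temp-scratch" if TMP_NAME.match(p.split("\\")[-1]) else "temp-named"
    return "outside-temp"


def parse_mbam_files(text):
    """Return the entries of the 'Files Infected:' section (not the count line)."""
    items, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":   # exact match; "Files Infected: 2" is the count
            in_section = True
            continue
        if not in_section:
            continue
        if line.endswith(":"):          # next section header: done
            break
        m = MBAM_FILE_RE.match(line)
        if m:
            items.append(m.groupdict())
    return items


def triage(locked_text, mbam_text):
    entries = parse_locked_entries(locked_text)
    return {
        "counts": dict(Counter(classify(p) for p, _ in entries)),
        "truncated": any("==EOF==" in s for _, s in entries),
        "review": sorted(normalize_path(p) for p, _ in entries
                         if classify(p) != "temp-scratch"),
        "removed": parse_mbam_files(mbam_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOCKED_LOG, SAMPLE_MBAM_LOG)
    print("locked entries by class:", result["counts"])
    print("log truncated:", result["truncated"])
    for path in result["review"]:
        print("review:", path)
    for item in result["removed"]:
        print("removed:", item["name"], item["path"])
```

The "Locked to the Windows API!" status by itself identifies nothing: the log above attaches it to ordinary system folders such as C:\WINDOWS\security\logs and C:\WINDOWS\pchealth, so the value of the script is only in shrinking the list to the entries a helper would actually look at, and in making the "==EOF==" truncation visible so the rest of the log can be requested.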



