Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Tried Everything I could find/Dont know what else to do?


  • Please log in to reply
12 replies to this topic

#1 xcrystalxartsavesx

xcrystalxartsavesx

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 18 October 2009 - 01:23 AM

HI :)I have been dealing for about 3 weeks now. I realized that my VISTA security windows defender was just shutting off. Then I couldnt get it to turn back on at all. Then my Spy ware stopped working. I found this site by a miracle. Read through a bunch of blogs and downloaded every scan and anti malware and virus scanner i found that you guys have suggested. DrWeb cure it and malware bytes did find some trojans and things and deleted all those. Now both the scans run clean. Then I bought the super anti spy software and it is also running clean (no infections) But after they ran clean after finding things, I bought Norton antivirus 2010 and within a day the virus protecter is just shutting off and so is the sonar protection for no reason. I went to uninstall and reinstall and now it wont install. I went to download the internet security verison of AVG and it keeps giving me this error:Local machine: install actions planned
Installation:
Error: MSVC Redistributables installation failed. Installation of AVG can not continue.

My windows defender wont work at all now. It seems like if there is a security patch its not downloading either from windows update.

I was trying to do everything and anything to not reformat but I dont know what to do at this point. Other then security issues nothing else seems to be failing..at least not yet.

In other post i saw someone told someone to run Win32K and I did and this was those results if it helps:

Running from: C:\Users\John\Downloads\Win32kDiag.exe

Log file at : C:\Users\John\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-18 01:04:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-18 01:04:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-18 01:04:27 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-18 01:04:26 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()





Finished!

Any help you can give, I'll appreciate more then you know :thumbsup:

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,644 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:16 PM

Posted 18 October 2009 - 01:51 AM

Hello, and :thumbsup: to BleepingComputer!

Can you please run a scan with Rootrepeal?

ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#3 xcrystalxartsavesx

xcrystalxartsavesx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 18 October 2009 - 02:50 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/18 03:28
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8D8C1000 Size: 753664 File Visible: No Signed: -
Status: -

Name: PctWfpFilter.sys
Image Path: \ArcName\multi(0)disk(0)rdisk(0)partition(2)\Windows\system32\drivers\PctWfpFilter.sys
Address: 0x87FBC000 Size: 118784 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA9965000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{97720221-b057-11de-a44a-dbc64eb11efb}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9772023c-b057-11de-a44a-dbc64eb11efb}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9772025a-b057-11de-a44a-db5d778afdad}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ac76583c-ac44-11de-b44a-b032c5a85141}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ac765852-ac44-11de-b44a-b032c5a85141}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ac765858-ac44-11de-b44a-b032c5a85141}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b8ae82eb-ac49-11de-a570-951e8640cc7b}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b8ae831e-ac49-11de-a570-951e8640cc7b}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b8ae832a-ac49-11de-a570-951e8640cc7b}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b8ae8337-ac49-11de-a570-951e8640cc7b}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{384df0a1-ab37-11de-af96-d9e2e1707175}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{40f73f32-abde-11de-9383-91d0cd9a0052}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{47853703-ac93-11de-bfb8-b094f0723079}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c3de23df-ab86-11de-9686-cf1b0fafd379}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c3de23e5-ab86-11de-9686-cf1b0fafd379}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c3de23eb-ab86-11de-9686-cf1b0fafd379}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c3de2401-ab86-11de-9686-cf1b0fafd379}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: c:\program files\pc tools firewall plus\fwservice.txt
Status: Allocation size mismatch (API: 8, Raw: 0)

Path: C:\Windows\System32\NLSLEX~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NLSLEX~2.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NLSLEX~3.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL04CE~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL0CCE~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL00DE~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL08DE~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL100C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL140C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL1C0C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL102C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL142C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL14CC~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL10DC~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL100A~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL140A~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL180A~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL101A~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL181A~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL1C1A~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL14CA~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL1428~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL14D8~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL141E~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL181E~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL1C1E~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL142E~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL14C6~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL18C6~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL14D6~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL181C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL102C~2.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL182C~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL14DC~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL1A2D~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NLSMOD~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL18CC~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\NL1CC6~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\PLA\System\System Diagnostics.xml:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_5c94f2bbe7d4aaf6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugmfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_bfff6c932d60651e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16651_none_3fe50116c43e1596\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16721_none_400572c0c425beea\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16772_none_3fd0636ec44d63f6\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16917_none_40164834c4183551\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18165_none_41c472dec16924fb\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_9eec237d3c4b6ca7\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_9eec237d3c4b6ca7\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_9eec237d3c4b6ca7\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_9f30df98559d4ebb\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_9f30df98559d4ebb\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_9f30df98559d4ebb\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_a0ca5ded397935b9\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_a0ca5ded397935b9\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_a0ca5ded397935b9\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6000.16720_none_a54ef540d05f91fc\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6000.20883_none_8e870be4ea01d6ef\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6001.18111_none_a529d9f6d0b19e9d\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_mof_b03f5f7f11d50a3a_6.0.6001.22230_none_8e5e4a92ea5717b0\ASPNET~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.16720_none_7c654fdc62654993\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.20883_none_659d66807c078e86\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.18111_none_7c40349262b75634\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.22230_none_6574a52e7c5ccf47\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac535\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a28\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.16720_none_c39efe8a3f927437\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.20883_none_acd7152e5934b92a\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.18111_none_c379e3403fe480d8\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.22230_none_acae53dc5989f9eb\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.16720_none_7081409dee51e2d7\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.20883_none_59b9574207f427ca\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.18111_none_705c2553eea3ef78\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.22230_none_599095f00849688b\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.0.6001.18111_none_75c874a9a137a5f0\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.18111_none_a335242e0936a3fd\INSTAL~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.18111_none_a335242e0936a3fd\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.16720_none_173a294b153205b9\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.20883_none_00723fef2ed44aac\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18000_none_171424a31584df11\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18111_none_17150e011584125a\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.22230_none_00497e9d2f298b6d\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6002.18005_none_16efa9df15d67325\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6000.16720_none_ea5553f167a4fe69\REGSVC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6000.20883_none_d38d6a958147435c\REGSVC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.16708_none_1dbee32b03599791\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.20864_none_1e039f461cab79a5\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.18096_none_1f41d00b00caf426\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.22208_none_202ebe9c199dc84c\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6002.18005_none_218896a6fda92bef\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\WiProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1172 Status: Locked to the Windows API!

SSDT
-------------------
#: 018 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf45e0

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4216

#: 042 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf42ce

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4310

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf43be

#: 072 Function Name: NtCreateProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4c66

#: 073 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4cf2

#: 078 Function Name: NtCreateThread
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4d82

#: 116 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf440e

#: 129 Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4450

#: 165 Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4494

#: 189 Function Name: NtOpenKey
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf44d6

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4518

#: 201 Function Name: NtOpenThread
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf455a

#: 210 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4628

#: 276 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf459c

#: 280 Function Name: NtRestoreKey
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf466a

#: 282 Function Name: NtResumeThread
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf46b2

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4742

#: 324 Function Name: NtSetValueKey
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf46f4

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf47e6

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4828

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf486a

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf48b8

#: 382 Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4e24

#: 383 Function Name: NtCreateUserProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4bf6

Shadow SSDT
-------------------
#: 317 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf48fa

#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4a0e

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4a66

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4abe

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4b16

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4bac

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\system32\drivers\PCTAppEvent.sys" at address 0x8dbf4b5e

==EOF==

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,644 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:16 PM

Posted 18 October 2009 - 03:11 AM

Can you please start MBAM, and look on the Logs tab. See if you can find the log in which is showed what items were detected/deleted. If you find it, post it here.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#5 xcrystalxartsavesx

xcrystalxartsavesx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 18 October 2009 - 03:22 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2900
Windows 6.0.6001 Service Pack 1

10/3/2009 7:04:08 PM
mbam-log-2009-10-03 (19-04-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 252576
Time elapsed: 2 hour(s), 49 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d97fc677-694d-4a75-ac89-a5b85c2bcfed} (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7adf7c1-14fb-4110-b2df-187884cac12a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\kdiue732.txt (Malware.Trace) -> Quarantined and deleted successfully.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,644 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:16 PM

Posted 18 October 2009 - 03:32 AM

Please follow the steps below...

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job.
Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#7 xcrystalxartsavesx

xcrystalxartsavesx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 18 October 2009 - 10:27 AM

I did the TFC, when i first ran it; it instantly went to what we call at work "the blue screen of death", its the all blue screen that dumps physical memory...then i restarted the computer and I got this..( i dont know if this matters to you) its the first time i have ever gotten this message. I have PC TOOLS firewall and this is what it said : "Some of the firewall initialization files have been tampered with by an external source. These files have been restored to provide maximum security for your system. You are advised to run an Anti-Spyware product to make sure your system is clean from malware."

I then went to run TFC again, this time it finished and went to restart but right before it restarted the computer it went to the blue screen and dump physical memory again...

Then I ran ESET. The first time i ran that it was done within seconds like lightening fast and it just said nothing found. There was no threat list i could click or anything and everything was zero... I thought it was odd...So i did it again..

C:\Users\John\Downloads\vlcsetup.exe probably a variant of Win32/Genetik trojan

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,644 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:16 PM

Posted 18 October 2009 - 11:02 AM

Lets scan here also for hardware conflicts. You mentioned you ran Dr. Web already, please do so again as per instructions below (download a fresh copy).

Please download ConflictInfo by aommaster to your desktop.
  • Double click Posted Image
  • Press Posted Image to begin.
  • It shall produce a ConflictInfo.txt on your desktop.
  • Please copy and paste the log in your next reply.
DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#9 xcrystalxartsavesx

xcrystalxartsavesx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 18 October 2009 - 05:59 PM

Conflict Info results:

Logfile of Aommaster's ConflictInfo v.1.0.0
#############
Conflicting Devices
#############
----------------------------
Name: 6TO4 Adapter
----------------------------
Manufacturer: Microsoft
Description: Microsoft 6to4 Adapter
Problem: Device is not working properly. Windows cannot load the required device drivers

----------------------------
Name: isatap.hsd1.pa.comcast.net.
----------------------------
Manufacturer: Microsoft
Description: Microsoft ISATAP Adapter
Problem: Device is not working properly. Windows cannot load the required device drivers

----------------------------
Name: isatap.{4A9DCEBD-31C1-49F1-95AA-F64B1D22A92D}
----------------------------
Manufacturer: Microsoft
Description: Microsoft ISATAP Adapter
Problem: Device is not working properly. Windows cannot load the required device drivers

----------------------------
Name: isatap.{4A9DCEBD-31C1-49F1-95AA-F64B1D22A92D}
----------------------------
Manufacturer: Microsoft
Description: Microsoft ISATAP Adapter
Problem: Device is not working properly. Windows cannot load the required device drivers


~~~EOF~~~

DrWeb Cure it. Found nothing. Everything was zero.

#10 xcrystalxartsavesx

xcrystalxartsavesx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 18 October 2009 - 07:29 PM

Thank you for all your help. I dont know what happened but after I posted my last post....i realized a little bit later my windows defender was on and working again, and then i tried to redownload the AVG internet sercurity and downloaded this time! I am just going to stick with it instead of norton. But everything seems to be okay now, i guess.

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,644 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:16 PM

Posted 19 October 2009 - 01:08 AM

The ConflictInfo log shows a few problems, that according to Microsoft are glitches, so I will leave those alone.

Keep in mind that PCTools firewall is a resource-consuming application. Vista has a good in-build firewall. I would recommend to uninstall PCTools firewall and turning on Vista firewall.

Edited by elise025, 19 October 2009 - 01:41 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#12 xcrystalxartsavesx

xcrystalxartsavesx
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Steeler Country
  • Local time:03:16 PM

Posted 20 October 2009 - 01:13 AM

thanks for all your help. I didnt know that about PC tools. My VISTA firewall was disabled and it wouldnt come back on when i had the problem. BUt when defender went back up it let me turn back on the firewall. I turned it on and because my AVG internet security has a firewall to i got them both on and i uninstalled the PC tools one. I just didnt know what to do at the time cause whatever it was it was disabling all my virus and spyware protectors. I think probably between malware bytes and drweb cure it. it grabbed all the trojans and that one TFC scan it seem to be after that things got better so maybe it cleaned something out that was left.

thanks so much!!! :thumbsup:

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,644 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:16 PM

Posted 20 October 2009 - 01:42 AM

Its normal Vista firewall was down once you had PC Tools installed. Its not a good idea to have two firewalls enabled at the same time, since they start competing each other and let all baddies slip by in the process.

Please follow the steps below and read the information to keep staying safe :trumpet:

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :flowers:.
Some more links you might find of interest:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users