
Is it really gone?


This topic is locked
6 replies to this topic

#1 Miyuki

Miyuki

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 12 December 2009 - 09:40 PM

alright so many many months ago my laptop got a nasty virus called win32 virut, and let's just say....whoever made it should suffer a horrible torturous death D8 it is a demon and I lost everything on my laptop. Now, after that I sort of jump at anything that says win32, and yesterday (on my birthday D8) I had an oopsie moment and downloaded a program with a trojan. Kaspersky found some of it, and warned me that it was trying to edit run.dll. So I told it NO, don't edit, and for some reason kaspersky said it was modified. So at this point I freaked and turned off my net connection (to prevent it populating itself or spreading) and started scanning, which is a long process. Now Kaspersky only found one thing, but it freaked me out because it said 'win32' in it and I was going spastic that I might lose several years' worth of programs and files if it's what I had before. I backed up my most important files and have been scanning since but kaspersky hasn't found anything. I am still nervous so I want to know how do I know it's really gone for good? I don't want something to be hidden somewhere, and turn my net on just to find it populating like bubbles in a bubble bath! What was found was called trojan.win32.antavmu.gaz (looked through kaspersky's found and deleted viruses to get the name) so what I want to know is what you people think of this and what suggestions you have. I am currently scanning for the fourth time (yah, I am that paranoid ;XD) though this time in safemode, and it hasn't found anything yet. It's at 75%. I caught this thing the second it happened so I hope I stopped it, I just want to be certain ^^ so I'm hoping you can help me make sure I am safe =)

p.s. I am using my laptop at the moment, since I am too nervous to turn the net back on my desktop just yet XD

IN SHORT here is what I am asking. Kaspersky found and deleted trojan.win32.antavmu.gaz on my desktop computer. My laptop is clean, hard drive replaced and everything, so it's not an issue. The beginning is about an OLD issue, leading up to why I am so paranoid about this thing that was found, because I recognize the term win32 from the last one. But, NOTHING found has virut in the name, so I am not sure if it's the same thing or not, which is why I am asking. I want to know if I have to reformat my desktop or not. As of now Kaspersky is finding nothing on my computer; I just want to make sure it really IS clean before I reconnect my net since I don't want to risk it populating from it. Whatever you need me to do to get more information I can do, unless you know what that term means and can tell me right off if I am screwed or fine.

Edited by Miyuki, 12 December 2009 - 10:34 PM.




#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:34 AM

Posted 12 December 2009 - 09:56 PM

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
If your laptop uses a recovery partition, chances are that it could also be infected

It is recommended to use the installation disk that came with the computer
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
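The HOSTS-file tampering mentioned in the reply above (Virut variants that block access to security sites) is something a reader can check for directly. The script below is an added example and is not from this thread, from RootRepeal, or from any vendor named here: it parses a Windows HOSTS file and reports every watched security-vendor domain that has been mapped to loopback or redirected to another address. The watch list, the sample HOSTS text and the function names are constructed for illustration.

```python
"""Audit a Windows HOSTS file for entries that hijack security-vendor domains.

Added example (not from this thread): the reply above notes that some Virut
variants edit the HOSTS file to block security-related sites. This parses
HOSTS content and flags watched domains mapped to loopback or to any other
address. The watch list and sample HOSTS text are constructed for illustration.
"""
import ipaddress

# Constructed watch list of vendor/update domains that malware commonly blackholes.
SECURITY_DOMAINS = {
    "kaspersky.com", "malwarebytes.org", "bleepingcomputer.com",
    "microsoft.com", "avg.com", "mcafee.com", "trendmicro.com",
}

# The only addresses that are legitimate for the localhost entries.
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Constructed sample: a stock XP HOSTS file with three hostile lines added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       malwarebytes.org   # added by malware
198.51.100.23   update.microsoft.com
::1             localhost
"""


def parse_hosts(text):
    """Return [(lineno, ip, [hostnames])] for every active mapping line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an "ip host..." line
        entries.append((lineno, ip, [h.lower() for h in parts[1:]]))
    return entries


def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return findings as (lineno, hostname, ip, reason), in file order."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost" or host.endswith(".localdomain"):
                continue                          # normal loopback entries
            if is_watched(host):
                reason = ("blackholed to loopback" if ip in LOOPBACK
                          else "redirected to " + str(ip))
                findings.append((lineno, host, str(ip), reason))
    return findings


if __name__ == "__main__":
    for lineno, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (lineno, host, ip, reason))
```

On a real machine the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; a clean stock file contains only the localhost lines, so any hit from this check is worth showing a helper. The check runs on a copy of the file and changes nothing.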

#3 Miyuki

Miyuki
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 12 December 2009 - 10:07 PM

well I know that is what I had before on my laptop, and the hard drive has actually been replaced since (long story) and isn't the issue. So..you are saying my desktop has the same thing!? Fu..dge D8 I was hoping it could be saved =( before on my laptop my virus scanner found thousands of viruses. With this one it stopped finding them. Is it really the same thing? D8

#4 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:34 AM

Posted 13 December 2009 - 07:15 PM

Thank you for adding the edit

There is no fool-proof way to guarantee to remain virus-free. Just remember to keep your AV and malware scanners up to date and to scan often.


To set your mind at ease, run these:


The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

=============================

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
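For readers who want to pre-sort a RootRepeal log of the kind requested above before posting it, here is an added example that is not RootRepeal's code and not part of this thread. It parses the "Drivers" and "Hidden/Locked Files" sections of the text log the tool writes and groups the entries by the kind of look a helper would give them: hidden drivers with only a bare filename, hidden driver objects with no file path, hidden files whose API size and raw on-disk size disagree, files visible to the API but absent from disk, and locked files. The sample log is constructed to mirror the format of the log posted later in this thread; the bucket names and the SCANNER_DRIVERS set are assumptions of this example rather than RootRepeal terminology, and sorting an entry into a bucket says nothing about whether it is malicious.

```python
"""Pre-sort a RootRepeal scan log into review buckets.

Added example, not RootRepeal's own code: parses the "Drivers" and
"Hidden/Locked Files" sections of the tool's text log and groups entries by
the kind of look a helper would give them. SAMPLE_LOG is constructed to mirror
the log format posted in this thread; bucket names and SCANNER_DRIVERS are
assumptions of this example, not RootRepeal terminology.
"""
import re

SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: nnchj.sys
Image Path: nnchj.sys
Address: 0xF75F7000 Size: 54016 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFED1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\fidbox.dat
Status: Size mismatch (API: 5700384, Raw: 5678880)

Path: C:\Documents and Settings\Owner\example\Downloaded.frx:{stream}.XPRESS
Status: Visible to the Windows API, but not on disk.
"""

# One "Address: .. Size: .. File Visible: .. Signed: .." line packs four fields.
FIELD_RE = re.compile(
    r"(Name|Image Path|Address|Size|File Visible|Signed|Status|Path): "
    r"(.*?)(?= (?:Size|File Visible|Signed): |$)")
SCANNER_DRIVERS = {"rootrepeal.sys"}   # the tool's own hidden driver (assumed name)


def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record is a dict of the log's fields."""
    sections, section, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and re.fullmatch(r"-{5,}", nxt):   # header above a dashed rule
            if section and record:
                sections[section].append(record)
            section, record = line.strip(), {}
            sections[section] = []
        elif section is None or re.fullmatch(r"[-=]{5,}", line.strip()):
            continue                                        # banner or rule line
        elif not line.strip():                              # blank line ends a record
            if record:
                sections[section].append(record)
            record = {}
        else:
            for key, val in FIELD_RE.findall(line):
                record[key] = val.strip()
    if section and record:
        sections[section].append(record)
    return sections


def triage(sections):
    """Group parsed records into buckets: {bucket_name: [items]}."""
    out = {"hidden_driver_bare_name": [], "hidden_driver_object": [],
           "size_mismatch": [], "api_only": [], "locked": []}
    for d in sections.get("Drivers", []):
        if d.get("File Visible") != "No" or d.get("Name", "").lower() in SCANNER_DRIVERS:
            continue
        path = d.get("Image Path", "")
        if path.startswith("\\Driver\\"):       # driver object with no file path listed
            out["hidden_driver_object"].append(d["Name"])
        elif "\\" not in path:                  # bare filename and the file is not visible
            out["hidden_driver_bare_name"].append(d["Name"])
    for f in sections.get("Hidden/Locked Files", []):
        status = f.get("Status", "")
        m = re.search(r"Size mismatch \(API: (\d+), Raw: (\d+)\)", status)
        if m:   # store API size minus raw on-disk size
            out["size_mismatch"].append((f["Path"], int(m.group(1)) - int(m.group(2))))
        elif status.startswith("Visible to the Windows API, but not on disk"):
            out["api_only"].append(f["Path"])
        elif status.startswith("Locked"):
            out["locked"].append(f["Path"])
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_rootrepeal(SAMPLE_LOG)).items():
        print("%-24s %s" % (bucket, items))
```

To use it on a saved report, read the file into a string and pass it to `parse_rootrepeal`, then `triage`. The "size mismatch" bucket carries the byte difference because a file that is still being written by a running program (a log or database) legitimately shows a small gap, while a locked page file such as hiberfil.sys is expected on any XP machine; the post itself, not this sort, is what a helper judges.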

#5 Miyuki

Miyuki
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 14 December 2009 - 02:42 AM

Okay so I did a scan with the mbam one and it came up with some stuff and cleared everything after a reboot. I scanned again just to be sure and it didn't find anything. Then I ran a rootkit scan and this is the log



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/13 23:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: nnchj.sys
Image Path: nnchj.sys
Address: 0xF75F7000 Size: 54016 File Visible: No Signed: -
Status: -

Name: PCI_PNP4170
Image Path: \Driver\PCI_PNP4170
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFED1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sprr.sys
Image Path: sprr.sys
Address: 0xF7436000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\fidbox.dat
Status: Size mismatch (API: 5700384, Raw: 5678880)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp7\report\4e8e_file_monitoring_eventlog.rpt
Status: Size mismatch (API: 29778528, Raw: 29424537)

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\54\119-{D5224450-DF60-41C4-9338-051809515C30}-v154-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v119-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\00\50-{D5224450-DF60-41C4-9338-051809515C30}-v100-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v50-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\04\171-{D5224450-DF60-41C4-9338-051809515C30}-v204-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v171-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\06\173-{D5224450-DF60-41C4-9338-051809515C30}-v206-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v173-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\06\55-{D5224450-DF60-41C4-9338-051809515C30}-v106-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v55-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\10\77-{D5224450-DF60-41C4-9338-051809515C30}-v110-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v77-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\11\179-{D5224450-DF60-41C4-9338-051809515C30}-v211-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v179-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\12\75-{D5224450-DF60-41C4-9338-051809515C30}-v112-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v75-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\13\79-{D5224450-DF60-41C4-9338-051809515C30}-v113-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v79-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\15\83-{D5224450-DF60-41C4-9338-051809515C30}-v115-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v83-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\16\182-{D5224450-DF60-41C4-9338-051809515C30}-v216-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v182-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\17\183-{D5224450-DF60-41C4-9338-051809515C30}-v217-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v183-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\18\184-{D5224450-DF60-41C4-9338-051809515C30}-v218-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v184-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\19\185-{D5224450-DF60-41C4-9338-051809515C30}-v219-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v185-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\19\82-{D5224450-DF60-41C4-9338-051809515C30}-v119-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v82-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\20\186-{D5224450-DF60-41C4-9338-051809515C30}-v220-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v186-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\20\87-{D5224450-DF60-41C4-9338-051809515C30}-v120-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v87-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\23\189-{D5224450-DF60-41C4-9338-051809515C30}-v223-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v189-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\24\190-{D5224450-DF60-41C4-9338-051809515C30}-v224-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v190-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\25\191-{D5224450-DF60-41C4-9338-051809515C30}-v225-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v191-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\27\93-{D5224450-DF60-41C4-9338-051809515C30}-v127-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v93-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\28\94-{D5224450-DF60-41C4-9338-051809515C30}-v128-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v94-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\29\195-{D5224450-DF60-41C4-9338-051809515C30}-v229-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v195-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\30\196-{D5224450-DF60-41C4-9338-051809515C30}-v230-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v196-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\31\197-{D5224450-DF60-41C4-9338-051809515C30}-v231-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v197-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\33\100-{D5224450-DF60-41C4-9338-051809515C30}-v133-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v100-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\34\101-{D5224450-DF60-41C4-9338-051809515C30}-v134-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v101-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\35\102-{D5224450-DF60-41C4-9338-051809515C30}-v135-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v102-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\36\103-{D5224450-DF60-41C4-9338-051809515C30}-v136-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v103-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\40\107-{D5224450-DF60-41C4-9338-051809515C30}-v140-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v107-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\44\110-{D5224450-DF60-41C4-9338-051809515C30}-v144-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v110-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\49\114-{D5224450-DF60-41C4-9338-051809515C30}-v149-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v114-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\50\115-{D5224450-DF60-41C4-9338-051809515C30}-v150-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v115-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\51\116-{D5224450-DF60-41C4-9338-051809515C30}-v151-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v116-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\52\29-{D5224450-DF60-41C4-9338-051809515C30}-v52-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\53\118-{D5224450-DF60-41C4-9338-051809515C30}-v153-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v118-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\55\120-{D5224450-DF60-41C4-9338-051809515C30}-v155-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v120-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\56\121-{D5224450-DF60-41C4-9338-051809515C30}-v156-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v121-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\57\122-{D5224450-DF60-41C4-9338-051809515C30}-v157-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v122-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\57\19-{D5224450-DF60-41C4-9338-051809515C30}-v57-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\58\123-{D5224450-DF60-41C4-9338-051809515C30}-v158-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v123-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\58\21-{D5224450-DF60-41C4-9338-051809515C30}-v58-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\60\125-{D5224450-DF60-41C4-9338-051809515C30}-v160-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v125-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\61\126-{D5224450-DF60-41C4-9338-051809515C30}-v161-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v126-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\62\27-{D5224450-DF60-41C4-9338-051809515C30}-v62-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\63\28-{D5224450-DF60-41C4-9338-051809515C30}-v63-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\64\130-{D5224450-DF60-41C4-9338-051809515C30}-v164-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v130-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\65\31-{D5224450-DF60-41C4-9338-051809515C30}-v65-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v31-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\66\132-{D5224450-DF60-41C4-9338-051809515C30}-v166-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v132-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\67\133-{D5224450-DF60-41C4-9338-051809515C30}-v167-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v133-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\69\135-{D5224450-DF60-41C4-9338-051809515C30}-v169-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v135-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\70\136-{D5224450-DF60-41C4-9338-051809515C30}-v170-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v136-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\70\36-{D5224450-DF60-41C4-9338-051809515C30}-v70-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v36-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\71\137-{D5224450-DF60-41C4-9338-051809515C30}-v171-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v137-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\73\139-{D5224450-DF60-41C4-9338-051809515C30}-v173-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v139-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\74\140-{D5224450-DF60-41C4-9338-051809515C30}-v174-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v140-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\75\41-{D5224450-DF60-41C4-9338-051809515C30}-v75-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v41-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\76\142-{D5224450-DF60-41C4-9338-051809515C30}-v176-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v142-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\77\43-{D5224450-DF60-41C4-9338-051809515C30}-v77-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v43-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\79\145-{D5224450-DF60-41C4-9338-051809515C30}-v179-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v145-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\81\147-{D5224450-DF60-41C4-9338-051809515C30}-v181-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v147-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\83\149-{D5224450-DF60-41C4-9338-051809515C30}-v183-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v149-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\84\150-{D5224450-DF60-41C4-9338-051809515C30}-v184-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v150-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\84\66-{D5224450-DF60-41C4-9338-051809515C30}-v84-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v66-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\85\67-{D5224450-DF60-41C4-9338-051809515C30}-v85-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v67-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\86\152-{D5224450-DF60-41C4-9338-051809515C30}-v186-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v152-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\87\153-{D5224450-DF60-41C4-9338-051809515C30}-v187-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v153-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\87\69-{D5224450-DF60-41C4-9338-051809515C30}-v87-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v69-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\90\156-{D5224450-DF60-41C4-9338-051809515C30}-v190-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v156-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\90\64-{D5224450-DF60-41C4-9338-051

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09531e0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09512f0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944750

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0952f10

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0953080

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0953d00

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09537b0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954600

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944860

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09448e0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0953380

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944990

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944a40

#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944af0

#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944b70

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0950e50

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945590

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944b90

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944c70

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xbae28030

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944d50

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0952d00

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0953b20

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944e30

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944ee0

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09542b0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0944f90

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945070

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0951900

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945100

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09545b0

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945300

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954940

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954f60

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945390

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb094fa10

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09539a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945430

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954560

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09511b0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954150

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0945550

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0953240

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x89b5c020, TID: 1488]
Process: avp.exe (PID: 1484) Address: 0x0041ee88 Size: -

Object: Hidden Thread [ETHREAD: 0x89886298, TID: 1496]
Process: avp.exe (PID: 1484) Address: 0x77dede99 Size: -

Object: Hidden Thread [ETHREAD: 0x8996bc88, TID: 1500]
Process: avp.exe (PID: 1484) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x89800da8, TID: 1620]
Process: avp.exe (PID: 1484) Address: 0x10002490 Size: -

Object: Hidden Thread [ETHREAD: 0x89b30a00, TID: 1696]
Process: avp.exe (PID: 1484) Address: 0x02e13272 Size: -

Object: Hidden Thread [ETHREAD: 0x89923da8, TID: 1816]
Process: avp.exe (PID: 1484) Address: 0x68101131 Size: -

Object: Hidden Thread [ETHREAD: 0x897be020, TID: 248]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x89771468, TID: 276]
Process: avp.exe (PID: 1484) Address: 0x039120de Size: -

Object: Hidden Thread [ETHREAD: 0x899d0870, TID: 652]
Process: avp.exe (PID: 1484) Address: 0x77e76bf9 Size: -

Object: Hidden Thread [ETHREAD: 0x89ca9498, TID: 672]
Process: avp.exe (PID: 1484) Address: 0x6a104ad0 Size: -

Object: Hidden Thread [ETHREAD: 0x899425f8, TID: 664]
Process: avp.exe (PID: 1484) Address: 0x6a104590 Size: -

Object: Hidden Thread [ETHREAD: 0x899da7c8, TID: 668]
Process: avp.exe (PID: 1484) Address: 0x302f6ab0 Size: -

Object: Hidden Thread [ETHREAD: 0x896a8940, TID: 660]
Process: avp.exe (PID: 1484) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x897d1638, TID: 116]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x89b351e8, TID: 884]
Process: avp.exe (PID: 1484) Address: 0x06066554 Size: -

Object: Hidden Thread [ETHREAD: 0x89ba3968, TID: 1104]
Process: avp.exe (PID: 1484) Address: 0x6a104ad0 Size: -

Object: Hidden Thread [ETHREAD: 0x896c7290, TID: 1072]
Process: avp.exe (PID: 1484) Address: 0x6a104590 Size: -

Object: Hidden Thread [ETHREAD: 0x8968f2e0, TID: 1132]
Process: avp.exe (PID: 1484) Address: 0x6a104ad0 Size: -

Object: Hidden Thread [ETHREAD: 0x897be888, TID: 1172]
Process: avp.exe (PID: 1484) Address: 0x6a104590 Size: -

Object: Hidden Thread [ETHREAD: 0x89ba3da8, TID: 1184]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x8968f720, TID: 1188]
Process: avp.exe (PID: 1484) Address: 0x61f0baac Size: -

Object: Hidden Thread [ETHREAD: 0x897a37a0, TID: 1192]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x898495c8, TID: 1208]
Process: avp.exe (PID: 1484) Address: 0x071c2560 Size: -

Object: Hidden Thread [ETHREAD: 0x8977b7a0, TID: 1212]
Process: avp.exe (PID: 1484) Address: 0x071c2560 Size: -

Object: Hidden Thread [ETHREAD: 0x8980c3a0, TID: 1228]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x898825e8, TID: 1276]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x89bdf888, TID: 1316]
Process: avp.exe (PID: 1484) Address: 0x05de1990 Size: -

Object: Hidden Thread [ETHREAD: 0x8982e3a0, TID: 2376]
Process: avp.exe (PID: 1484) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x897bbc70, TID: 2524]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x896c63b8, TID: 2636]
Process: avp.exe (PID: 1484) Address: 0x7c927125 Size: -

Object: Hidden Thread [ETHREAD: 0x8994a280, TID: 2644]
Process: avp.exe (PID: 1484) Address: 0x7c928c87 Size: -

Object: Hidden Thread [ETHREAD: 0x896cda20, TID: 3036]
Process: avp.exe (PID: 1484) Address: 0x769c8831 Size: -

Object: Hidden Thread [ETHREAD: 0x894ef320, TID: 2112]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x88091c20, TID: 3376]
Process: avp.exe (PID: 1484) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x898a43c8, TID: 2404]
Process: avp.exe (PID: 2400) Address: 0x0041ee88 Size: -

Object: Hidden Thread [ETHREAD: 0x89bdfda8, TID: 2584]
Process: avp.exe (PID: 2400) Address: 0x10002490 Size: -

Object: Hidden Thread [ETHREAD: 0x89c17418, TID: 2600]
Process: avp.exe (PID: 2400) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x898ac970, TID: 2608]
Process: avp.exe (PID: 2400) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x8977e020, TID: 2612]
Process: avp.exe (PID: 2400) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x89813988, TID: 2676]
Process: avp.exe (PID: 2400) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x899aa8a0, TID: 2680]
Process: avp.exe (PID: 2400) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x8967ab08, TID: 2812]
Process: avp.exe (PID: 2400) Address: 0x6bc04e5c Size: -

Object: Hidden Thread [ETHREAD: 0x8992c770, TID: 2816]
Process: avp.exe (PID: 2400) Address: 0x72d230e8 Size: -

Object: Hidden Thread [ETHREAD: 0x89884890, TID: 2820]
Process: avp.exe (PID: 2400) Address: 0x76b44dd6 Size: -

Object: Hidden Thread [ETHREAD: 0x896bbda8, TID: 3628]
Process: avp.exe (PID: 2400) Address: 0x68001a50 Size: -

Object: Hidden Thread [ETHREAD: 0x878d06d0, TID: 400]
Process: avp.exe (PID: 2400) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x85111da8, TID: 3840]
Process: avp.exe (PID: 2400) Address: 0x77e76bf9 Size: -

Object: Hidden Code [ETHREAD: 0x89999510]
Process: System Address: 0x89645020 Size: 1584

Object: Hidden Code [ETHREAD: 0x89974da8]
Process: System Address: 0x89623000 Size: 87

Object: Hidden Code [ETHREAD: 0x89972be8]
Process: System Address: 0x89618770 Size: 887

Object: Hidden Code [ETHREAD: 0x8975e460]
Process: System Address: 0x89623000 Size: 87

Object: Hidden Code [ETHREAD: 0x89923958]
Process: System Address: 0x895f07e0 Size: 87

Object: Hidden Code [ETHREAD: 0x8998cda8]
Process: System Address: 0x895f07e0 Size: 87

Object: Hidden Code [ETHREAD: 0x89652600]
Process: System Address: 0x895f27d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x89b31890]
Process: System Address: 0x895f27d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x89973da8]
Process: System Address: 0x895f27d0 Size: 2097

Object: Hidden Code [ETHREAD: 0x89653da8]
Process: System Address: 0x895f07e0 Size: 87

Object: Hidden Code [ETHREAD: 0x89907b30]
Process: System Address: 0x88e85190 Size: 87

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a0c31f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x896a2500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a0541f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89e751f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_CREATE]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_CLOSE]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_POWER]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_PNP]
Process: System Address: 0x89e5f1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89ebd500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a0c51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89916500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89916500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89916500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89916500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89916500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89916500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89ebe500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8988d500 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_CREATE]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_CLOSE]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_READ]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_CLEANUP]
Process: System Address: 0x89ba81f8 Size: 121

Object: Hidden Code [Driver: CdfsЅ卆浩桠뎘Ђః瑎て椘유, IRP_MJ_PNP]
Process: System Address: 0x89ba81f8 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0951080

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09519e0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0950a20

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb094f920

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb094f9a0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb094f960

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0950920

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954d40

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb09509d0

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb094fe90

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954b30

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0954d90

==EOF==


I hope that helps to see if my computer is clean or not. I don't know what all that means.

#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:34 AM

Posted 14 December 2009 - 06:19 PM

Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_INTERNAL_DEVICE_CONTROL]

You're still infected.
I recommend you submit a DDS log for review.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS, which will create a Pseudo HJT Report as part of its log.

You will also be instructed to create a RootRepeal log. Use the one you just ran.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient, and good luck.
Mark
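The reply above singles out one line of the RootRepeal log. As an added example (not part of this thread and not RootRepeal's own code), the Python script below shows how an analyst can triage such a log rather than eyeball it: it parses the two sections RootRepeal printed, the "Hidden Code" entries for each driver's IRP_MJ_* dispatch routines and the Shadow SSDT table, groups the IRP hooks per driver and handler address, and notes any driver object whose name is not printable ASCII, which is exactly what the "acfgr0y2" entry looks like. SAMPLE_LOG is a constructed, abridged copy of the posted log in RootRepeal's format. The notes are observations for a human to weigh, not a verdict: hooks attributed to klif.sys are expected here because klif.sys is Kaspersky's own filter driver and the poster runs Kaspersky.

```python
"""Triage helper for a RootRepeal log. Added example: not RootRepeal's code and not from
the thread. It parses the "Hidden Code" IRP dispatch entries and the Shadow SSDT table."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: an abridged copy of the log posted above, in RootRepeal's format.
SAMPLE_LOG = r"""
Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_POWER]
Process: System Address: 0x89e5f1f8 Size: 121
Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e5f1f8 Size: 121
Object: Hidden Code [Driver: acfgr0y2؅౨瑎晦܂╚䩈, IRP_MJ_PNP]
Process: System Address: 0x89e5f1f8 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89ebd500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89ebd500 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb0951080
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xb094f920
==EOF==
"""

class IrpHook(NamedTuple):
    driver: str
    irp: str
    addr: int
    size: int

class SsdtHook(NamedTuple):
    index: int
    function: str
    module: str
    addr: int

class DriverFinding(NamedTuple):
    driver: str
    irps: Tuple[str, ...]
    handlers: Tuple[int, ...]  # distinct hook addresses seen for this driver
    notes: Tuple[str, ...]

HOOK_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
ADDR_RE = re.compile(r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$")
SSDT_RE = re.compile(r"^#: (?P<idx>\d+) Function Name: (?P<fn>\w+)$")
STATUS_RE = re.compile(r'^Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')

def parse_rootrepeal(text: str) -> Tuple[List[IrpHook], List[SsdtHook]]:
    """Each record is a header line followed by one detail line; pair them up."""
    irp_hooks: List[IrpHook] = []
    ssdt_hooks: List[SsdtHook] = []
    pending = None  # header of the record whose detail line is expected next
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            pending = ("irp", m["driver"], m["irp"])
        elif m := SSDT_RE.match(line):
            pending = ("ssdt", int(m["idx"]), m["fn"])
        elif (m := ADDR_RE.match(line)) and pending and pending[0] == "irp":
            irp_hooks.append(IrpHook(pending[1], pending[2], int(m["addr"], 16), int(m["size"])))
            pending = None
        elif (m := STATUS_RE.match(line)) and pending and pending[0] == "ssdt":
            ssdt_hooks.append(SsdtHook(pending[1], pending[2], m["module"], int(m["addr"], 16)))
            pending = None
    return irp_hooks, ssdt_hooks

def is_printable_ascii(name: str) -> bool:
    return all(32 <= ord(c) < 127 for c in name)

def triage(irp_hooks: List[IrpHook], ssdt_hooks: List[SsdtHook]):
    """Group IRP hooks per driver and Shadow SSDT hooks per owning module."""
    per_driver: Dict[str, List[IrpHook]] = defaultdict(list)
    for h in irp_hooks:
        per_driver[h.driver].append(h)
    findings = []
    for name, hooks in per_driver.items():
        handlers = tuple(sorted({h.addr for h in hooks}))
        notes = []
        # RootRepeal prints the driver object name as read from memory; real Windows
        # driver names are plain ASCII, so garbage code points after a short stem stand out.
        if not is_printable_ascii(name):
            notes.append("driver name is not printable ASCII")
        if len(hooks) > 1 and len(handlers) == 1:
            notes.append(f"{len(hooks)} IRP_MJ entries all resolve to {handlers[0]:#010x}")
        findings.append(DriverFinding(name, tuple(h.irp for h in hooks), handlers, tuple(notes)))
    # klif.sys is Kaspersky's own filter driver, so Shadow SSDT hooks it owns are expected
    # on a machine running Kaspersky; hooks owned by any other module need explaining.
    by_module: Dict[str, List[str]] = defaultdict(list)
    for s in ssdt_hooks:
        by_module[s.module].append(s.function)
    return findings, dict(by_module)

def suspicious_drivers(findings: List[DriverFinding]) -> List[str]:
    return [f.driver for f in findings if not is_printable_ascii(f.driver)]

if __name__ == "__main__":
    found, owners = triage(*parse_rootrepeal(SAMPLE_LOG))
    for f in found:
        stem = "".join(c for c in f.driver if 32 <= ord(c) < 127)  # readable part of the name
        print(f"driver {stem!r}: {len(f.irps)} hooked IRP_MJ entries, notes: {f.notes}")
    for mod, fns in owners.items():
        print(f"Shadow SSDT hooks owned by {mod}: {', '.join(fns)}")
```

Run it against a full RootRepeal log by reading the file into parse_rootrepeal instead of SAMPLE_LOG; the records with the same "Size: 121" and one handler address per driver collapse into one finding each, so a long log reduces to a handful of lines an analyst can read.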

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:34 AM

Posted 18 December 2009 - 12:09 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/278932/infected-withsomething/, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks or perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses, as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom