Debugger detected [97]

[Blade81]

Hi,

Reboot and run ComboFix again. Post back its report.

 

[thegraz]

The file is quite large for some reason. I had to zip it

 

[thegraz]

I ran it again and this is more managable.

ComboFix 09-09-17.04 - Jim's Laptop 09/18/2009 10:48.5.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2193 [GMT -5:00]
Running from: c:\users\Jim's Laptop\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 15:58 . 2009-09-18 15:59 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\temp
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-18 15:58 . 2009-09-18 15:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-17 22:08 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-09-17 21:54 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-17 21:54 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-09-17 21:54 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-09-17 21:54 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-09-17 21:54 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-09-17 21:54 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-09-17 21:53 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-09-17 21:46 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-09-17 21:46 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-09-17 21:46 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-17 21:45 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-09-17 21:45 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-09-17 21:44 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-17 21:44 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-17 21:44 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-17 21:44 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-17 21:44 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-17 21:44 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-17 21:44 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-17 21:44 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-17 21:44 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-17 21:44 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-17 21:41 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-17 21:41 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-17 21:41 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-17 21:41 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-17 21:40 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-09-17 21:39 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-09-17 21:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-17 21:39 . 2008-08-28 03:40 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-17 21:39 . 2008-08-28 03:40 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-17 21:39 . 2008-08-28 03:40 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-17 21:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-09-17 21:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-09-17 21:39 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-09-17 21:38 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-09-17 21:38 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-09-17 21:38 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2009-09-17 21:38 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-17 21:38 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2009-09-17 21:38 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2009-09-17 21:38 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-09-17 21:34 . 2009-09-17 21:34 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-17 21:20 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\program files\MSXML 4.0
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-09-17 18:27 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-17 18:25 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-09-17 18:25 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-17 18:24 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-09-17 18:24 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-17 18:24 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-17 18:24 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-09-17 18:24 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2009-09-17 18:24 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-17 18:24 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2009-09-17 18:24 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2009-09-17 18:24 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-09-17 18:24 . 2008-04-10 05:12 738304 ----a-w- c:\windows\system32\inetcomm.dll
2009-09-17 18:24 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-09-17 18:24 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-09-17 18:19 . 2008-09-10 03:40 1334272 ----a-w- c:\windows\system32\msxml6.dll
2009-09-17 16:12 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Apple Computer
2009-09-17 12:51 . 2009-09-18 15:31 -------- d-----w- c:\program files\SDistTest
2009-09-17 12:40 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Adobe
2009-09-16 20:22 . 2009-09-16 20:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 19:36 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-16 19:36 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-16 19:36 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-16 19:36 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-16 19:36 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-16 19:36 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-16 19:36 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-16 19:36 . 2008-10-16 19:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-16 19:36 . 2008-10-16 18:56 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-11 22:38 . 2009-09-11 22:54 -------- d--h--w- c:\windows\PIF
2009-09-11 20:08 . 2009-09-11 20:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 20:08 . 2009-09-11 20:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-11 19:52 . 2009-09-11 19:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Malwarebytes
2009-09-08 22:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 22:09 . 2009-09-17 14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 22:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\program files\Trend Micro
2009-09-08 14:55 . 2009-09-08 15:52 -------- d-----w- C:\Root
2009-09-08 14:55 . 2009-09-08 14:55 -------- d-----w- c:\program files\Activision
2009-09-08 02:10 . 2009-09-08 02:10 -------- d-----w- c:\windows\system32\xlive
2009-09-08 02:10 . 2009-09-08 02:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-08 01:49 . 2009-09-08 01:49 -------- d-----w- c:\program files\Eidos
2009-09-07 13:56 . 2009-09-07 18:25 -------- d-----w- c:\program files\Paradox Interactive
2009-08-20 04:20 . 2009-08-20 04:20 -------- d-----w- c:\programdata\FLEXnet
2009-08-20 04:15 . 2009-08-20 04:15 -------- d-----w- c:\programdata\ALM
2009-08-20 04:10 . 2009-08-20 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 15:31 . 2008-06-25 02:43 65816 ----a-w- c:\programdata\nvModes.dat
2009-09-18 15:28 . 2008-05-27 06:22 836 ----a-w- c:\windows\bthservsdp.dat
2009-09-17 22:32 . 2009-07-21 18:30 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 22:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-17 21:18 . 2008-05-27 06:50 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 21:11 . 2008-06-05 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-17 15:43 . 2008-09-01 21:55 -------- d-----w- c:\programdata\Google Updater
2009-09-16 20:22 . 2008-05-27 06:33 -------- d-----w- c:\program files\Java
2009-09-16 20:18 . 2008-07-29 13:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-16 20:18 . 2008-07-29 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 12:53 . 2008-06-30 22:21 1356 ----a-w- c:\users\Jim's Laptop\AppData\Local\d3d9caps.dat
2009-09-11 17:13 . 2008-11-08 23:55 -------- d-----w- c:\program files\PokerStars
2009-09-08 20:22 . 2008-05-27 06:45 -------- d-----w- c:\program files\McAfee
2009-09-08 15:52 . 2008-05-27 06:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 02:09 . 2009-01-08 19:05 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-01 11:51 . 2008-06-12 11:23 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\FileZilla
2009-08-20 04:21 . 2008-05-30 22:36 101856 ----a-w- c:\users\Jim's Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 04:14 . 2008-06-24 14:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-10 19:02 . 2009-08-10 19:02 -------- d-----w- c:\program files\PHP
2009-08-09 00:11 . 2009-08-09 00:11 733782 ----a-w- C:\lynx_v283.zip
2009-08-08 00:51 . 2009-08-08 00:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-08 00:51 . 2009-08-08 00:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-30 22:11 . 2009-07-30 22:06 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Easy Thumbnails
2009-07-30 22:06 . 2009-07-30 22:06 -------- d-----w- c:\program files\Easy Thumbnails
2009-07-21 21:52 . 2009-09-17 22:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-17 22:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-17 22:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-17 22:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 18:32 . 2009-07-21 18:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-21 18:32 . 2009-07-21 18:30 -------- d-----w- c:\program files\Microsoft Expression
2009-07-20 14:34 . 2009-07-20 14:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-11 19:32 . 2009-09-17 18:27 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-17 18:27 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-17 18:27 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-17 18:27 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-06-24 20:03 . 2009-07-17 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2008-05-27 14:09 . 2008-05-27 13:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot_2009-09-18_15.16.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-27 06:32 . 2009-09-18 15:33 58786 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-18 15:33 89482 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 00:52 . 2009-09-18 15:33 11244 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3084967135-3038832120-1763337499-1000_UserData.bin
+ 2008-05-30 22:32 . 2009-09-18 15:47 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-18 15:30 . 2009-09-18 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-18 15:30 . 2009-09-18 15:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 634976 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-18 15:36 634976 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 113246 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-18 15:36 113246 c:\windows\System32\perfc009.dat
+ 2008-05-30 22:32 . 2009-09-18 15:47 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-30 22:32 . 2009-09-18 15:47 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe" [2008-09-26 468472]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-03-09 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-03-07 316672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2007-02-14 124488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-27 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-5-27 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-27 06:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084967135-3038832120-1763337499-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CE84CBC5-F93C-46B8-9202-233E5F1EED3C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4D9D0324-4459-443D-BE21-15A890182068}"= c:\program files\Dell\MediaDirect\MediaDirect.exeell MediaDirect
"{CED74689-F482-4C18-A913-0DA7C1709CF6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{DE230269-2C38-4DF1-B70E-E4EAB8836085}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{2AE869B9-6C9B-47A1-AF04-0356A118A620}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{BF0DEC8A-0265-4F42-ABA8-61307EC68AB7}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{B11143BF-E808-4D2B-ADFE-4D3900BC2B67}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{967969BB-353C-401B-A774-5C1E94301F55}"= UDP:990:LocalSubnet:LocalSubnet|IF={23F757CE-01BD-490B-9857-37CB844CE054}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{08A36910-F113-4ADC-BC48-1955C8C3086A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94F2EC27-B2B4-4285-A85F-EBC68786409C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4078B395-D7FB-4E61-AE80-4757EC73B23F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8031410-630E-4EDD-B42B-56C7F2D6C2D0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8B4C4D89-834D-4284-B519-691473AC2335}"= UDP:5353:Adobe CSI CS4
"{3ED057A5-A674-417B-8646-FEEDD09EBF6B}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{8AB875E7-7B33-4875-9D50-195C768DECD5}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9B151F95-93AF-4A44-9D0F-C0C7E5B02607}"= UDP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{314B0B85-D9D5-4759-BA60-020532161007}"= TCP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{2C79DE66-0987-4DF9-B167-1BF72BBCE03E}"= UDP:c:\program files\Activision\Prototype\prototypef.exerototype(TM)
"{7E74F5C9-B6D4-443A-9752-B40AFC2263C6}"= TCP:c:\program files\Activision\Prototype\prototypef.exerototype(TM)
"{DA10F685-190F-4A8E-802D-3B8A4C6DEA6E}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
"{99982A2B-1417-4AA4-8FD7-83DD7AB0E6AA}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"= c:\program files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux

R1 mozyFilter;mozyFilter;c:\windows\System32\drivers\mozy.sys [7/17/2009 12:00 PM 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [5/27/2008 1:21 AM 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe [9/29/2008 6:01 PM 255472]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/11/2009 3:08 PM 1153368]
R2 SDisTestService;SpybotSnD Distributed Testing;c:\program files\SDistTest\SDistTestSvc.exe [9/17/2009 7:51 AM 907680]
S3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [3/6/2009 11:28 PM 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe [9/29/2008 6:01 PM 218608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 19:03]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]

2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{3CB618B7-6EFC-4281-9D80-D5CD6BDE8C16}.job
- c:\windows\system32\msfeedssync.exe [2009-09-17 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 10:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-09-18 11:03
ComboFix-quarantined-files.txt 2009-09-18 16:02
ComboFix2.txt 2009-09-18 15:21
ComboFix3.txt 2009-09-16 19:35
ComboFix4.txt 2009-09-16 14:57

Pre-Run: 54,724,177,920 bytes free
Post-Run: 54,130,978,816 bytes free

383 --- E O F --- 2009-09-17 22:34

 

[Blade81]

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
c:\users\Jim's Laptop\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log as an attachment.

 

[thegraz]

Hi and here you go

 

[Blade81]

Hi,

Delete these files:
c:\users\Jim's Laptop\AppData\Local\temp\catchme.dll
c:\users\Jim's Laptop\AppData\Local\temp\Jim's Laptop.bmp

How's the system running?

 

[thegraz]

Hi,
I could not find catchme.dll, but I go the other one.

It seems to be running much better. There are a few files like qhj8nnlk.exe and z4q4sbsr.exe that are on my desktop that I can't delete, stating I need permission. any ideas on that?


ComboFix is still showing cerstore.dll being made somehow.


ComboFix 09-09-18.02 - Jim's Laptop 09/19/2009 6:56.8.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2339 [GMT -5:00]
Running from: c:\users\Jim's Laptop\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\certstore.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-19 12:02 . 2009-09-19 12:02 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\temp
2009-09-19 12:02 . 2009-09-19 12:02 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-19 12:02 . 2009-09-19 12:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-17 22:08 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-09-17 21:54 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-17 21:54 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-09-17 21:54 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-09-17 21:54 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-09-17 21:54 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-09-17 21:54 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-09-17 21:53 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-09-17 21:46 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-09-17 21:46 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-09-17 21:46 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-09-17 21:45 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-09-17 21:45 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-09-17 21:44 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-17 21:44 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-17 21:44 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-17 21:44 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-17 21:44 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-17 21:44 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-17 21:44 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-17 21:44 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-17 21:44 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-17 21:44 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-17 21:41 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-17 21:41 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-17 21:41 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-17 21:41 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-17 21:40 . 2008-08-27 01:05 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-09-17 21:39 . 2008-10-21 05:25 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-09-17 21:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-17 21:39 . 2008-08-28 03:40 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-17 21:39 . 2008-08-28 03:40 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-17 21:39 . 2008-08-28 03:40 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-17 21:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-09-17 21:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-09-17 21:39 . 2008-08-12 03:39 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-09-17 21:38 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-09-17 21:38 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-09-17 21:38 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2009-09-17 21:38 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-17 21:38 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2009-09-17 21:38 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2009-09-17 21:38 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-09-17 21:34 . 2009-09-17 21:34 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-17 21:20 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\program files\MSXML 4.0
2009-09-17 21:09 . 2009-09-17 21:09 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-09-17 18:27 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-09-17 18:25 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-09-17 18:25 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-17 18:24 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-09-17 18:24 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-17 18:24 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-17 18:24 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-09-17 18:24 . 2008-10-21 05:25 1645568 ----a-w- c:\windows\system32\connect.dll
2009-09-17 18:24 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-17 18:24 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2009-09-17 18:24 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2009-09-17 18:24 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-09-17 18:24 . 2008-04-10 05:12 738304 ----a-w- c:\windows\system32\inetcomm.dll
2009-09-17 18:24 . 2008-04-18 05:48 269312 ----a-w- c:\windows\system32\es.dll
2009-09-17 18:24 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-09-17 18:19 . 2008-09-10 03:40 1334272 ----a-w- c:\windows\system32\msxml6.dll
2009-09-17 16:12 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Apple Computer
2009-09-17 12:51 . 2009-09-18 16:36 -------- d-----w- c:\program files\SDistTest
2009-09-17 12:40 . 2009-09-17 16:12 -------- d-----w- c:\users\Jim's Laptop\AppData\Local\Adobe
2009-09-16 20:22 . 2009-09-16 20:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 19:36 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-16 19:36 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-16 19:36 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-16 19:36 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-16 19:36 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-16 19:36 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-16 19:36 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-16 19:36 . 2008-10-16 19:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-16 19:36 . 2008-10-16 18:56 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-11 22:38 . 2009-09-11 22:54 -------- d--h--w- c:\windows\PIF
2009-09-11 20:08 . 2009-09-18 19:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 20:08 . 2009-09-18 19:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-11 19:52 . 2009-09-11 19:57 -------- d-----w- c:\program files\SpywareBlaster
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Malwarebytes
2009-09-08 22:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 22:09 . 2009-09-17 14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 22:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 22:09 . 2009-09-08 22:09 -------- d-----w- c:\program files\Trend Micro
2009-09-08 14:55 . 2009-09-08 15:52 -------- d-----w- C:\Root
2009-09-08 14:55 . 2009-09-08 14:55 -------- d-----w- c:\program files\Activision
2009-09-08 02:10 . 2009-09-08 02:10 -------- d-----w- c:\windows\system32\xlive
2009-09-08 02:10 . 2009-09-08 02:11 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-09-08 01:49 . 2009-09-08 01:49 -------- d-----w- c:\program files\Eidos
2009-09-07 13:56 . 2009-09-07 18:25 -------- d-----w- c:\program files\Paradox Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 11:42 . 2008-06-25 02:43 65816 ----a-w- c:\programdata\nvModes.dat
2009-09-18 23:04 . 2008-05-27 06:22 836 ----a-w- c:\windows\bthservsdp.dat
2009-09-18 16:44 . 2008-09-01 21:55 -------- d-----w- c:\programdata\Google Updater
2009-09-17 22:32 . 2009-07-21 18:30 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 22:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-17 21:18 . 2008-05-27 06:50 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 21:11 . 2008-06-05 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-16 20:22 . 2008-05-27 06:33 -------- d-----w- c:\program files\Java
2009-09-16 20:18 . 2008-07-29 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-16 12:53 . 2008-06-30 22:21 1356 ----a-w- c:\users\Jim's Laptop\AppData\Local\d3d9caps.dat
2009-09-11 17:13 . 2008-11-08 23:55 -------- d-----w- c:\program files\PokerStars
2009-09-08 20:22 . 2008-05-27 06:45 -------- d-----w- c:\program files\McAfee
2009-09-08 15:52 . 2008-05-27 06:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-08 02:09 . 2009-01-08 19:05 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-01 11:51 . 2008-06-12 11:23 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\FileZilla
2009-08-20 04:21 . 2008-05-30 22:36 101856 ----a-w- c:\users\Jim's Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 04:20 . 2009-08-20 04:20 -------- d-----w- c:\programdata\FLEXnet
2009-08-20 04:15 . 2009-08-20 04:15 -------- d-----w- c:\programdata\ALM
2009-08-20 04:14 . 2008-06-24 14:26 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-20 04:10 . 2009-08-20 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 04:06 . 2009-08-20 04:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-10 19:02 . 2009-08-10 19:02 -------- d-----w- c:\program files\PHP
2009-08-09 00:11 . 2009-08-09 00:11 733782 ----a-w- C:\lynx_v283.zip
2009-08-08 00:51 . 2009-08-08 00:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-08 00:51 . 2009-08-08 00:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-30 22:11 . 2009-07-30 22:06 -------- d-----w- c:\users\Jim's Laptop\AppData\Roaming\Easy Thumbnails
2009-07-30 22:06 . 2009-07-30 22:06 -------- d-----w- c:\program files\Easy Thumbnails
2009-07-21 21:52 . 2009-09-17 22:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-17 22:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-17 22:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-17 22:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 18:32 . 2009-07-21 18:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-07-21 18:32 . 2009-07-21 18:30 -------- d-----w- c:\program files\Microsoft Expression
2009-07-20 14:34 . 2009-07-20 14:34 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-07-11 19:32 . 2009-09-17 18:27 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-17 18:27 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-17 18:27 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-17 18:27 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-06-24 20:03 . 2009-07-17 17:00 54776 ----a-w- c:\windows\system32\drivers\mozy.sys
2008-05-27 14:09 . 2008-05-27 13:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot_2009-09-18_15.16.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-27 06:32 . 2009-09-18 23:07 59186 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-18 23:07 89746 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 00:52 . 2009-09-18 23:07 11654 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3084967135-3038832120-1763337499-1000_UserData.bin
- 2008-05-30 22:32 . 2009-09-18 15:16 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-30 22:32 . 2009-09-19 11:54 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-18 23:05 . 2009-09-18 23:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-18 12:10 . 2009-09-18 12:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-18 23:05 . 2009-09-18 23:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-09-18 23:11 634976 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 634976 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-18 23:11 113246 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-09-18 12:17 113246 c:\windows\System32\perfc009.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-30 22:32 . 2009-09-19 11:54 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-18 21:15 . 2009-09-18 21:15 245760 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2008-05-30 22:32 . 2009-09-19 11:54 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 22:32 . 2009-09-18 15:16 2654208 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-06-24 20:03 2835256 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-27 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-09-20 455968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-29 13145448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Preview\TurbineDownloadManagerIcon.exe" [2008-09-26 468472]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-12-08 96800]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-03-09 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-03-07 316672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2007-02-14 124488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-12 101136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-5-27 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-6-24 2876216]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-5-27 679936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-27 06:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3084967135-3038832120-1763337499-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CE84CBC5-F93C-46B8-9202-233E5F1EED3C}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{4D9D0324-4459-443D-BE21-15A890182068}"= c:\program files\Dell\MediaDirect\MediaDirect.exeell MediaDirect
"{CED74689-F482-4C18-A913-0DA7C1709CF6}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{DE230269-2C38-4DF1-B70E-E4EAB8836085}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{2AE869B9-6C9B-47A1-AF04-0356A118A620}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{BF0DEC8A-0265-4F42-ABA8-61307EC68AB7}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{B11143BF-E808-4D2B-ADFE-4D3900BC2B67}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe:TurbineNetworkService
"{967969BB-353C-401B-A774-5C1E94301F55}"= UDP:990:LocalSubnet:LocalSubnet|IF={23F757CE-01BD-490B-9857-37CB844CE054}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{08A36910-F113-4ADC-BC48-1955C8C3086A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{94F2EC27-B2B4-4285-A85F-EBC68786409C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4078B395-D7FB-4E61-AE80-4757EC73B23F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B8031410-630E-4EDD-B42B-56C7F2D6C2D0}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8B4C4D89-834D-4284-B519-691473AC2335}"= UDP:5353:Adobe CSI CS4
"{3ED057A5-A674-417B-8646-FEEDD09EBF6B}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{8AB875E7-7B33-4875-9D50-195C768DECD5}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9B151F95-93AF-4A44-9D0F-C0C7E5B02607}"= UDP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{314B0B85-D9D5-4759-BA60-020532161007}"= TCP:c:\program files\Eidos\Batman Arkham Asylum\Binaries\ShippingPC-BmGame.exe:Batman: Arkham Asylum
"{2C79DE66-0987-4DF9-B167-1BF72BBCE03E}"= UDP:c:\program files\Activision\Prototype\prototypef.exerototype(TM)
"{7E74F5C9-B6D4-443A-9752-B40AFC2263C6}"= TCP:c:\program files\Activision\Prototype\prototypef.exerototype(TM)
"{0A8BBCF9-ACD1-4345-B912-33212D00CFCF}"= UDP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService
"{8BC8272A-F57E-431E-8814-E13CCB0BCCF1}"= TCP:c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe:TurbineMessageService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"= c:\program files\Sprint\Sprint SmartView\SwiApiMux.exe:*:Enabled:SwiApiMux

R1 mozyFilter;mozyFilter;c:\windows\System32\drivers\mozy.sys [7/17/2009 12:00 PM 54776]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [5/27/2008 1:21 AM 73728]
R2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineMessageService.exe [9/29/2008 6:01 PM 255472]
S3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [3/6/2009 11:28 PM 124160]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\Turbine\Turbine Download Manager - Preview\TurbineNetworkService.exe [9/29/2008 6:01 PM 218608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 19:03]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-15 15:53]

2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{3CB618B7-6EFC-4281-9D80-D5CD6BDE8C16}.job
- c:\windows\system32\msfeedssync.exe [2009-09-17 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 07:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-09-19 7:05
ComboFix-quarantined-files.txt 2009-09-19 12:04
ComboFix2.txt 2009-09-18 23:02
ComboFix3.txt 2009-09-18 22:46
ComboFix4.txt 2009-09-18 16:03
ComboFix5.txt 2009-09-19 11:55

Pre-Run: 53,851,344,896 bytes free
Post-Run: 53,489,401,856 bytes free

383 --- E O F --- 2009-09-17 22:34

 

[Blade81]

Hi,

Download this file to your desktop and then drag'n'drop problematic two files to it. You should be able to delete them after that.

Please run a scan with GMER like you did earlier and attach its log to your post.

 

[thegraz]

GMER vanishes before it finishes, so I can't copy to clipboard

 

[Blade81]

Please delete current GMER version and get a fresh one using download exe -button on GMER site. Then try to run scan again. If it still fails see if you're able to run it in safe mode.

 

[thegraz]

Hi,

It won't run there either. Crashed to blue screen memory error

 

[Blade81]

1. Download RootRepeal from the following location and save it to your desktop.
   • Direct Download (Recommended)
     • Primary Mirror
     • Secondary Mirror
     • Secondary Mirror
     • Secondary Mirror
2. Open
   
   on your desktop.
3. Click the
   
   tab.
4. Click the
   
   button.
5. Check all seven boxes:
   
6. Push Ok
7. Check the box for your main system drive (Usually C, and press Ok.
8. Allow RootRepeal to run a scan of your system. This may take some time.
9. Once the scan completes, push the
   
   button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

 

[thegraz]

Not sure if you wanted it posted or attached, but here it is.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 06:54
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8C039000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9BDE8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spbf.sys
Image Path: C:\Windows\System32\Drivers\spbf.sys
Address: 0x80693000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6e0edb60-a3d8-11de-b9a4-a96092ec8b96}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6e0edb79-a3d8-11de-b9a4-a96092ec8b96}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b77d38bd-a546-11de-b8db-e1e113775b5e}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c5caa923-a4a7-11de-9b0f-9425fec545d9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\PIF\PIF
Status: Locked to the Windows API!

Path: C:\$Recycle.Bin\S-1-5-21-3084967135-3038832120-1763337499-1000\$RILV5HK\Globalization
Status: Locked to the Windows API!

Path: C:\Windows\AppPatch\Custom\Custom
Status: Locked to the Windows API!

Path: C:\Windows\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\authman\authman
Status: Locked to the Windows API!

Path: c:\windows\microsoft.net\framework\netfxsbs12.hkf
Status: Allocation size mismatch (API: 36864, Raw: 45056)

Path: C:\Windows\nap\configuration\configuration
Status: Locked to the Windows API!

Path: C:\Windows\registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\Windows\security\templates\templates
Status: Locked to the Windows API!

Path: C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache
Status: Locked to the Windows API!

Path: C:\Windows\SoftwareDistribution\ScanFile\ScanFile
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18069_none_9e540f60f6e2ecf1\$$DeleteMe.emdmgmt.dll.01ca37e4f8567c58.0012
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6001.18000_none_93bde541564b88ae\$$DeleteMe.kernel32.dll.01ca37e4fa57f1a8.001a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsasrv.dll.01ca37e4fa14ce28.0018
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.secur32.dll.01ca37e4fa4294e8.0019
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6001.18000_none_0278b57e8399bfdb\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\$$DeleteMe.wmp.dll.01ca37e4f7c70d98.0010
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\$$DeleteMe.wmploc.DLL.01ca37e4f7eeb9d8.0011
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18000_none_39733ab970ea03f2\$$DeleteMe.win32spl.dll.01ca37e4f8c39608.0013
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_6.0.6001.18000_none_025d66bd2e6eb866\$$DeleteMe.propsys.dll.01c8ed9383de6240.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.18000_none_e6d6dd2bb0cd8ff8\$$DeleteMe.kerberos.dll.01ca37e4fad203a8.001d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18175_none_21cf9ef255771632\$$DeleteMe.schannel.dll.01ca37e4fae08298.001e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-workstationservice_31bf3856ad364e35_6.0.6001.18000_none_cc3a17edd6d1c174\$$DeleteMe.wkssvc.dll.01ca37e4fdfc4188.0021
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.16720_none_7c654fdc62654993\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.20883_none_659d66807c078e86\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.18111_none_7c40349262b75634\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.22230_none_6574a52e7c5ccf47\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac535\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a28\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.16720_none_9e3e9a071d8dacdd\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8776b0ab372ff1d0\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18000_none_9e18955f1de08635\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.16720_none_9b01a5fdd9371aff\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.20883_none_9b4d641ef282ae74\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.18111_none_9cf3b4d9d654a956\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.22230_none_9d66b182ef8367ab\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.16720_none_7081409dee51e2d7\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.20883_none_59b9574207f427ca\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.18111_none_705c2553eea3ef78\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.22230_none_599095f00849688b\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.16720_none_b462fc0cbe880bcb\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.20883_none_9d9b12b0d82a50be\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.18111_none_b43de0c2beda186c\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.22230_none_9d72515ed87f917f\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18111_none_9e197ebd1ddfb97e\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-clr_ilasm_exe_b03f5f7f11d50a3a_6.0.6001.18111_none_03110f538dcda3f4\ILASME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscoree_dll_31bf3856ad364e35_6.0.6001.18000_none_b55ffc255629a804\$$DeleteMe.mscoree.dll.01ca37e4e2c9aba8.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6001.18000_none_1ff6260de878daa7\$$DeleteMe.mscorsvw.exe.01ca37e4ebd901a8.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.16720_none_7b4eba45cecd6936\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.20883_none_6486d0e9e86fae29\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.18111_none_7b299efbcf1f75d7\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.22230_none_645e0f97e8c4eeea\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_a05f40e791345747\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8997578baad69c3a\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_a03a259d918663e8\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_896e9639ab2bdcfb\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscorrc_res_dll_b03f5f7f11d50a3a_6.0.6001.18000_none_f0272add9c4990ad\$$DeleteMe.mscorrc.dll.01ca37e4e9dff0c8.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.16720_none_173a294b153205b9\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.20883_none_00723fef2ed44aac\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18000_none_171424a31584df11\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18111_none_17150e011584125a\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.22230_none_00497e9d2f298b6d\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6000.16720_none_ea5553f167a4fe69\REGSVC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6000.20883_none_d38d6a958147435c\REGSVC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.0.6001.18000_none_ea2f4f4967f7d7c1\REGSVC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_325856a50f01ab0d\_SMSVC~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_329d12c028538d21\_SMSVC~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_33db43850c7307a2\_SMSVC~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_34c832162545dbc8\_SMSVC~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_ini_31bf3856ad364e35_6.0.6000.16708_none_c8df4fb390304286\_SERVI~1.INI
Status: Locked toProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1220 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x860d01f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_CREATE]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_CLOSE]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_READ]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_WRITE]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SET_EA]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_CLEANUP]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: fastfat譵Љ慖浤査謞譅風謙Ġ, IRP_MJ_PNP]
Process: System Address: 0x8b75c1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CREATE]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_CLOSE]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_POWER]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: iaStorV, IRP_MJ_PNP]
Process: System Address: 0x860cd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x860cf1f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_CREATE]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_CLOSE]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_READ]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_WRITE]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_POWER]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: cdrom€
, IRP_MJ_PNP]
Process: System Address: 0x87ca11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_CREATE]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_CLOSE]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_POWER]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: usbuhci牃П牄婸貆熸貒
, IRP_MJ_PNP]
Process: System Address: 0x87ae11f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_CREATE]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_CLOSE]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_POWER]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: affwrtmyЍ䵆汳`뮤載뮤載瀈螀뭸載͜评, IRP_MJ_PNP]
Process: System Address: 0x87c1a1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x8aa431f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x8aa431f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa431f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa431f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System Address: 0x8aa431f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System Address: 0x8aa431f8 Size: 121

Object: Hidden Code [Driver: netbtY
, IRP_MJ_CREATE]
Process: System Address: 0x8a9fe1f8 Size: 121

Object: Hidden Code [Driver: netbtY
, IRP_MJ_CLOSE]
Process: System Address: 0x8a9fe1f8 Size: 121

Object: Hidden Code [Driver: netbtY
, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9fe1f8 Size: 121

Object: Hidden Code [Driver: netbtY
, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9fe1f8 Size: 121

Object: Hidden Code [Driver: netbtY
, IRP_MJ_CLEANUP]
Process: System Address: 0x8a9fe1f8 Size: 121

Object: Hidden Code [Driver: netbtY
, IRP_MJ_PNP]
Process: System Address: 0x8a9fe1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_CREATE]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_CLOSE]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_POWER]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: iScsiPrtП牄婸貆ᑐ載
, IRP_MJ_PNP]
Process: System Address: 0x87cb61f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x853151f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x87b651f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLOSE]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_READ]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_WRITE]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_EA]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CLEANUP]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_POWER]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb, IRP_MJ_PNP]
Process: System Address: 0x87a8f1f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_CREATE]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_CLOSE]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_READ]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_WRITE]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_SHUTDOWN]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_CLEANUP]
Process: System Address: 0xa65181f8 Size: 121

Object: Hidden Code [Driver: cdfsЇ慖⁤ⰛꙆ䶈Ꙇའꙇ孰宁ܠ, IRP_MJ_PNP]
Process: System Address: 0xa65181f8 Size: 121

==EOF==

 

[Blade81]

Nothing that I see there. Please delete that c:\windows\system32\certstore.dat file, disconnect network cable (or wireless connection), reboot (keep system offline) and see if the file appears after boot.

 

[thegraz]

Hi

I disconected from the internet and the file did not reappear

 

[thegraz]

But once I connected to the net it downloaded it within 5 mins.

 

[Blade81]

Hi,

Could you upload the certstore.dat file to my channel here? Kindly include a link to this topic.

 

[thegraz]

Hi,

Submitted

 

[Blade81]

Hi,

I checked the file with some scanners and none of them flagged it. Let's see if the latest MBAM definitions still find it bad.

Reboot system. Then please update MBAM definitions (current version is 2831 at the moment) and then run scan with it again.

 

[thegraz]

Hi,

Here is the log

Malwarebytes' Anti-Malware 1.41
Database version: 2831
Windows 6.0.6001 Service Pack 1

9/20/2009 4:13:41 PM
mbam-log-2009-09-20 (16-13-37).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 304414
Time elapsed: 1 hour(s), 56 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.


I deleted the file again