  #1  
Old September 30th, 2009, 10:32 AM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
Multiple explorer.exe in task manager

Hello,

I need help with my computer. I believe I have some malware or spyware. I've scanned the computer with AVG, Malwarebytes and Spybot in normal mode and in safe mode and still nothing.

What happened was, I was watching a movie on it and then all of a sudden a crap load of folders started opening and wouldn't stop. So I opened the Task Manager and it had like 7 explorer.exe. I ended the processes and ran explorer.exe again. My desktop came back but now it's way slower. Also the ffdshow and Haali Media Splitter codecs keep running but I don't have any media players running.

I've looked everywhere online for a solution and I can't find any. Somebody please help. I've taken the liberty to use HijackThis and here's the report. If someone knows a way to fix this please let me know. Thank you very much!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:39 AM, on 9/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EEA06F7-6E12-408F-8402-01B0015EB72E}: NameServer = 209.18.47.61,209.18.47.62
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9ee2c660b7cfb) (gupdate1c9ee2c660b7cfb) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - - C:\Windows\system32\lxbtcoms.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe

--
End of file - 7368 bytes
  #2  
Old October 1st, 2009, 01:55 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi Will2301 and welcome. There is no evidence of any malware in that log; however, I will look at more comprehensive logs for you. Before you provide them, you need to know that I will not help remove malware from computers that have file sharing software installed (such as Limewire and BitTorrent) so if you want my help, please uninstall any such programs now and reboot.

Go here and download DDS to your Desktop and doubleclick on dds.scr to run it. If your security software includes script blocking features, please disable these before you run this utility. When the scan has finished, two logs will open. Copy and paste both reports in this topic. The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.

Also go here and download RootRepeal (the zipped version) and save it to your Desktop. Doubleclick to extract the compressed file to its own folder and then rightclick on RootRepeal.exe and choose "Run as Administrator". Click on the Report tab and then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: (or the drive your operating system is installed on if not C) and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

Please do not run any programs other than those that I suggest or install any new software while I am helping you.
  #3  
Old October 1st, 2009, 02:19 AM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
d.d.s file 1

Here are the reports from the DDS; this is the first part.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Will at 18:16:31.90 on Wed 09/30/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3582.2433 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\lxbtcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\calc.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Will\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {9EEA06F7-6E12-408F-8402-01B0015EB72E} = 209.18.47.61,209.18.47.62
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: ,avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\will\appdata\roaming\mozilla\firefox\profiles\8m8po0xb.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-1 108552]
R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\system32\drivers\RLVrtAuCbl.sys [2009-9-19 31616]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-3-28 15656]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2007-1-25 91496]

=============== Created Last 30 ================

2009-09-29 17:09 1,688 a------- c:\windows\wininit.ini
2009-09-29 16:48 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-29 16:48 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-29 16:48 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-29 16:39 <DIR> --d----- c:\program files\Trend Micro
2009-09-28 16:51 <DIR> --d----- c:\users\will\appdata\roaming\Yuuguu
2009-09-23 13:13 <DIR> --d----- c:\program files\iPod
2009-09-23 13:13 <DIR> --d----- c:\program files\iTunes
2009-09-19 23:11 <DIR> --d----- c:\users\will\appdata\roaming\Reallusion
2009-09-19 23:10 <DIR> --d----- c:\program files\Snapshot Tool
2009-09-19 23:09 5,632,000 a------- c:\windows\system32\RLVirtualCamera.ocx
2009-09-19 23:09 31,616 a------- c:\windows\system32\drivers\RLVrtAuCbl.sys
2009-09-19 23:08 <DIR> --d----- c:\program files\common files\Reallusion
2009-09-19 23:08 <DIR> --d----- c:\program files\Reallusion
2009-09-17 19:48 97,800 a------- c:\windows\system32\infocardapi.dll
2009-09-17 19:48 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-17 19:48 622,080 a------- c:\windows\system32\icardagt.exe
2009-09-17 19:48 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-09-17 19:48 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-09-17 19:48 11,264 a------- c:\windows\system32\icardres.dll
2009-09-17 19:48 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-09-17 19:48 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-09-17 19:40 96,760 a------- c:\windows\system32\dfshim.dll
2009-09-17 19:40 282,112 a------- c:\windows\system32\mscoree.dll
2009-09-17 19:40 41,984 a------- c:\windows\system32\netfxperf.dll
2009-09-17 19:40 158,720 a------- c:\windows\system32\mscorier.dll
2009-09-17 19:40 83,968 a------- c:\windows\system32\mscories.dll
2009-09-17 19:38 <DIR> --d----- c:\windows\system32\xlive
2009-09-17 19:38 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-17 19:35 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-09-17 19:35 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-09-17 19:35 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-09-17 19:35 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-09-17 19:35 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-09-17 19:35 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-09-17 19:35 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2009-09-17 19:18 <DIR> --d----- c:\program files\Eidos
2009-09-10 23:50 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-09-10 23:50 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-10 23:49 <DIR> --d----- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 23:49 <DIR> --d----- c:\progra~2\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-10 23:35 <DIR> --d----- c:\users\will\appdata\roaming\uTorrent
2009-09-08 16:18 6,561,064 a------- c:\windows\system32\WacomTablet.cpl
2009-09-08 16:18 1,651,768 a------- c:\windows\system32\WacomTablet.znc
2009-09-08 16:17 2,789,672 a------- c:\windows\system32\Wacom_Tablet.exe
2009-09-08 16:17 213,288 a------- c:\windows\system32\Wacom_Tablet.dll
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-09-19 23:09 51,200 a------- c:\windows\inf\infpub.dat
2009-09-19 23:09 86,016 a------- c:\windows\inf\infstrng.dat
2009-09-19 23:09 86,016 a------- c:\windows\inf\infstor.dat
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-19 09:14 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 09:14 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-20 00:51 35,473 a------- c:\windows\scunin.dat
2009-07-20 00:51 94,208 a------- c:\windows\ScUnin.exe
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-01-16 22:08 87,608 a------- c:\users\will\appdata\roaming\inst.exe
2009-01-16 22:08 47,360 a------- c:\users\will\appdata\roaming\pcouffin.sys
2008-01-20 19:41 174 a--sh--- c:\program files\desktop.ini
2008-01-20 19:30 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-04-02 00:29 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-04-02 00:29 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-04-02 00:29 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:17:48.08 ===============
  #4  
Old October 1st, 2009, 02:19 AM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
dds file 2


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 1/16/2009 2:38:04 AM
System Uptime: 9/30/2009 6:08:08 PM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3R
Processor: Intel(R) Core(TM)2 Duo CPU E6850 @ 3.00GHz | Socket 775 | 3000/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 650 GiB total, 74.349 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 4.911 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is CDROM ()
I: is CDROM ()
J: is CDROM ()
K: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_50011458&REV_02\3&13C0B0C5&2&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_50011458&REV_02\3&13C0B0C5&2&FB
Service:

==== System Restore Points ===================


==== Installed Programs ======================

Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 3.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Autodesk DirectConnect 2009
AvatarSD 0.1.5.5
AVG 8.5
Avidemux 2.4
Batman: Arkham Asylum
BCWipe 3.0
Bonjour
CDisplay 1.8
Combined Community Codec Pack 2008-09-21 16:18
ConvertXtoDVD 3.1.3.40
CrazyTalk Cam Suite
Fate/stay night English v3.2
GiPo@MoveOnBoot 1.9.5
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
ImgBurn
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Lexmark 5200 Series
Malwarebytes' Anti-Malware
Maya 2009
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mirror's Edge™
Mozilla Firefox (3.5.3)
NDSROM Player
NVIDIA Drivers
NVIDIA PhysX
PDF Settings
Pen Tablet
PowerISO
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Spybot - Search & Destroy
Starcraft
Startup Manager 2.4.2
The Rosetta Stone
Trapcode 3DStroke
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
Wacom Tablet
Windows Media Player Firefox Plugin
WinRAR archiver
Xvid Converter 1.5
Yahoo! Messenger
Yuuguu

==== End Of File ===========================
  #5  
Old October 1st, 2009, 03:48 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Those logs are fine too. One more log. Download the latest version of Gmer from here to your Desktop. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder.

When you have done this, close all running programs including those in your notification area (bottom righthand corner of your screen) and doubleclick on Gmer.exe to run it. Click on the Rootkit tab and look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Save the file and copy the information and post it here please.

Warning! Please do not select the "Show all" checkbox during the scan.
  #6  
Old October 1st, 2009, 04:17 AM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
part 1 root repeal

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 18:21
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x91257000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x9124C000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_dumpfve.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
Address: 0x9125F000 Size: 69632 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x8B512000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spvg.sys
Image Path: C:\Windows\System32\Drivers\spvg.sys
Address: 0x80698000 Size: 1052672 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
  #7  
October 1st, 2009, 04:17 AM
Will2301
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
part 2 root repeal

Processes
  #8  
October 1st, 2009, 04:18 AM
Will2301
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
part 3 root repeal

-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1336 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x854b01f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x854b01f8 Size: 121

==EOF==
  #9  
Old October 1st, 2009, 04:50 AM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-30 20:49:39
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Will\AppData\Local\Temp\kxldqpod.sys


---- System - GMER 1.0.15 ----

INT 0x52 ? 864B5F00
INT 0x52 ? 864B5F00
INT 0x52 ? 864B5F00
INT 0x52 ? 864B5F00
INT 0x62 ? 864B5F00
INT 0x72 ? 84B1DBF8
INT 0x82 ? 84B1DBF8
INT 0x92 ? 84B1DBF8
INT 0x92 ? 84B1DBF8
INT 0x92 ? 84B1DBF8
INT 0x92 ? 84B1DBF8
INT 0x92 ? 864B5F00
INT 0x92 ? 84B1DBF8
INT 0xA2 ? 864B5F00
INT 0xA2 ? 864B5F00
INT 0xA3 ? 864B5F00

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spvg.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8B3A446F 5 Bytes JMP 864B54E0
.text av97xvhc.SYS 82387000 22 Bytes [26, 82, FD, 81, 10, 81, FD, ...]
.text av97xvhc.SYS 82387017 47 Bytes [00, 32, 47, 7A, 80, 3D, 45, ...]
.text av97xvhc.SYS 82387047 99 Bytes [81, 60, BC, C6, 81, A0, A7, ...]
.text av97xvhc.SYS 823870AB 33 Bytes [81, 00, 00, 00, 00, 00, 00, ...]
.text av97xvhc.SYS 823870CE 73 Bytes [00, 00, 00, 00, 01, C2, 03, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8069A6D6] \SystemRoot\System32\Drivers\spvg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8069A042] \SystemRoot\System32\Drivers\spvg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8069A800] \SystemRoot\System32\Drivers\spvg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8069A0C0] \SystemRoot\System32\Drivers\spvg.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069A13E] \SystemRoot\System32\Drivers\spvg.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A9E9C] \SystemRoot\System32\Drivers\spvg.sys
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortNotification] 000000DC
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortWritePortUchar] 000000A2
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortWritePortUlong] 00000333
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 000003D8
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 0000024D
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortGetScatterGatherList] 00000201
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortReadPortUchar] 000001EF
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortStallExecution] 0000031F
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortGetParentBusType] 000000A1
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortRequestCallback] 0000025C
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 000003BE
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 00000215
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortCompleteRequest] 000000DD
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortMoveMemory] 00000190
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 00000182
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 00000363
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 00000258
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortReadPortUshort] 0000030E
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 0000017E
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortInitialize] 00000254
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortGetDeviceBase] 0000019E
IAT \SystemRoot\System32\Drivers\av97xvhc.SYS[ataport.SYS!AtaPortDeviceStateChange] 000000AB

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\SearchProtocolHost.exe[1920] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] [6E42DB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[1920] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [6E42DB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[1920] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DialogBoxParamW] [6E42DB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 854B01F8
Device \Driver\volmgr \Device\VolMgrControl 854AD1F8
Device \Driver\usbuhci \Device\USBPDO-0 869B11F8
Device \Driver\usbuhci \Device\USBPDO-1 869B11F8
Device \Driver\usbuhci \Device\USBPDO-2 869B11F8
Device \Driver\sptd \Device\2763530386 spvg.sys
Device \Driver\usbehci \Device\USBPDO-3 869B21F8
Device \Driver\PCI_PNP6377 \Device\00000047 spvg.sys
Device \Driver\usbuhci \Device\USBPDO-4 869B11F8

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 869B11F8
Device \Driver\usbuhci \Device\USBPDO-6 869B11F8
Device \Driver\volmgr \Device\HarddiskVolume1 854AD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 869B21F8
Device \Driver\volmgr \Device\HarddiskVolume2 854AD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86BA8500
Device \Driver\cdrom \Device\CdRom1 86BA8500
Device \Driver\atapi \Device\Ide\IdePort0 854AF1F8
Device \Driver\atapi \Device\Ide\IdePort1 854AF1F8
Device \Driver\atapi \Device\Ide\IdePort2 854AF1F8
Device \Driver\atapi \Device\Ide\IdePort3 854AF1F8
Device \Driver\atapi \Device\Ide\IdePort4 854AF1F8
Device \Driver\atapi \Device\Ide\IdePort5 854AF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-5 854AF1F8
Device \Driver\cdrom \Device\CdRom2 86BA8500
Device \Driver\netbt \Device\NetBt_Wins_Export 86F891F8
Device \Driver\Smb \Device\NetbiosSmb 86F851F8
Device \Driver\iScsiPrt \Device\RaidPort0 86B4B1F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 869B11F8
Device \Driver\usbuhci \Device\USBFDO-1 869B11F8
Device \Driver\usbuhci \Device\USBFDO-2 869B11F8
Device \Driver\usbehci \Device\USBFDO-3 869B21F8
Device \Driver\usbuhci \Device\USBFDO-4 869B11F8
Device \Driver\usbuhci \Device\USBFDO-5 869B11F8
Device \Driver\netbt \Device\NetBT_Tcpip_{9EEA06F7-6E12-408F-8402-01B0015EB72E} 86F891F8
Device \Driver\usbuhci \Device\USBFDO-6 869B11F8
Device \Driver\usbehci \Device\USBFDO-7 869B21F8
Device \Driver\av97xvhc \Device\Scsi\av97xvhc1Port7Path0Target0Lun0 86B851F8
Device \Driver\av97xvhc \Device\Scsi\av97xvhc1Port7Path0Target2Lun0 86B851F8
Device \Driver\av97xvhc \Device\Scsi\av97xvhc1 86B851F8
Device \Driver\av97xvhc \Device\Scsi\av97xvhc1Port7Path0Target1Lun0 86B851F8
Device \FileSystem\cdfs \Cdfs 87DF51F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAC 0x6F 0x69 0xFC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD7 0x32 0xC8 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x99 0x26 0xD1 0xEF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCA 0x19 0x6F 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14 919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x4E 0x27 0x5F 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAC 0x6F 0x69 0xFC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD7 0x32 0xC8 0x63 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x99 0x26 0xD1 0xEF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCA 0x19 0x6F 0x3F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x4E 0x27 0x5F 0xD0 ...

---- EOF - GMER 1.0.15 ----
  #10  
Old October 1st, 2009, 06:11 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Those logs are fine. The rootkit-like activity that you can see in both ARKs is generated by Daemon Tools Pro.

As a final check, go here and run the online scanner (disable your antivirus program first). Choose to scan My Computer and when the scan has finished, save the report and post it here please.
  #11  
Old October 1st, 2009, 04:32 PM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 1, 2009
Operating system: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 01, 2009 09:44:44
Records in database: 2937627
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 287744
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:46:02

No threats found. Scanned area is clean.

Selected area has been scanned.
  #12  
Old October 1st, 2009, 08:59 PM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
There is no evidence of infection in any log, Will2301. Have you rebooted since the incident occurred and if so, is it still slow?
  #13  
Old October 2nd, 2009, 07:15 AM
Will2301 Will2301 is offline
New Member
 
Join Date: Sep 2009
O/S: Windows Vista 32-bit
Posts: 9
I have rebooted it. It's lagging compared to how it was a few days ago. I started uninstalling and deleting stuff so maybe that helped but I'm not sure.

Anyways, thank you very much for your help. I'll observe it for a few days and if something happens I'll post it up again. For now, I guess I'll deal with it. I really appreciate the help.
  #14  
Old October 2nd, 2009, 07:27 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
You are welcome.

It's possible that the events you described were the result of software corruption. Try clean booting and run this way for a day (see here, Step 1: Perform a clean boot). Don't troubleshoot it yet and make sure you don't download anything or surf to dodgy sites while you are running in this state because your antivirus will be disabled. Did you notice any difference?