Help Required, computer has been hijacked!

[jewelz]

Application cannot be executed. The file *.* is infected...

I have seen several posts with this problem which I now have, can someone please help me to fix this problem. currently unable to run any apps as I get the message:

`Application cannot be executed. The file nclmstsrex.exe is infected. Do you want to activate your antivirus software now?`

Thanks in advance for for any replies.

Currently running Vista.

[harry 48]

to go below and try to complete post 3 logs

http://www.computerhope.com/forum/index.php/topic,46313.0.html

[jewelz]

So sorry, I didn't see that bit of the thread.

I found a program called: Search Settings.1.2.2, which was on the malware list, I was able to uninstall it using the Add or Remove Programs tool in Control Panel.

I ran through everything else and my machine seems to be fine now, but just in case there is anything else that should do here are my logs:



[recovering disk space - old attachment deleted by admin]

[jewelz]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/28/2010 at 11:58 PM

Application Version : 4.47.1000

Core Rules Database Version : 6003
Trace Rules Database Version: 3815

Scan type       : Complete Scan
Total Scan Time : 01:03:32

Memory items scanned      : 328
Memory threats detected   : 0
Registry items scanned    : 7325
Registry threats detected : 1
File items scanned        : 114636
File threats detected     : 7

Malware.Trace
   HKU\S-1-5-21-1900899137-3597166765-57595471-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie
   C:\Users\Sam\AppData\Roaming\Microsoft\Windows\Cookies\Low\sam@*censored*[2].txt
   .doubleclick.net [ C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\cookies.sqlite ]
   .revsci.net [ C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\cookies.sqlite ]
   .revsci.net [ C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\cookies.sqlite ]
   .revsci.net [ C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\cookies.sqlite ]
   .revsci.net [ C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\cookies.sqlite ]
   .revsci.net [ C:\Users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\cookies.sqlite ]


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5409

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005

29/12/2010 00:22:01
mbam-log-2010-12-29 (00-22-01).txt

Scan type: Quick scan
Objects scanned: 134209
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fxjwmmbr (Trojan.Dropper) -> Value: fxjwmmbr -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Sam\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Sam\AppData\Roaming\jajjdaydo\levjrttlajb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:13:15, on 29/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\O2 Assistant\bin\sprtcmd.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Users\Sam\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=2080614
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mirostart.com/?cfg=2-365-0-1htl1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [O2DA] "C:\Program Files\O2 Assistant\bin\sprtcmd.exe" /P O2DA
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SansaDispatch] C:\Users\Sam\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6120/mcfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\Windows\System32\SUPDSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (O2DA) (sprtsvc_O2DA) - SupportSoft, Inc. - C:\Program Files\O2 Assistant\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (O2DA) (tgsrvc_O2DA) - SupportSoft, Inc. - C:\Program Files\O2 Assistant\bin\tgsrvc.exe

--
End of file - 8678 bytes

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
****************************************
•Start HijackThis
•Click on the Misc Tools button
•Click on the Open Uninstall Manager button.
•Click on the Save list... button and specify where you would like to save this file. When you press Save button a Notepad will open with the contents of that file. Save the file to your desktop.
Copy and paste this file in your next reply.
******************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*************************************************
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

[jewelz]

Hey Dave, thank you for your reply.

Re: Hijack:
Found and deleted four files but couldn't find the following in the list:

R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)

Re: ComboFix:
'Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel'

I was not abe to to click start, as soon as I clicked on the icon the program started up and there was no search displayed, the 
scan just started up automatically, see output below.

--- HijackThis ---

Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
avast! Free Antivirus
Browser Address Error Redirector
CCleaner
Compatibility Pack for the 2007 Office system
Conduit Engine
Dell Getting Started Guide
Dell Support Center
Dell Support Center
Dell Touchpad
EDocs
Free Mp3 Wma Converter V 1.81
Google Desktop
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HyperTerminal Private Edition v7.0
Java(TM) 6 Update 23
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Miro
Mozilla Firefox (3.6.13)
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My O2
Nokia Connectivity Cable Driver
Nokia Ovi Suite
Nokia Ovi Suite
Nokia Ovi Suite Software Updater
OGA Notifier 2.0.0048.0
Online Armor 4.0
Opera 10.00
Ovi Desktop Sync Engine
OviMPlatform
PC Connectivity Solution
PC Connectivity Solution
PowerDVD
QuickSet
QuickTime
Realtek High Definition Audio Driver
Revo Uninstaller 1.90
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Samsung Universal Print Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype™ 4.0
Sonic CinePlayer Decoder Pack
Spybot - Search & Destroy
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Vista Codec Package
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0)
Windows Media Player Firefox Plugin

--- checkup ---

 Results of screen317's Security Check version 0.99.8 
 Windows Vista Service Pack 2 (UAC is enabled)
 Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Disabled! 
 avast! Free Antivirus   
 Online Armor 4.0   
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware   
 CCleaner     
 Java(TM) 6 Update 23 
 Adobe Flash Player 10.1.102.64 
Adobe Reader X
````````````````````````````````
Process Check: 
objlist.exe by Laurent
``````````End of Log````````````


--- ComboFix ---

ComboFix 10-12-30.01 - Sam 30/12/2010  20:51:49.1.2 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.44.1033.18.2038.1056 [GMT 0:00]
Running from: c:\users\Sam\Desktop\commy.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: Online Armor Firewall *Disabled* {5841EF60-F43F-AE8D-642F-D79F12883626}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\PCDr\5744\Downloads\5a6257cc-a15e-41eb-b891-52f7e087b40f.dll
c:\programdata\PCDr\5744\Downloads\c229b02b-4e01-43e4-9587-37961f6873bc.dll
c:\programdata\PCDr\5744\Downloads\d242df42-c817-4c92-8e27-a770772ec980.dll
c:\programdata\PCDr\5744\Downloads\ef253e79-80d5-4656-b429-008ec2e1d22e.dll
c:\programdata\PCDr\5744\Downloads\fbaabbe1-30af-47f6-a8e1-dfd8bbc2f468.dll

----- BITS: Possible infected sites -----

hxxp://sync.mobilebroadband.o2.co.uk:8080
.
(((((((((((((((((((((((((   Files Created from 2010-11-28 to 2010-12-30  )))))))))))))))))))))))))))))))
.

2010-12-30 12:58 . 2010-12-30 14:25   --------   d-----w-   c:\programdata\OnlineArmor
2010-12-30 12:58 . 2010-12-30 12:58   --------   d-----w-   c:\users\Sam\AppData\Roaming\OnlineArmor
2010-12-30 12:57 . 2010-07-07 12:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
2010-12-30 12:57 . 2010-07-07 12:25   29256   ----a-w-   c:\windows\system32\drivers\OAnet.sys
2010-12-30 12:57 . 2010-07-07 12:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
2010-12-30 12:57 . 2010-12-30 12:57   --------   d-----w-   c:\program files\Emsisoft
2010-12-30 11:38 . 2010-12-30 11:38   --------   d-----w-   c:\program files\Common Files\Adobe AIR
2010-12-30 11:37 . 2010-12-30 11:37   --------   d-----w-   c:\programdata\McAfee
2010-12-30 11:33 . 2010-12-30 11:33   --------   d-----w-   c:\programdata\Apple Computer
2010-12-30 10:00 . 2010-09-07 15:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-12-30 10:00 . 2010-09-07 15:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-12-30 09:59 . 2010-09-07 15:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-12-30 09:59 . 2010-09-07 15:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-12-30 09:59 . 2010-09-07 15:47   50768   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2010-12-30 09:59 . 2010-09-07 16:12   38848   ----a-w-   c:\windows\avastSS.scr
2010-12-30 09:59 . 2010-09-07 16:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
2010-12-30 09:59 . 2010-12-30 09:59   --------   d-----w-   c:\programdata\Alwil Software
2010-12-30 09:59 . 2010-12-30 09:59   --------   d-----w-   c:\program files\Alwil Software
2010-12-30 09:36 . 2010-11-10 04:33   6273872   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{8332DDE4-7486-4492-AED0-E7BDDBC86BED}\mpengine.dll
2010-12-29 01:08 . 2010-12-29 01:08   388096   ----a-r-   c:\users\Sam\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-29 01:08 . 2010-12-29 01:08   --------   d-----w-   c:\program files\Trend Micro
2010-12-29 01:02 . 2010-12-29 01:02   --------   d-----w-   c:\program files\Common Files\Java
2010-12-29 01:02 . 2010-12-29 01:01   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-29 01:02 . 2010-12-29 01:01   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2010-12-29 00:17 . 2010-12-29 00:17   --------   d-----w-   c:\users\Sam\AppData\Roaming\Malwarebytes
2010-12-29 00:17 . 2010-12-20 18:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 00:17 . 2010-12-29 00:17   --------   d-----w-   c:\programdata\Malwarebytes
2010-12-29 00:17 . 2010-12-29 00:17   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-12-29 00:17 . 2010-12-20 18:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-12-28 22:45 . 2010-12-28 22:45   --------   d-----w-   c:\users\Sam\AppData\Roaming\SUPERAntiSpyware.com
2010-12-28 22:45 . 2010-12-28 22:45   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2010-12-28 22:45 . 2010-12-28 22:45   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-12-28 19:25 . 2010-12-29 00:22   --------   d-----w-   c:\users\Sam\AppData\Roaming\jajjdaydo
2010-12-23 19:56 . 2010-12-23 19:56   --------   d-----w-   c:\program files\DIFX
2010-12-18 17:50 . 2010-07-30 14:17   75264   ----a-w-   c:\windows\system32\nmwcdcls.dll
2010-12-18 17:46 . 2010-12-23 19:50   --------   d-----w-   c:\program files\Nokia
2010-12-15 03:20 . 2010-11-03 10:51   2409784   ----a-w-   c:\program files\Windows Mail\OESSamFilter.dat
2010-12-12 22:23 . 2010-12-12 22:23   --------   d-----w-   c:\program files\GetMiro Toolbar
2010-12-09 21:23 . 2010-12-28 21:59   --------   d-----w-   c:\users\Sam\AppData\Roaming\Azureus
2010-12-09 21:22 . 2010-12-20 15:38   --------   d-----w-   c:\program files\Conduit

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:38 . 2010-11-29 17:38   94208   ----a-w-   c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38   69632   ----a-w-   c:\windows\system32\QuickTime.qts
2010-10-19 10:41 . 2009-10-02 15:54   222080   ------w-   c:\windows\system32\MpSigStub.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 15:26   3908192   ----a-w-   c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-11 135664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-22 159744]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-22 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 133656]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-02-04 548864]
"O2DA"="c:\program files\O2 Assistant\bin\sprtcmd.exe" [2010-04-23 206120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\OAui.exe" [2010-07-07 6854984]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-06-14 13:06   29744   ----a-w-   c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-11 18:28   135664   ----atw-   c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-04-16 12:36   24264488   ----a-r-   c:\program files\Skype\Phone\Skype.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-22 136176]
R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [2010-07-07 3364680]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-10-26 21744]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2009-03-24 127656]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-17 691696]
S1 aswSP;aswSP;

S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-07-07 236104]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-07-07 22600]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-22 77824]
S2 aswFsBlk;aswFsBlk;

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\OAcat.exe [2010-07-07 1283400]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sprtsvc_O2DA;SupportSoft Sprocket Service (O2DA);c:\program files\O2 Assistant\bin\sprtsvc.exe [2010-04-23 206120]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2008-11-10 5120]
S2 tgsrvc_O2DA;SupportSoft Repair Service (O2DA);c:\program files\O2 Assistant\bin\tgsrvc.exe [2010-04-23 185640]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-02-22 48472]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-02-22 43480]
S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2010-07-07 29256]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 13:47]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-27 13:47]

2010-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1900899137-3597166765-57595471-1000Core.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-11 18:28]

2010-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1900899137-3597166765-57595471-1000UA.job
- c:\users\Sam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-11 18:28]

2010-12-24 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 09:56]

2010-12-30 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 09:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\users\Sam\AppData\Roaming\Mozilla\Firefox\Profiles\hw2p07aw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Speed Dial: {64161300-e22b-11db-8314-0800200c9a66} - %profile%\extensions\{64161300-e22b-11db-8314-0800200c9a66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 20:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-30  21:00:55
ComboFix-quarantined-files.txt  2010-12-30 21:00

Pre-Run: 52,385,853,440 bytes free
Post-Run: 52,326,662,144 bytes free

- - End Of File - - 77CD87D28214D15965FDD627277D3EBD

[SuperDave]

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

[jewelz]

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2011/01/01 00:18
Program Version:      Version 1.3.5.0
Windows Version:      Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x87F07000   Size: 815104   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAD4DF000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: spdn.sys
Image Path: C:\Windows\System32\Drivers\spdn.sys
Address: 0x8068C000   Size: 995328   File Visible: No   Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000   Size: 0   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{da35b901-12a5-11e0-b884-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dff5a5b5-13fa-11e0-b6a0-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dff5a5bb-13fa-11e0-b6a0-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dff5a5c0-13fa-11e0-b6a0-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dff5a5e6-13fa-11e0-b6a0-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f5c115a-1381-11e0-bb63-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f5c115f-1381-11e0-bb63-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7d6208f9-0ff4-11e0-8f58-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7d6208fb-0ff4-11e0-8f58-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418ecb-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418ecf-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418ed3-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d1679b50-12e1-11e0-b0da-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{188e65a8-12bb-11e0-aaf6-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{188e65bf-12bb-11e0-aaf6-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{188e65c0-12bb-11e0-aaf6-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{230954b6-149f-11e0-a8c6-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2874fb5e-125d-11e0-a667-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4676635a-13f7-11e0-8f4d-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8fa15fda-0f7e-11e0-91f6-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb5a5a27-140f-11e0-953b-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb5a5a2f-140f-11e0-953b-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bccee686-110f-11e0-b938-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d1679b3c-12e1-11e0-b0da-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d1679b40-12e1-11e0-b0da-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d1679b44-12e1-11e0-b0da-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d1679b4c-12e1-11e0-b0da-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418ed7-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418edb-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418edf-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418ee3-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84418ee7-0ec7-11e0-abca-001c2359a4d8}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.XSL
Status: Locked to the Windows API!

Path: c:\programdata\alwil software\avast5\log.db
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: C:\Windows\PLA\Reports\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\PLA\Rules\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\PLA\System\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_5d1777c2e857a23b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30411.0_none_7f955bd5da1ee32d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba71c2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_6b86c0e9b0196766.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4973eb1d754a9dc9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30411.0_none_d48b2b1c591268e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.4148_none_80b7c8a91e9dd16a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.4148_none_0e9108e3b72e14d4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_bdf22a22ab9e15d5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9876.0_none_b7e610287b2b4ea5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5ce47260749ddc2c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30411.0_none_d70c8009a3652bd4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_f0bcaee084e72e5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_516e2e610f48bda6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5926f98ceadc42c2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4bf5400abf9d60b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30411.0_none_7816760bdeed6010.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_f47e1bd6f6571810.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4db266e67dd280ef.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30411.0_none_dba7eb55a0823cdf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_f0efb442f8a0f46c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_49ef489714173a89.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b59bae9d65014b98.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_ecff360cfb2594f3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30411.0_none_7bd3eedf68aef97a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9876.0_none_a6e4a7980e9b18a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6001.18096_none_67458179da6478e3\FRAMEW~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.16720_none_c2e2272db9e7b99c\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.20883_none_c32de54ed3334d11\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.18111_none_c4d43609b70547f3\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.22230_none_c54732b2d0340648\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6000.16720_none_f570e12815568682\MACHIN~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6000.20883_none_dea8f7cc2ef8cb75\MACHIN~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.18096_none_ada2ec92b42bf87e\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.16720_none_7081409dee51e2d7\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6000.20883_none_59b9574207f427ca\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.18111_none_705c2553eea3ef78\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_commontypes_schema_b03f5f7f11d50a3a_6.0.6001.22230_none_599095f00849688b\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.16720_none_b462fc0cbe880bcb\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.20883_none_9d9b12b0d82a50be\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.18111_none_b43de0c2beda186c\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.22230_none_9d72515ed87f917f\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_8023fb392e87c40a\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_8023fb392e87c40a\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_8110e9ca475a9830\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_8110e9ca475a9830\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6000.16708_none_7ab8208b3397ed7d\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6000.20864_none_7afcdca64ce9cf91\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6001.18096_none_7c3b0d6b31094a12\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6001.22208_none_7d27fbfc49dc1e38\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_807ba2c12fe38edc\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_80c05edc493570f0\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_81fe8fa12d54eb71\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6001.22208_none_82eb7e324627bf97\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.16708_none_319b7f14a2b4f78c\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6000.20864_none_31e03b2fbc06d9a0\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6001.18096_none_331e6bf4a0265421\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6001.22208_none_340b5a85b8f92847\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globalserifcf_31bf3856ad364e35_6.0.6002.18005_none_356532909d048bea\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6000.16708_none_ac1fffb2b6ba9be9\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6000.20864_none_ac64bbcdd00c7dfd\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_7ea10e5931166775\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_7ea10e5931166775\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_7ee5ca744a684989\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_7ee5ca744a684989\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.22208_none_ae8fdb23ccfecca4\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6001.22208_none_6832700af3374d09\FRAMEW~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6002.18005_none_698c4815d742b0ac\FRAMEW~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6000.16708_none_65c29499dcf31c4e\FRAMEW~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6000.20864_none_660750b4f644fe62\FRAMEW~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6001.18111_none_f54bc5de15a89323\MACHIN~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6001.22230_none_de80367a2f4e0c36\MACHIN~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6002.18005_none_f52661bc15faf3ee\MACHIN~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\System32\migwiz\dlmanifests\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\System32\migwiz\dlmanifests\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\inf\MSDTC Bridge 3.0.0.0\0000\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Processes
-------------------
Path: System
PID: 4   Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1280   Status: Locked to the Windows API!

SSDT
-------------------
#: 018   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da69ed0

#: 021   Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da68590

#: 022   Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da67a80

#: 042   Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da6a700

#: 054   Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da67da0

#: 060   Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da779c0

#: 071   Function Name: NtCreatePort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da678e0

#: 075   Function Name: NtCreateSection
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da63ef0

#: 078   Function Name: NtCreateThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da65f20

#: 116   Function Name: NtDebugActiveProcess
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66b90

#: 129   Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da676f0

#: 165   Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da69490

#: 186   Function Name: NtOpenFile
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da78040

#: 197   Function Name: NtOpenSection
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da64310

#: 201   Function Name: NtOpenThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66420

#: 210   Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da6a350

#: 218   Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da69a70

#: 255   Function Name: NtQueueApcThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da6a8a0

#: 275   Function Name: NtRequestPort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da689a0

#: 276   Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da68f90

#: 280   Function Name: NtRestoreKey
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da77550

#: 282   Function Name: NtResumeThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da67340

#: 286   Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da68190

#: 289   Function Name: NtSetContextThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66970

#: 317   Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66d30

#: 326   Function Name: NtShutdownSystem
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da69370

#: 330   Function Name: NtSuspendProcess
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da67520

#: 331   Function Name: NtSuspendThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da67130

#: 332   Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66f40

#: 334   Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da65c80

#: 335   Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66760

#: 342   Function Name: NtUnloadDriver
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da69780

#: 358   Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da6a520

#: 382   Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\system32\drivers\OADriver.sys" at address 0x8da66180

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System   Address: 0x84e0d1f8   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_CREATE]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_CLOSE]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_READ]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_WRITE]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_QUERY_EA]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_SET_EA]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_SHUTDOWN]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_CLEANUP]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: fastfat郜І卆乲
, IRP_MJ_PNP]
Process: System   Address: 0xad0aa358   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_CREATE]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_CLOSE]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_READ]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_WRITE]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_CLEANUP]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: udfsЉ捓⑳, IRP_MJ_PNP]
Process: System   Address: 0x867291f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System   Address: 0x84e0c1f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_CREATE]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_CLOSE]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_READ]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_WRITE]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_POWER]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: cdrom舐을舐Ѕ晖呉ꁌ豓鈴舯, IRP_MJ_PNP]
Process: System   Address: 0x868681f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System   Address: 0x867ac1f8   Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System   Address: 0x8d19b500   Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System   Address: 0x8d19b500   Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8d19b500   Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8d19b500   Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System   Address: 0x8d19b500   Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System   Address: 0x8d19b500   Size: 121

Object: Hidden Code [Driver: netbt蚋
, IRP_MJ_CREATE]
Process: System   Address: 0x8d1c7500   Size: 121

Object: Hidden Code [Driver: netbt蚋
, IRP_MJ_CLOSE]
Process: System   Address: 0x8d1c7500   Size: 121

Object: Hidden Code [Driver: netbt蚋
, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8d1c7500   Size: 121

Object: Hidden Code [Driver: netbt蚋
, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8d1c7500   Size: 121

Object: Hidden Code [Driver: netbt蚋
, IRP_MJ_CLEANUP]
Process: System   Address: 0x8d1c7500   Size: 121

Object: Hidden Code [Driver: netbt蚋
, IRP_MJ_PNP]
Process: System   Address: 0x8d1c7500   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_CREATE]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_CLOSE]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_POWER]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: iScsiPrtЅ晖呉偤豘鈴舯, IRP_MJ_PNP]
Process: System   Address: 0x868721f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System   Address: 0x84e091f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System   Address: 0x867c31f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_CREATE]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_CREATE_NAMED_PIPE]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_CLOSE]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_READ]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_WRITE]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_QUERY_EA]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SET_EA]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_CLEANUP]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_CREATE_MAILSLOT]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_POWER]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_DEVICE_CHANGE]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x90c821f8   Size: 121

Object: Hidden Code [Driver: mrxsmb蜐阽Ј浗剩䤰괏끈鐒⛠꥟
, IRP_MJ_PNP]
Process: System   Address: 0x90c821f8   Size: 121

==EOF==

[SuperDave]

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The

log will be saved automatically in the same folder Sysprot.exe was
extracted to. Open the text file and copy/paste the log here.
[/list].

[jewelz]

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\spnk.sys
Service Name: ---
Module Base: 8068A000
Module End: 8077D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: 87F14000
Module End: 87FDB000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAllocateVirtualMemory
Address: 8DC8DED0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwAlpcConnectPort
Address: 8DC8C590
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwAlpcCreatePort
Address: 8DC8BA80
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwAssignProcessToJobObject
Address: 8DC8E700
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwConnectPort
Address: 8DC8BDA0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwCreateFile
Address: 8DC9B9C0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwCreatePort
Address: 8DC8B8E0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwCreateSection
Address: 8DC87EF0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwCreateThread
Address: 8DC89F20
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwDebugActiveProcess
Address: 8DC8AB90
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwDuplicateObject
Address: 8DC8B6F0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwLoadDriver
Address: 8DC8D490
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwOpenFile
Address: 8DC9C040
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwOpenSection
Address: 8DC88310
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwOpenThread
Address: 8DC8A420
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwProtectVirtualMemory
Address: 8DC8E350
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwQueryDirectoryFile
Address: 8DC8DA70
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwQueueApcThread
Address: 8DC8E8A0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwRequestPort
Address: 8DC8C9A0
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwRequestWaitReplyPort
Address: 8DC8CF90
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwRestoreKey
Address: 8DC9B550
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwResumeThread
Address: 8DC8B340
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwSecureConnectPort
Address: 8DC8C190
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwSetContextThread
Address: 8DC8A970
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwSetSystemInformation
Address: 8DC8AD30
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwShutdownSystem
Address: 8DC8D370
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwSuspendProcess
Address: 8DC8B520
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwSuspendThread
Address: 8DC8B130
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwSystemDebugControl
Address: 8DC8AF40
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwTerminateProcess
Address: 8DC89C80
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwTerminateThread
Address: 8DC8A760
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwUnloadDriver
Address: 8DC8D780
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwWriteVirtualMemory
Address: 8DC8E520
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

Function Name: ZwCreateThreadEx
Address: 8DC8A180
Driver Base: 8DC6F000
Driver End: 8DCBD000
Driver Name: \??\C:\Windows\system32\drivers\OADriver.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateProcessEx
At Address: 822A790A
Jump To: 8DCF3BB2
Module Name: C:\Windows\System32\Drivers\aswSP.SYS

Hooked Function: ObMakeTemporaryObject
At Address: 821ED28F
Jump To: 8DCEF5D4
Module Name: C:\Windows\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 82246063
Jump To: 8DCF0FFA
Module Name: C:\Windows\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\Users\Sam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Sam\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MPEWUBA6\www.somefile.com\somefile\DesktopModules\BizModules - UltraPhotoGallery\UltraPhotoGaller
Status: Hidden

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Access denied


------------------
Thanks Dave.

[SuperDave]

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[jewelz]

Seems like everything's fine now ....?

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=c79e043b73a36f4b89d9418353296134
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-02 08:35:47
# local_time=2011-01-02 08:35:47 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 364217 364217 0 0
# compatibility_mode=770 16774141 100 100 245933 70651807 0 0
# compatibility_mode=1026 16777214 0 2 56332918 56332918 0 0
# compatibility_mode=5892 16776573 100 100 175136 131478307 0 0
# compatibility_mode=6401 16777213 66 100 189172 15438361 0 0
# compatibility_mode=8192 67108863 100 0 23209 23209 0 0
# scanned=118277
# found=0
# cleaned=0
# scan_time=11812

[SuperDave]

Ok. Let's do some cleanup.

* Click START then RUN - Vista users press the Windows Key and the R keys together for the Run box.
* Now type commy /uninstall in the runbox
* Make sure there's a space between commy and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
*********************************
If the above doesn't work, please use this. Please tell me which method you have to use.

Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

***********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*******************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[jewelz]

Re: ComboFix - I was unable to use the first method to delete the program, I have deleted all the files that I could but the QooBox would not allow me to delete it.

What about the the rest of the programs which I installed along the way, is it wise to keep all programs for future use or can I delete some of them?

All other instructions/advice completed and everything seems to be running smoothly, actually it pretty much seems to be running faster than before the problem occurred, so I'm extremely pleased. 

Dave, you've been absolutely amazing! I fully intend to continue singing the praises of you and this site to anyone that will listen.
Thank you so much for all your help!!

[SuperDave]

Re: ComboFix - I was unable to use the first method to delete the program, I have deleted all the files that I could but the QooBox would not allow me to delete it.

Ok. Do this:

To set a new Restore Point.

Click Start button , click Control Panel, click System and Maintenance, and then clicking System. In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.
Click the Start button , click Control Panel, click System and Maintenance, and then click System.
In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.
********************************************

What about the the rest of the programs which I installed along the way, is it wise to keep all programs for future use or can I delete some of them?

The only ones you should keep are SAS and MBAM. Update them and run them on a regular basis.Anything else can be deleted or uninstalled.

Thank you so much for all your help!!

You're welcome. It was my pleasure.