
Disabled.SecurityCenter, Hijack.Regedit, Hijack.TaskManager


qrius


Hi

Posting on behalf of a family member who has had problems with the registry infections on her own laptop as mentioned in the title; as a result Task Manager is disabled, the Security Center plays up and the internet doesn't appear to work. Windows Update and CCleaner also do not work.

I was kindly advised by "noknojon" to follow the instructions in the pinned topic "I'm infected - What do I do now?", which I have tried with mixed results that will be posted here shortly.

The Avira AntiVir Personal program seemed to pick up a few problems, but even after the full scan the registry infections still remained.

Firstly, the most recent MBAM log:

Malwarebytes' Anti-Malware 1.44

Database version: 3764

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18828

2010-02-20 16:04:58

mbam-log-2010-02-20 (16-04-58).txt

Scan type: Quick Scan

Objects scanned: 106481

Time elapsed: 8 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Next I tried Defogger, but I'm not sure it worked: after clicking OK on the "Finished" popup I was not asked to restart (I decided to restart manually), and the log created seems a bit short, but here it is:

defogger_disable by jpshortstuff (29.01.10.1)

Log created at 16:17 on 20/02/2010 (Krystal)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

I tried DDS next; DDS.txt follows.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Krystal at 16:23:05.20 on 2010-02-20

Internet Explorer: 8.0.6001.18828

============== Running Processes ===============

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avgls\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avgls\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgls\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avgls\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avgls\toolbar\IEToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Krystal] c:\users\krystal\Krystal.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [AVG8_TRAY] c:\progra~1\avg\avgls\avgtray.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

dRunOnce: [spybotDeletingB80] command.com /c del "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\antiviruspro_2010\AntivirusPro_2010.lnk"

dRunOnce: [spybotDeletingD2586] cmd.exe /c del "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\antiviruspro_2010\AntivirusPro_2010.lnk"

dRunOnce: [spybotDeletingB3406] command.com /c del "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\antiviruspro_2010\Uninstall.lnk"

dRunOnce: [spybotDeletingD2621] cmd.exe /c del "c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\start menu\programs\antiviruspro_2010\Uninstall.lnk"

dRunOnce: [spybotDeletingB9790] command.com /c del "c:\program files\antiviruspro_2010\data\daily.cvd"

dRunOnce: [spybotDeletingD7495] cmd.exe /c del "c:\program files\antiviruspro_2010\data\daily.cvd"

dRunOnce: [spybotDeletingB9342] command.com /c del "c:\windows\temp\kbiwkmadaxknpsii.tmp"

dRunOnce: [spybotDeletingD4264] cmd.exe /c del "c:\windows\temp\kbiwkmadaxknpsii.tmp"

dRunOnce: [spybotDeletingB8562] command.com /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingD4803] cmd.exe /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingB6736] command.com /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingD3192] cmd.exe /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingB5928] command.com /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingD5925] cmd.exe /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingB6286] command.com /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingD1472] cmd.exe /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingB2925] command.com /c del "c:\windows\system32\drivers\kbiwkmfhmeriyc.sys"

dRunOnce: [spybotDeletingD55] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmfhmeriyc.sys"

dRunOnce: [spybotDeletingB3366] command.com /c del "c:\windows\system32\drivers\kbiwkmstxvcpbf.sys"

dRunOnce: [spybotDeletingD2721] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmstxvcpbf.sys"

dRunOnce: [spybotDeletingB2958] command.com /c del "c:\windows\system32\drivers\kbiwkmyixuwqbm.sys"

dRunOnce: [spybotDeletingD9515] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmyixuwqbm.sys"

dRunOnce: [spybotDeletingB3835] command.com /c del "c:\windows\temp\kbiwkmhbvuhkspmd.tmp"

dRunOnce: [spybotDeletingD8489] cmd.exe /c del "c:\windows\temp\kbiwkmhbvuhkspmd.tmp"

dRunOnce: [spybotDeletingB5344] command.com /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingD8591] cmd.exe /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingB1292] command.com /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingD4809] cmd.exe /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingB744] command.com /c del "c:\windows\system32\kbiwkmrapdeije.dat"

dRunOnce: [spybotDeletingD2662] cmd.exe /c del "c:\windows\system32\kbiwkmrapdeije.dat"

dRunOnce: [spybotDeletingB2457] command.com /c del "c:\windows\system32\kbiwkmsvecvbwi.dat"

dRunOnce: [spybotDeletingD2481] cmd.exe /c del "c:\windows\system32\kbiwkmsvecvbwi.dat"

dRunOnce: [spybotDeletingB9414] command.com /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingB4646] command.com /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingD7151] cmd.exe /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingB6559] command.com /c del "c:\windows\system32\drivers\kbiwkmfhmeriyc.sys"

dRunOnce: [spybotDeletingD3152] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmfhmeriyc.sys"

dRunOnce: [spybotDeletingB4135] command.com /c del "c:\windows\system32\drivers\kbiwkmrxiwuoyx.sys"

dRunOnce: [spybotDeletingD8804] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmrxiwuoyx.sys"

dRunOnce: [spybotDeletingB3757] command.com /c del "c:\windows\system32\drivers\kbiwkmstxvcpbf.sys"

dRunOnce: [spybotDeletingD9190] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmstxvcpbf.sys"

dRunOnce: [spybotDeletingB3573] command.com /c del "c:\windows\system32\drivers\kbiwkmyixuwqbm.sys"

dRunOnce: [spybotDeletingD5663] cmd.exe /c del "c:\windows\system32\drivers\kbiwkmyixuwqbm.sys"

dRunOnce: [spybotDeletingB8155] command.com /c del "c:\windows\system32\kbiwkmcipirvmn.dat"

dRunOnce: [spybotDeletingD8396] cmd.exe /c del "c:\windows\system32\kbiwkmcipirvmn.dat"

dRunOnce: [spybotDeletingB7239] command.com /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingD5188] cmd.exe /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingB1071] command.com /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingD8507] cmd.exe /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingB9097] command.com /c del "c:\windows\system32\kbiwkmrapdeije.dat"

dRunOnce: [spybotDeletingD382] cmd.exe /c del "c:\windows\system32\kbiwkmrapdeije.dat"

dRunOnce: [spybotDeletingB9665] command.com /c del "c:\windows\system32\kbiwkmsvecvbwi.dat"

dRunOnce: [spybotDeletingD7229] cmd.exe /c del "c:\windows\system32\kbiwkmsvecvbwi.dat"

dRunOnce: [spybotDeletingB5116] command.com /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingD8956] cmd.exe /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingB5142] command.com /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingD6306] cmd.exe /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingB2181] command.com /c del "c:\windows\system32\kbiwkmcipirvmn.dat"

dRunOnce: [spybotDeletingD2872] cmd.exe /c del "c:\windows\system32\kbiwkmcipirvmn.dat"

dRunOnce: [spybotDeletingB3011] command.com /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingD5941] cmd.exe /c del "c:\windows\system32\kbiwkmcnedniqq.dat"

dRunOnce: [spybotDeletingB9449] command.com /c del "c:\windows\system32\kbiwkmhkaypgxg.dat"

dRunOnce: [spybotDeletingD4304] cmd.exe /c del "c:\windows\system32\kbiwkmhkaypgxg.dat"

dRunOnce: [spybotDeletingB5934] command.com /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingD4158] cmd.exe /c del "c:\windows\system32\kbiwkmpmxumxyn.dat"

dRunOnce: [spybotDeletingB502] command.com /c del "c:\windows\system32\kbiwkmrapdeije.dat"

dRunOnce: [spybotDeletingD5481] cmd.exe /c del "c:\windows\system32\kbiwkmrapdeije.dat"

dRunOnce: [spybotDeletingB4604] command.com /c del "c:\windows\system32\kbiwkmsvecvbwi.dat"

dRunOnce: [spybotDeletingD9399] cmd.exe /c del "c:\windows\system32\kbiwkmsvecvbwi.dat"

dRunOnce: [spybotDeletingB4144] command.com /c del "c:\windows\system32\kbiwkmucxeevns.dat"

dRunOnce: [spybotDeletingD996] cmd.exe /c del "c:\windows\system32\kbiwkmucxeevns.dat"

dRunOnce: [spybotDeletingB7343] command.com /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingD4662] cmd.exe /c del "c:\windows\system32\kbiwkmuxkqejxo.dat"

dRunOnce: [spybotDeletingB9843] command.com /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

dRunOnce: [spybotDeletingD491] cmd.exe /c del "c:\windows\system32\kbiwkmvfcnlnqi.dat"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

dPolicies-system: DisableTaskMgr = 1 (0x1)

dPolicies-system: DisableRegistryTools = 1 (0x1)

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.8.05.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgls\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-02-20 03:02:52 0 ----a-w- c:\users\krystal\defogger_reenable

2010-02-20 00:05:02 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-20 00:05:00 0 d-----w- c:\programdata\Avira

2010-02-20 00:04:59 0 d-----w- c:\program files\Avira

2010-02-19 01:51:46 0 ----a-w- C:\e8c8

2010-02-10 07:20:38 0 --sha-r- c:\windows\system32\setting.ini

==================== Find3M ====================

2010-02-15 00:26:11 371224 ----a-w- c:\windows\system32\hkcmd.exe

2010-01-21 23:21:07 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-21 23:21:07 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-21 23:21:07 1152444 ----a-w- c:\windows\UDB.zip

2010-01-21 23:21:06 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-01-21 23:21:05 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-13 22:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-07 03:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 03:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-02 09:14:38 86016 ----a-w- c:\windows\inf\infstor.dat

2009-11-02 09:14:38 51200 ----a-w- c:\windows\inf\infpub.dat

2009-11-02 09:14:38 143360 ----a-w- c:\windows\inf\infstrng.dat

2009-10-02 08:10:51 12120 ----a-w- c:\program files\common files\romir.db

2008-08-27 19:49:06 665600 ----a-w- c:\windows\inf\drvindex.dat

2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini

2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2008-08-27 04:10:33 76 --sh--r- c:\windows\CT4CET.bin

2009-10-20 10:25:19 16384 --sha-w- c:\windows\%appdata%\microsoft\windows\ietldcache\index.dat

2009-05-06 22:29:01 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-10-28 21:03:20 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat

2009-10-28 21:03:20 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat

2009-10-28 21:03:20 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

2009-10-28 21:03:20 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-11-06 20:56:24 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat

2009-10-20 07:52:28 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\internet explorer\domstore\index.dat

2009-11-06 20:55:48 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat

2009-11-06 20:56:24 851968 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\iecompatcache\index.dat

2009-11-06 20:56:24 5996544 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat

2009-10-02 09:55:19 16384 --sha-w- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\iecompatcache\index.dat

2009-10-02 09:55:19 32768 --sha-w- c:\windows\system32\config\systemprofile\desktop\%appdata%\microsoft\windows\privacie\index.dat

2009-10-27 00:19:30 16384 --sha-w- c:\windows\system32\config\systemprofile\documents\%appdata%\microsoft\windows\ietldcache\index.dat

2008-08-27 19:46:04 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:26:56.41 ===============

Attach.txt should be attached as a zip file. However, I had problems running the GMER rootkit scanner, as it kept stopping shortly after running, so no log was created.

Defogger re-enable was carried out, but no log was created.

Any help would be much appreciated!

Thanks

Q

Attach.zip
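The registry values the MBAM and DDS logs above flag are worth auditing after cleanup rather than trusting a single pass: MBAM cleared DisableTaskMgr and DisableRegistryTools under HKCU, yet DDS still reports both as 1 under dPolicies-system, and mPolicies-system shows EnableLUA = 0. The script below is an added example, not part of this post or of any tool named in the thread. The key paths and value names are taken from the logs; the function name Get-PolicyTamperReport is mine, and the default-user hive path assumes that DDS's "d" prefix refers to HKEY_USERS\.DEFAULT.

```powershell
# Added example (not from the thread): audit, and optionally restore, the
# registry values the MBAM and DDS logs flagged. Run from an elevated prompt.
# The HKEY_USERS\.DEFAULT path is my reading of DDS's "dPolicies-system"
# prefix (assumption).

$PolicySubkey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$UserHives    = @('HKCU:', 'Registry::HKEY_USERS\.DEFAULT')

# Bad = the value reported in the logs. Fix = 'Remove' (an absent value means
# "not disabled") or the value to write back.
$TamperChecks = @()
foreach ($hive in $UserHives) {
    $TamperChecks += @{ Path = "$hive\$PolicySubkey"; Name = 'DisableTaskMgr';       Bad = 1; Fix = 'Remove'; Effect = 'Task Manager blocked' }
    $TamperChecks += @{ Path = "$hive\$PolicySubkey"; Name = 'DisableRegistryTools'; Bad = 1; Fix = 'Remove'; Effect = 'regedit blocked' }
}
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $TamperChecks += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = $name; Bad = 1; Fix = 'Remove'; Effect = 'Security Center warning silenced' }
}
$TamperChecks += @{ Path = "HKLM:\$PolicySubkey"; Name = 'EnableLUA'; Bad = 0; Fix = 1; Effect = 'UAC disabled' }

function Get-PolicyTamperReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [array]$Checks = $TamperChecks,
        [switch]$Remediate
    )
    foreach ($c in $Checks) {
        $current = $null
        if (Test-Path -LiteralPath $c.Path) {
            # Missing value -> $item is $null, which we report as "not set".
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($c.Name) }
        }
        $tampered = ($null -ne $current) -and ([int]$current -eq $c.Bad)

        if ($tampered -and $Remediate -and
            $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", 'Restore default')) {
            if ($c.Fix -eq 'Remove') {
                Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name
            } else {
                Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Fix -Type DWord
            }
        }

        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Current  = $current
            Tampered = $tampered
            Effect   = $c.Effect
        }
    }
}

# Report only (no changes):
Get-PolicyTamperReport | Format-Table -AutoSize
# Preview the restore, then apply it:
#   Get-PolicyTamperReport -Remediate -WhatIf
#   Get-PolicyTamperReport -Remediate
```

Re-running the report after a reboot is the useful check: if a value flips back to its Bad state, whatever is still running (the uRun entry "Krystal.exe" and the kbiwkm* driver files in the DDS log are the obvious candidates here) is re-applying it, and the policy values are a symptom rather than the root cause.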


Uninstall Spybot S&D and then do the following.

Please download TDSSKiller.zip and unzip it to your Desktop

Run TDSSKiller and wait until it finishes (it should take just a few seconds, or under a minute). Then find the log on your %systemdrive% (the drive that contains Windows).

The log will be named something like this:

(TDSSKiller.version_date_time_log), for example (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

(screenshots: CF_download_FF.gif, CF_download_rename.gif)

It is important you rename Combofix during the download, but not after.

NOTE: If you are using Firefox, make sure that your download settings are as follows:

  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.


Thanks for the quick response. I deleted Spybot first and then ran the programs as instructed.

TDSSKiller log as follows:

18:08:25:934 2296 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31

18:08:25:934 2296 ================================================================================

18:08:25:934 2296 SystemInfo:

18:08:25:934 2296 OS Version: 6.0.6001 ServicePack: 1.0

18:08:25:934 2296 Product type: Workstation

18:08:25:934 2296 ComputerName: KRYSTAL-PC

18:08:25:934 2296 UserName: Krystal

18:08:25:934 2296 Windows directory: C:\Windows

18:08:25:934 2296 Processor architecture: Intel x86

18:08:25:934 2296 Number of processors: 2

18:08:25:934 2296 Page size: 0x1000

18:08:25:934 2296 Boot type: Normal boot

18:08:25:934 2296 ================================================================================

18:08:25:950 2296 UnloadDriverW: NtUnloadDriver error 2

18:08:25:950 2296 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

18:08:25:950 2296 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000

18:08:48:289 2296 UtilityInit: KLMD drop and load success

18:08:48:289 2296 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)

18:08:48:289 2296 UtilityInit: KLMD open success

18:08:48:289 2296 UtilityInit: Initialize success

18:08:48:289 2296

18:08:48:289 2296 Scanning Services ...

18:08:48:289 2296 CreateRegParser: Registry parser init started

18:08:48:320 2296 CreateRegParser: DisableWow64Redirection error

18:08:48:320 2296 wfopen_ex: Trying to open file C:\Windows\system32\config\system

18:08:48:320 2296 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043

18:08:48:320 2296 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:08:48:320 2296 wfopen_ex: Trying to KLMD file open

18:08:48:320 2296 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system

18:08:48:320 2296 wfopen_ex: File opened ok (Flags 2)

18:08:48:367 2296 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 25E6FC0

18:08:48:367 2296 wfopen_ex: Trying to open file C:\Windows\system32\config\software

18:08:48:367 2296 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043

18:08:48:367 2296 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

18:08:48:367 2296 wfopen_ex: Trying to KLMD file open

18:08:48:367 2296 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software

18:08:48:367 2296 wfopen_ex: File opened ok (Flags 2)

18:08:48:367 2296 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 25E1318

18:08:48:367 2296 CreateRegParser: EnableWow64Redirection error

18:08:48:367 2296 CreateRegParser: RegParser init completed

18:08:49:412 2296 GetAdvancedServicesInfo: Raw services enum returned 470 services

18:08:49:412 2296 fclose_ex: Trying to close file C:\Windows\system32\config\system

18:08:49:412 2296 fclose_ex: Trying to close file C:\Windows\system32\config\software

18:08:49:412 2296

18:08:49:412 2296 Scanning Kernel memory ...

18:08:49:412 2296 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

18:08:49:412 2296 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 87AC2F38

18:08:49:412 2296 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects

18:08:49:412 2296

18:08:49:412 2296 DetectCureTDL3: DEVICE_OBJECT: 86C0B7B8

18:08:49:412 2296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86C0B7B8

18:08:49:412 2296 DetectCureTDL3: DEVICE_OBJECT: 86CA7520

18:08:49:412 2296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86CA7520

18:08:49:412 2296 DetectCureTDL3: DEVICE_OBJECT: 86CC9560

18:08:49:412 2296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86CC9560

18:08:49:412 2296 KLMD_ReadMem: Trying to ReadMemory 0x86CC9560[0x38]

18:08:49:412 2296 DetectCureTDL3: DRIVER_OBJECT: 86C66618

18:08:49:412 2296 KLMD_ReadMem: Trying to ReadMemory 0x86C66618[0xA8]

18:08:49:412 2296 KLMD_ReadMem: Trying to ReadMemory 0x86C54760[0x1E]

18:08:49:428 2296 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_CREATE : ADE9DB40

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_CLOSE : ADE9DBB8

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_READ : ADE9DC30

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_WRITE : ADE9DC30

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_QUERY_EA : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SET_EA : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : ADE9D828

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : ADE924AA

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SHUTDOWN : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_CLEANUP : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SET_SECURITY : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_POWER : ADE9BF9A

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : ADE997A2

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 84477FDF

18:08:49:428 2296 DetectCureTDL3: IRP_MJ_SET_QUOTA : 84477FDF

18:08:49:428 2296 TDL3_FileDetect: Processing driver: USBSTOR

18:08:49:428 2296 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS

18:08:49:428 2296 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS

18:08:49:459 2296 KLMD_ReadMem: Trying to ReadMemory 0xADE94A44[0x400]

18:08:49:459 2296 TDL3_StartIoHookDetect: CheckParameters: 4, ADE98000, 0

18:08:49:459 2296 TDL3_FileDetect: Processing driver: USBSTOR

18:08:49:459 2296 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS

18:08:49:459 2296 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS

18:08:49:475 2296 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

18:08:49:475 2296

18:08:49:475 2296 DetectCureTDL3: DEVICE_OBJECT: 87FE4AC8

18:08:49:475 2296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87FE4AC8

18:08:49:475 2296 DetectCureTDL3: DEVICE_OBJECT: 87AC28A0

18:08:49:475 2296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87AC28A0

18:08:49:475 2296 DetectCureTDL3: DEVICE_OBJECT: 87008030

18:08:49:475 2296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87008030

18:08:49:475 2296 KLMD_ReadMem: Trying to ReadMemory 0x87008030[0x38]

18:08:49:475 2296 DetectCureTDL3: DRIVER_OBJECT: 86FFDC48

18:08:49:475 2296 KLMD_ReadMem: Trying to ReadMemory 0x86FFDC48[0xA8]

18:08:49:475 2296 KLMD_ReadMem: Trying to ReadMemory 0x86FF4388[0x1C]

18:08:49:475 2296 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CREATE : 84A42818

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CLOSE : 84A42818

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_READ : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_WRITE : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_QUERY_EA : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SET_EA : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 84A40132

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 84A3D918

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SHUTDOWN : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CLEANUP : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SET_SECURITY : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_POWER : 84A39AB4

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 84A3907C

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 84477FDF

18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SET_QUOTA : 84477FDF

18:08:49:475 2296 TDL3_FileDetect: Processing driver: iaStor

18:08:49:475 2296 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys

18:08:49:475 2296 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys

18:08:49:506 2296 TDL3_FileDetect: Processing driver: iaStor

18:08:49:506 2296 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys

18:08:49:506 2296 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys

18:08:49:522 2296 TDL3_FileDetect: C:\Windows\system32\drivers\iastor.sys - Verdict: Clean

18:08:49:522 2296

18:08:49:522 2296 Completed

18:08:49:522 2296

18:08:49:522 2296 Results:

18:08:49:522 2296 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

18:08:49:522 2296 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

18:08:49:522 2296 File objects infected / cured / cured on reboot: 0 / 0 / 0

18:08:49:522 2296

18:08:49:522 2296 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000

18:08:49:522 2296 UtilityDeinit: KLMD(ARK) unloaded successfully

And the Combo-Fix Log as requested...

ComboFix 10-02-19.04 - Krystal 2010-02-20 18:15:22.6.2 - x86

Running from: c:\users\Krystal\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger

c:\windows\system32\AutoRun.inf

c:\windows\system32\setting.ini

c:\windows\system32\setup.ini

c:\windows\system32\stacsv.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_STacSV

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))

.

2010-02-20 05:28 . 2010-02-20 05:31 -------- d-----w- c:\users\Krystal\AppData\Local\temp

2010-02-20 05:28 . 2010-02-20 05:28 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-02-20 05:28 . 2010-02-20 05:28 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-02-20 00:05 . 2009-07-28 02:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-20 00:05 . 2009-03-29 20:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-02-20 00:05 . 2010-02-20 00:05 -------- d-----w- c:\programdata\Avira

2010-02-20 00:04 . 2010-02-20 00:04 -------- d-----w- c:\program files\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-20 05:02 . 2009-03-04 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-20 05:01 . 2009-03-04 05:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-02-20 01:12 . 2008-12-16 02:02 -------- d-----w- c:\program files\WordPod

2010-02-20 01:12 . 2009-03-04 03:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-02-20 01:12 . 2009-02-25 07:44 -------- d-----w- c:\program files\Spyware Doctor

2010-02-20 01:12 . 2009-06-07 08:44 -------- d-----w- c:\program files\QuickTime

2010-02-20 01:12 . 2009-03-26 02:17 -------- d-----w- c:\program files\PC Connectivity Solution

2010-02-20 01:12 . 2009-04-01 21:40 -------- d-----w- c:\program files\Norton Security Scan

2010-02-20 01:12 . 2008-09-16 05:26 -------- d-----w- c:\program files\NetLogin

2010-02-20 01:12 . 2008-08-27 04:23 -------- d-----w- c:\program files\Microsoft Works

2010-02-20 01:12 . 2008-10-05 23:09 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-20 01:11 . 2009-08-07 23:07 -------- d-----w- c:\program files\iTunes

2010-02-20 01:11 . 2008-11-22 03:25 -------- d-----w- c:\program files\Handbrake

2010-02-20 01:11 . 2008-12-31 10:05 -------- d-----w- c:\program files\FrostWire

2010-02-20 01:11 . 2008-10-25 20:34 -------- d-----w- c:\program files\DivX

2010-02-20 01:11 . 2008-08-27 19:49 -------- d-----w- c:\program files\DellTPad

2010-02-20 01:11 . 2009-02-21 23:23 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2010-02-20 01:11 . 2009-03-03 10:19 -------- d-----w- c:\program files\CCleaner

2010-02-20 01:11 . 2009-05-13 10:12 -------- d-----w- c:\program files\AutoUnpack

2010-02-19 22:17 . 2010-02-19 22:17 52224 ----a-w- c:\users\Krystal\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-02-19 22:17 . 2009-04-17 23:52 117760 ----a-w- c:\users\Krystal\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-02-19 04:57 . 2009-03-04 05:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-19 04:54 . 2010-02-19 04:54 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-15 00:26 . 2008-08-27 19:49 371224 ----a-w- c:\windows\system32\hkcmd.exe

2010-02-12 01:39 . 2008-10-06 03:04 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-11 22:10 . 2008-12-31 10:06 -------- d-----w- c:\users\Krystal\AppData\Roaming\FrostWire

2010-02-06 04:55 . 2009-10-20 05:20 -------- d-----w- c:\programdata\AVG Security Toolbar

2010-01-21 23:21 . 2009-10-20 05:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-21 23:21 . 2009-10-20 05:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-21 23:21 . 2009-10-20 05:56 1152444 ----a-w- c:\windows\UDB.zip

2010-01-21 23:21 . 2009-10-20 05:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-01-21 23:21 . 2009-10-20 05:56 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-21 01:00 . 2009-04-27 12:12 -------- d-----w- c:\program files\Counter-Strike 1.6

2010-01-21 00:25 . 2009-05-07 07:43 -------- d-----w- c:\program files\Common Files\AVSMedia

2010-01-21 00:25 . 2009-05-07 07:43 -------- d-----w- c:\program files\AVS4YOU

2010-01-20 05:05 . 2009-04-18 06:11 -------- d-----w- c:\programdata\Google Updater

2010-01-19 20:57 . 2010-01-01 23:25 -------- d-----w- c:\users\Krystal\AppData\Roaming\support

2010-01-13 22:12 . 2009-10-07 02:10 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-12 20:47 . 2010-01-12 20:47 -------- d-----w- c:\program files\DVDVideoSoft

2010-01-07 03:07 . 2009-03-04 05:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 03:07 . 2009-03-04 05:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-07 03:00 . 2008-10-19 07:03 -------- d-----w- c:\program files\Windows Live

2009-11-25 00:02 . 2010-02-06 04:55 1234176 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll

2009-10-02 08:10 . 2009-10-02 08:10 12120 ----a-w- c:\program files\Common Files\romir.db

2008-08-27 04:10 . 2008-08-27 04:10 76 --sh--r- c:\windows\CT4CET.bin

2008-08-27 19:46 . 2008-08-27 19:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-11-25 1234176]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 00:02 1234176 ----a-w- c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-11-25 1234176]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-11-25 1234176]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-15 371224]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2010-02-19 174872]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-01 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-02-19 3883856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SpybotDeletingD2586"="del" [X]

"SpybotDeletingD2621"="del" [X]

"SpybotDeletingD7495"="del" [X]

"SpybotDeletingD4264"="del" [X]

"SpybotDeletingD4803"="del" [X]

"SpybotDeletingD3192"="del" [X]

"SpybotDeletingD5925"="del" [X]

"SpybotDeletingD1472"="del" [X]

"SpybotDeletingD55"="del" [X]

"SpybotDeletingD2721"="del" [X]

"SpybotDeletingD9515"="del" [X]

"SpybotDeletingD8489"="del" [X]

"SpybotDeletingD8591"="del" [X]

"SpybotDeletingD4809"="del" [X]

"SpybotDeletingD2662"="del" [X]

"SpybotDeletingD2481"="del" [X]

"SpybotDeletingD7151"="del" [X]

"SpybotDeletingD3152"="del" [X]

"SpybotDeletingD8804"="del" [X]

"SpybotDeletingD9190"="del" [X]

"SpybotDeletingD5663"="del" [X]

"SpybotDeletingD8396"="del" [X]

"SpybotDeletingD5188"="del" [X]

"SpybotDeletingD8507"="del" [X]

"SpybotDeletingD382"="del" [X]

"SpybotDeletingD7229"="del" [X]

"SpybotDeletingD8956"="del" [X]

"SpybotDeletingD6306"="del" [X]

"SpybotDeletingD2872"="del" [X]

"SpybotDeletingD5941"="del" [X]

"SpybotDeletingD4304"="del" [X]

"SpybotDeletingD4158"="del" [X]

"SpybotDeletingD5481"="del" [X]

"SpybotDeletingD9399"="del" [X]

"SpybotDeletingD996"="del" [X]

"SpybotDeletingD4662"="del" [X]

"SpybotDeletingD491"="del" [X]

"SpybotDeletingB80"="command.com" [2006-11-02 50648]

"SpybotDeletingB3406"="command.com" [2006-11-02 50648]

"SpybotDeletingB9790"="command.com" [2006-11-02 50648]

"SpybotDeletingB9342"="command.com" [2006-11-02 50648]

"SpybotDeletingB8562"="command.com" [2006-11-02 50648]

"SpybotDeletingB6736"="command.com" [2006-11-02 50648]

"SpybotDeletingB5928"="command.com" [2006-11-02 50648]

"SpybotDeletingB6286"="command.com" [2006-11-02 50648]

"SpybotDeletingB2925"="command.com" [2006-11-02 50648]

"SpybotDeletingB3366"="command.com" [2006-11-02 50648]

"SpybotDeletingB2958"="command.com" [2006-11-02 50648]

"SpybotDeletingB3835"="command.com" [2006-11-02 50648]

"SpybotDeletingB5344"="command.com" [2006-11-02 50648]

"SpybotDeletingB1292"="command.com" [2006-11-02 50648]

"SpybotDeletingB744"="command.com" [2006-11-02 50648]

"SpybotDeletingB2457"="command.com" [2006-11-02 50648]

"SpybotDeletingB9414"="command.com" [2006-11-02 50648]

"SpybotDeletingB4646"="command.com" [2006-11-02 50648]

"SpybotDeletingB6559"="command.com" [2006-11-02 50648]

"SpybotDeletingB4135"="command.com" [2006-11-02 50648]

"SpybotDeletingB3757"="command.com" [2006-11-02 50648]

"SpybotDeletingB3573"="command.com" [2006-11-02 50648]

"SpybotDeletingB8155"="command.com" [2006-11-02 50648]

"SpybotDeletingB7239"="command.com" [2006-11-02 50648]

"SpybotDeletingB1071"="command.com" [2006-11-02 50648]

"SpybotDeletingB9097"="command.com" [2006-11-02 50648]

"SpybotDeletingB9665"="command.com" [2006-11-02 50648]

"SpybotDeletingB5116"="command.com" [2006-11-02 50648]

"SpybotDeletingB5142"="command.com" [2006-11-02 50648]

"SpybotDeletingB2181"="command.com" [2006-11-02 50648]

"SpybotDeletingB3011"="command.com" [2006-11-02 50648]

"SpybotDeletingB9449"="command.com" [2006-11-02 50648]

"SpybotDeletingB5934"="command.com" [2006-11-02 50648]

"SpybotDeletingB502"="command.com" [2006-11-02 50648]

"SpybotDeletingB4604"="command.com" [2006-11-02 50648]

"SpybotDeletingB4144"="command.com" [2006-11-02 50648]

"SpybotDeletingB7343"="command.com" [2006-11-02 50648]

"SpybotDeletingB9843"="command.com" [2006-11-02 50648]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-27 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-11-04 10:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2010-01-19 06:06 120320 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2008-08-27 04:16 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-02-19 23:47 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

2008-03-04 05:05 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

R1 dqbisrtk;dqbisrtk;c:\windows\system32\drivers\dqbisrtk.sys [x]

R2 AeLookupSvcAESTFilters;Application Experience AeLookupSvcAESTFilters;c:\windows\TEMP\ujnfimmnch.exe service [x]

R2 gupdate1c9bfecbe49b96a;Google Update Service (gupdate1c9bfecbe49b96a);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 NetLogin Helper;NetLogin Helper;c:\program files\NetLogin\NetLoginService.exe [x]

R2 umlahatszli;umlahatszli;c:\windows\system32\drivers\yvvzueygg.sys [x]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-19 12872]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [x]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]

S1 AvgLdx86;AVG LinkScanner

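The TDSSKiller lines above walk the storage stack down to \Driver\iaStor and dump its IRP_MJ_* dispatch table, which is how TDL3 is looked for: the rootkit replaces the storage miniport's dispatch entries with pointers into memory it allocated itself, so a handler that points neither into the owning driver's image nor into the kernel is the tell. The Python below is an added example, not part of the original thread and not TDSSKiller's code; it applies that check to log lines of the shape shown above. The image ranges for iaStor and the kernel are assumptions made for the example (in practice they come from the loaded-module list the tool prints), the sample log is a subset of the lines above, and the "hooked" variant with two handlers redirected to 0x86F10200 is constructed.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the TDSSKiller log in this thread.
CLEAN_LOG = """\
18:08:49:475 2296 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\iaStor, Driver Name: iaStor
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CREATE : 84A42818
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 84477FDF
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_CLOSE : 84A42818
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_READ : 84477FDF
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_WRITE : 84477FDF
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 84A40132
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 84A3D918
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SHUTDOWN : 84477FDF
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_POWER : 84A39AB4
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 84A3907C
18:08:49:475 2296 DetectCureTDL3: IRP_MJ_SET_QUOTA : 84477FDF
"""
# Constructed "hooked" variant: the two storage-relevant handlers now point
# into memory outside every known module, the TDL3 pattern.
HOOKED_LOG = CLEAN_LOG.replace("84A40132", "86F10200").replace("84A3D918", "86F10200")

# ASSUMED image ranges (start, end) for the example. These are NOT in the log;
# take them from the loaded-module list on a real system.
MODULES = {
    "iaStor": (0x84A00000, 0x84AC7000),
    "ntoskrnl": (0x84000000, 0x84480000),
}

ENTRY_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")


def parse_dispatch(log_text):
    """Return {major_function: handler_address} in log order."""
    return {name: int(addr, 16) for name, addr in ENTRY_RE.findall(log_text)}


def module_for(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def default_stub(dispatch):
    """Most common handler address: the kernel's 'invalid device request'
    stub that fills every major function the driver does not implement."""
    return Counter(dispatch.values()).most_common(1)[0][0]


def find_hooks(dispatch, modules=MODULES, owner="iaStor", kernel="ntoskrnl"):
    """Handlers that point neither into the owning driver nor into the kernel.
    A TDL3-style hook lives in rootkit-allocated memory, so it lands here."""
    hooks = []
    for name, addr in dispatch.items():
        mod = module_for(addr, modules)
        if mod not in (owner, kernel):
            hooks.append((name, addr, mod))
    return hooks


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_LOG), ("hooked", HOOKED_LOG)):
        d = parse_dispatch(text)
        print(f"{label}: stub={default_stub(d):08X} hooks={find_hooks(d)}")
```

This is a necessary check, not a sufficient one: a handler that lies inside the driver image can still have been patched inline, which is why TDSSKiller also opens the driver file itself (the TDL3_FileDetect lines above) and why a clean verdict from one tool is followed up with others in the rest of this thread.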

1. Please open Notepad

  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
dqbisrtk
umlahatszli
NetLogin Helper
SVKP

Collect::
c:\windows\system32\drivers\yvvzueygg.sys
c:\windows\system32\drivers\dqbisrtk.sys
c:\windows\system32\SVKP.sys

Folder::
c:\program files\NetLogin

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD2586"=-
"SpybotDeletingD2621"=-
"SpybotDeletingD7495"=-
"SpybotDeletingD4264"=-
"SpybotDeletingD4803"=-
"SpybotDeletingD3192"=-
"SpybotDeletingD5925"=-
"SpybotDeletingD1472"=-
"SpybotDeletingD55"=-
"SpybotDeletingD2721"=-
"SpybotDeletingD9515"=-
"SpybotDeletingD8489"=-
"SpybotDeletingD8591"=-
"SpybotDeletingD4809"=-
"SpybotDeletingD2662"=-
"SpybotDeletingD2481"=-
"SpybotDeletingD7151"=-
"SpybotDeletingD3152"=-
"SpybotDeletingD8804"=-
"SpybotDeletingD9190"=-
"SpybotDeletingD5663"=-
"SpybotDeletingD8396"=-
"SpybotDeletingD5188"=-
"SpybotDeletingD8507"=-
"SpybotDeletingD382"=-
"SpybotDeletingD7229"=-
"SpybotDeletingD8956"=-
"SpybotDeletingD6306"=-
"SpybotDeletingD2872"=-
"SpybotDeletingD5941"=-
"SpybotDeletingD4304"=-
"SpybotDeletingD4158"=-
"SpybotDeletingD5481"=-
"SpybotDeletingD9399"=-
"SpybotDeletingD996"=-
"SpybotDeletingD4662"=-
"SpybotDeletingD491"=-
"SpybotDeletingB80"=-
"SpybotDeletingB3406"=-
"SpybotDeletingB9790"=-
"SpybotDeletingB9342"=-
"SpybotDeletingB8562"=-
"SpybotDeletingB6736"=-
"SpybotDeletingB5928"=-
"SpybotDeletingB6286"=-
"SpybotDeletingB2925"=-
"SpybotDeletingB3366"=-
"SpybotDeletingB2958"=-
"SpybotDeletingB3835"=-
"SpybotDeletingB5344"=-
"SpybotDeletingB1292"=-
"SpybotDeletingB744"=-
"SpybotDeletingB2457"=-
"SpybotDeletingB9414"=-
"SpybotDeletingB4646"=-
"SpybotDeletingB6559"=-
"SpybotDeletingB4135"=-
"SpybotDeletingB3757"=-
"SpybotDeletingB3573"=-
"SpybotDeletingB8155"=-
"SpybotDeletingB7239"=-
"SpybotDeletingB1071"=-
"SpybotDeletingB9097"=-
"SpybotDeletingB9665"=-
"SpybotDeletingB5116"=-
"SpybotDeletingB5142"=-
"SpybotDeletingB2181"=-
"SpybotDeletingB3011"=-
"SpybotDeletingB9449"=-
"SpybotDeletingB5934"=-
"SpybotDeletingB502"=-
"SpybotDeletingB4604"=-
"SpybotDeletingB4144"=-
"SpybotDeletingB7343"=-
"SpybotDeletingB9843"=-

FixCSet::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

(animation: CFScript.gif)

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note::

If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

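The ComboFix "Reg Loading Points" section in the log above and the Registry:: stanza in the CFScript are the two ends of one job: find the values behind the Disabled.SecurityCenter, Hijack.Regedit and Hijack.TaskManager detections, and clear out leftovers such as the RunOnce "SpybotDeleting" entries. The Python below is an added example (not from this thread, ComboFix or Malwarebytes) that audits a dump in that format and emits the `"name"=-` deletion lines in the REGEDIT4-style syntax ComboFix accepts. The sample is constructed from lines in this thread; DisableRegistryTools and DisableTaskMgr are added to it as an assumption so the policy check has something to hit. The `[x]` marker is treated as a review cue only, because Google Update carries the same marker in this log and is legitimate.

```python
import re

# Constructed sample in the format of ComboFix's "Reg Loading Points" section.
# Values are those shown in this thread's logs; DisableRegistryTools and
# DisableTaskMgr are added here (assumption) so the policy check has a hit.
SAMPLE = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD2586"="del" [X]
"SpybotDeletingB80"="command.com" [2006-11-02 50648]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R2 AeLookupSvcAESTFilters;Application Experience AeLookupSvcAESTFilters;c:\windows\TEMP\ujnfimmnch.exe service [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<image>.*)$")

# Security Center values that, when set to 1, silence the AV/firewall/updates/UAC
# warnings (what MBAM reports as Disabled.SecurityCenter).
SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                         "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"}
# Policy values: name -> (value that indicates tampering, label)
POLICY_FLAGS = {"DisableRegistryTools": (1, "Hijack.Regedit"),
                "DisableTaskMgr": (1, "Hijack.TaskManager"),
                "EnableLUA": (0, "UAC disabled")}
STALE_RUNONCE_DATA = {"del", "command.com"}   # Spybot leftovers seen in this thread


def parse_data(data):
    """Normalise ComboFix value syntax: dword:XXXXXXXX, 'N (0xN)', or a quoted string."""
    data = data.strip()
    m = re.match(r"dword:([0-9A-Fa-f]{8})", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9A-Fa-f]+\)", data)
    if m:
        return int(m.group(1))
    m = re.match(r'"([^"]*)"', data)
    return m.group(1) if m else data


def audit(text):
    """Return (findings, stale): findings are (label, key_or_service, name);
    stale are (key, value_name) RunOnce entries worth deleting."""
    findings, stale, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image")
            # [x] means ComboFix could not find the file; that is true of Google
            # Update in this thread too, so it is a review cue. An image under
            # TEMP is flagged outright: no legitimate service lives there.
            if "\\temp\\" in image.lower() or image.endswith("[x]"):
                findings.append(("Service to review", m.group("name"), image))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data, lk = m.group("name"), parse_data(m.group("data")), key.lower()
        if "security center" in lk and name in SECURITY_CENTER_FLAGS and data == 1:
            findings.append(("Disabled.SecurityCenter", key, name))
        elif lk.endswith("policies\\system") and name in POLICY_FLAGS and data == POLICY_FLAGS[name][0]:
            findings.append((POLICY_FLAGS[name][1], key, name))
        elif lk.endswith("\\runonce") and data in STALE_RUNONCE_DATA:
            stale.append((key, name))
    return findings, stale


def cfscript_registry_stanza(stale):
    """Emit a ComboFix Registry:: stanza; "name"=- is REGEDIT4 syntax for 'delete this value'."""
    lines = ["Registry::"]
    for key in dict.fromkeys(k for k, _ in stale):
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' for k, n in stale if k == key]
    return "\n".join(lines)


if __name__ == "__main__":
    findings, stale = audit(SAMPLE)
    for f in findings:
        print("FLAG", *f)
    print(cfscript_registry_stanza(stale))
```

The Security Center flags are worth re-checking after every reboot during a cleanup: a value that comes back to 1 after MBAM has reset it to 0, as happened between the first MBAM log and the ComboFix log in this thread, means something still running is re-setting it, and that is the thing to find before declaring the machine clean.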

OK, apologies for the delay... I had some problems running Combo-Fix in normal boot-up mode. It seemed to do nothing for hours after starting, so I decided to run it in Safe Mode.

ComboFix managed to upload successfully, and the log is below, plus the HijackThis log.

ComboFix 10-02-20.03 - SYSTEM 2010-02-21 11:49:30.7.2 - x86 NETWORK

Running from: c:\windows\system32\config\systemprofile\Desktop\Combo-Fix.exe

Command switches used :: c:\windows\system32\config\systemprofile\Desktop\CFScript.txt

file zipped: c:\windows\system32\SVKP.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\NetLogin

c:\program files\NetLogin\netlogin.dll

c:\windows\system32\SVKP.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SVKP

-------\Legacy_UMLAHATSZLI

-------\Service_dqbisrtk

-------\Service_NetLogin Helper

-------\Service_SVKP

-------\Service_umlahatszli

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))

.

2010-02-20 22:58 . 2010-02-20 23:01 -------- d-----w- c:\users\Krystal\AppData\Local\temp

2010-02-20 22:58 . 2010-02-20 22:58 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-02-20 22:58 . 2010-02-20 22:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-02-20 22:48 . 2010-02-20 22:48 -------- d-----w- C:\%APPDATA%

2010-02-20 22:48 . 2010-02-20 22:48 -------- d-----w- C:\32788R22FWJFW

2010-02-20 06:39 . 2010-02-20 06:39 -------- d-----w- c:\program files\Trend Micro

2010-02-20 00:05 . 2010-02-20 06:09 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-20 00:05 . 2009-03-29 20:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-02-20 00:05 . 2010-02-20 00:05 -------- d-----w- c:\programdata\Avira

2010-02-20 00:04 . 2010-02-20 00:04 -------- d-----w- c:\program files\Avira

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-20 05:02 . 2009-03-04 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-20 05:01 . 2009-03-04 05:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-02-20 01:12 . 2008-12-16 02:02 -------- d-----w- c:\program files\WordPod

2010-02-20 01:12 . 2009-03-04 03:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-02-20 01:12 . 2009-02-25 07:44 -------- d-----w- c:\program files\Spyware Doctor

2010-02-20 01:12 . 2009-06-07 08:44 -------- d-----w- c:\program files\QuickTime

2010-02-20 01:12 . 2009-03-26 02:17 -------- d-----w- c:\program files\PC Connectivity Solution

2010-02-20 01:12 . 2009-04-01 21:40 -------- d-----w- c:\program files\Norton Security Scan

2010-02-20 01:12 . 2008-08-27 04:23 -------- d-----w- c:\program files\Microsoft Works

2010-02-20 01:12 . 2008-10-05 23:09 -------- d-----w- c:\program files\Microsoft Silverlight

2010-02-20 01:11 . 2009-08-07 23:07 -------- d-----w- c:\program files\iTunes

2010-02-20 01:11 . 2008-11-22 03:25 -------- d-----w- c:\program files\Handbrake

2010-02-20 01:11 . 2008-12-31 10:05 -------- d-----w- c:\program files\FrostWire

2010-02-20 01:11 . 2008-10-25 20:34 -------- d-----w- c:\program files\DivX

2010-02-20 01:11 . 2008-08-27 19:49 -------- d-----w- c:\program files\DellTPad

2010-02-20 01:11 . 2009-02-21 23:23 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2010-02-20 01:11 . 2009-03-03 10:19 -------- d-----w- c:\program files\CCleaner

2010-02-20 01:11 . 2009-05-13 10:12 -------- d-----w- c:\program files\AutoUnpack

2010-02-19 22:17 . 2010-02-19 22:17 52224 ----a-w- c:\users\Krystal\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-02-19 22:17 . 2009-04-17 23:52 117760 ----a-w- c:\users\Krystal\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-02-19 04:57 . 2009-03-04 05:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-19 04:54 . 2010-02-19 04:54 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-02-15 00:26 . 2008-08-27 19:49 371224 ----a-w- c:\windows\system32\hkcmd.exe

2010-02-12 01:39 . 2008-10-06 03:04 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-11 22:10 . 2008-12-31 10:06 -------- d-----w- c:\users\Krystal\AppData\Roaming\FrostWire

2010-02-06 04:55 . 2009-10-20 05:20 -------- d-----w- c:\programdata\AVG Security Toolbar

2010-01-21 23:21 . 2009-10-20 05:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-01-21 23:21 . 2009-10-20 05:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-01-21 23:21 . 2009-10-20 05:56 1152444 ----a-w- c:\windows\UDB.zip

2010-01-21 23:21 . 2009-10-20 05:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-01-21 23:21 . 2009-10-20 05:56 767952 ----a-w- c:\windows\BDTSupport.dll

2010-01-21 01:00 . 2009-04-27 12:12 -------- d-----w- c:\program files\Counter-Strike 1.6

2010-01-21 00:25 . 2009-05-07 07:43 -------- d-----w- c:\program files\Common Files\AVSMedia

2010-01-21 00:25 . 2009-05-07 07:43 -------- d-----w- c:\program files\AVS4YOU

2010-01-20 05:05 . 2009-04-18 06:11 -------- d-----w- c:\programdata\Google Updater

2010-01-19 20:57 . 2010-01-01 23:25 -------- d-----w- c:\users\Krystal\AppData\Roaming\support

2010-01-13 22:12 . 2009-10-07 02:10 181120 ------w- c:\windows\system32\MpSigStub.exe

2010-01-12 20:47 . 2010-01-12 20:47 -------- d-----w- c:\program files\DVDVideoSoft

2010-01-07 03:07 . 2009-03-04 05:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 03:07 . 2009-03-04 05:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-07 03:00 . 2008-10-19 07:03 -------- d-----w- c:\program files\Windows Live

2009-11-25 00:02 . 2010-02-06 04:55 1234176 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll

2009-10-02 08:10 . 2009-10-02 08:10 12120 ----a-w- c:\program files\Common Files\romir.db

2008-08-27 04:10 . 2008-08-27 04:10 76 --sh--r- c:\windows\CT4CET.bin

2008-08-27 19:46 . 2008-08-27 19:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-11-25 1234176]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 00:02 1234176 ----a-w- c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-11-25 1234176]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVGLS\Toolbar\IEToolbar.dll" [2009-11-25 1234176]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-15 371224]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2010-02-19 174872]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-01 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-02-19 3883856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-27 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-11-04 10:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2010-01-19 06:06 120320 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2008-08-27 04:16 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-02-19 23:47 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

2008-03-04 05:05 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

R2 AeLookupSvcAESTFilters;Application Experience AeLookupSvcAESTFilters;c:\windows\TEMP\ujnfimmnch.exe service [x]

R2 gupdate1c9bfecbe49b96a;Google Update Service (gupdate1c9bfecbe49b96a);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-19 12872]

R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [x]

S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]

S1 AvgLdx86;AVG LinkScanner


Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now? :lol:


The laptop seems to be running better :lol: Most of the problems have been resolved, except for the persistent problem of Windows not being able to check for updates.

As for the online scan: the initial attempt seemed to be going OK until the laptop shut down on its own (battery OK) when it was about 49% done, having found 1 threat, something called "INF/AutoRun.lj.7 INF virus", which was also quarantined by the Avira AntiVir Personal guard running in the background.

I ran the scan again after rebooting and no threats were found with a very short log produced:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

Is this normal? And any ideas about Windows Update?

Thanks for the help so far

Q


Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double-click it and post the log it creates on the desktop (mbr.log).

Download RootRepeal from one of the following locations and save it to your desktop:

Link 1
Link 2
Link 3

  • Double-click the RootRepeal desktop icon to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running.

  • When the scan is complete, click the Save Report button and save the report to your Desktop as RootRepeal.txt
  • Attach the report in your next reply

OK - the mbr and RootRepeal logs:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/02/24 13:09

Program Version: Version 1.3.5.0

Windows Version: Windows Vista SP1

==================================================

Drivers

-------------------

Name: dump_iaStor.sys

Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys

Address: 0x8E2DA000 Size: 815104 File Visible: No Signed: -

Status: -

Name: mbr.sys

Image Path: C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp\mbr.sys

Address: 0x8E3F8000 Size: 20864 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\Windows\system32\drivers\rootrepeal.sys

Address: 0x8DA70000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\System Volume Information\{2ee94e2e-1684-11df-b37e-00219bcd1fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{2ee94e3c-1684-11df-b37e-00219bcd1fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{3325ac14-19a1-11df-8629-00219bcd1fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{39a02236-1d13-11df-92e8-00219bcd1fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{563e5995-03fd-11df-b6f7-002268d3163e}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{78f286bb-1fe5-11df-9ceb-00219bcd1fe7}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{91868715-05bb-11df-8199-002268d3163e}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{d6ac9bb3-1da7-11df-86b7-002268d3163e}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.VBS

Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~2.MOF

Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\System32\XPSViewer\XPSVIE~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_516953ad0f4d16c4.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_d088a2ec442ef17b.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MI2095~1.MAN

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MIC237~1.MAN

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16386_none_c52353cea8765257\$$DeleteMe.msasn1.dll.01ca528a859133de.0000

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6001.18096_none_67458179da6478e3\FRAMEW~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..onent-sku-homebasic_31bf3856ad364e35_6.0.6002.18005_none_6fb05fed465ff4c8\SECURI~4.XRM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..onent-sku-homebasic_31bf3856ad364e35_6.0.6002.18005_none_6fb05fed465ff4c8\SEE61C~1.XRM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..onent-sku-homebasic_31bf3856ad364e35_6.0.6002.18005_none_6fb05fed465ff4c8\SED8D0~1.XRM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..onent-sku-homebasic_31bf3856ad364e35_6.0.6002.18005_none_6fb05fed465ff4c8\SEC3C2~1.XRM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..onent-sku-homebasic_31bf3856ad364e35_6.0.6002.18005_none_6fb05fed465ff4c8\SED85F~1.XRM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..onent-sku-homebasic_31bf3856ad364e35_6.0.6002.18005_none_6fb05fed465ff4c8\SEC362~1.XRM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\GATHER~1.VBS

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\RULESS~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\WIRELE~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\GATHER~1.VBS

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\RULESS~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\WIRELE~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\GATHER~1.VBS

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\RULESS~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\WIRELE~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\GATHER~1.VBS

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\RULESS~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\WIRELE~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\GATHER~1.VBS

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\GATHER~1.XSL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\REPORT~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\RULESS~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\WIRELE~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~2.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~2.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~2.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~2.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PORTAB~2.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_b9851a92245b1b73\TRACKI~1.SQL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_b9c9d6ad3dacfd87\TRACKI~1.SQL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6001.18096_en-us_bb08077221cc7808\TRACKI~1.SQL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6001.22208_en-us_bbf4f6033a9f4c2e\TRACKI~1.SQL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6002.18005_en-us_bd4ece0e1eaaafd1\TRACKI~1.SQL

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.16720_none_c2e2272db9e7b99c\INSTAL~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.20883_none_c32de54ed3334d11\INSTAL~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.18111_none_c4d43609b70547f3\INSTAL~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.22230_none_c54732b2d0340648\INSTAL~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6000.16720_none_f570e12815568682\MACHIN~1.COM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.0.6000.20883_none_dea8f7cc2ef8cb75\MACHIN~1.COM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.0.6000.16720_none_32a2a55c0f70152b\VBCEXE~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.0.6000.20883_none_1bdabc0029125a1e\VBCEXE~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_a05f40e791345747\WEB_HI~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8997578baad69c3a\WEB_HI~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_a03a259d918663e8\WEB_HI~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_896e9639ab2bdcfb\WEB_HI~1.CON

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.18096_none_ada2ec92b42bf87e\GLOBAL~1.COM

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.16708_none_1dbee32b03599791\PERFCO~1.H

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.20864_none_1e039f461cab79a5\PERFCO~1.H

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.18096_none_1f41d00b00caf426\PERFCO~1.H

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.22208_none_202ebe9c199dc84c\PERFCO~1.H

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6002.18005_none_218896a6fda92bef\PERFCO~1.H

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6000.16708_none_9e7d8c92dbaad42f\WORKFL~1.TAR

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6000.20864_none_9ec248adf4fcb643\WORKFL~1.TAR

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6001.18096_none_a0007972d91c30c4\WORKFL~1.TAR

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6001.22208_none_a0ed6803f1ef04ea\WORKFL~1.TAR

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6001.18096_none_73691799fb94ec42\PERFCO~2.INI

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6001.18096_none_73691799fb94ec42\PERFCO~1.INI

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\ASPX_F~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\DESELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\GRADIE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\GRADIE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\HEADER~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\REQUIR~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\SECURI~1.JPG

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\SELECT~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\SELECT~3.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\UNSELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.16720_none_aee54cea18c2ca82\UNSELE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\ASPX_F~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\DESELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\GRADIE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\GRADIE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\HEADER~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\REQUIR~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\SECURI~1.JPG

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\SELECT~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\SELECT~3.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\UNSELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6000.20883_none_981d638e32650f75\UNSELE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\ASPX_F~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\DESELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\GRADIE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\GRADIE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\HEADER~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\REQUIR~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\SECURI~1.JPG

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\SELECT~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\SELECT~3.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\UNSELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.18111_none_aec031a01914d723\UNSELE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\ASPX_F~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\DESELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\GRADIE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\GRADIE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\HEADER~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\REQUIR~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\SECURI~1.JPG

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\SELECT~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\SELECT~3.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\UNSELE~1.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.0.6001.22230_none_97f4a23c32ba5036\UNSELE~2.GIF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_locres_res_b03f5f7f11d50a3a_6.0.6000.16720_none_e101494a280d4e0b\NAVIGA~1.RES

Status:

Processes

-------------------

Path: System

PID: 4 Status: Locked to the Windows API!

SSDT

-------------------

#: 072 Function Name: NtCreateProcess

Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x84b0dcdc

#: 073 Function Name: NtCreateProcessEx

Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x84b0dece

#: 334 Function Name: NtTerminateProcess

Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x84b0d982

#: 383 Function Name: NtCreateUserProcess

Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x84b0e0d6

==EOF==

Hopefully this is useful ;)

That's good news :) Internet is up and running with no browser issues... Windows Update screenshot is attached.

Not sure if this is a malware problem more than some kind of system/software error, but I'm no expert. Tried googling the error code and there are all sorts of solutions which I'm not too convinced of at the moment.

Any pointers would be helpful re: update, but otherwise thanks for all your help with malware removal!

Cheers

Q

[Attachment: Windows Update error screenshot]

I've Googled the "80070490" error and got various answers.. Since I don't know the right answer for your current issue, and have determined that your computer is now malware-free, I suggest you post the Windows Update problem at our PC Help forum.. Link below.. Tell them I sent you there :)

http://forums.malwarebytes.org/index.php?showforum=6

Glad we could help. :D

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
