View Full Version : Win32.Agent.p3
Gratefulforhelp
2008-06-21, 00:56
Dear Spybot Forum,
My computer is infected with Win32.Agent.p3.
- I have completed the steps in http://forums.spybot.info/showthread.php?t=288
- Updated Spybot to the latest definitions
- Spybot (Windows in safe mode) could fix 8 of the 9 entries it found under Win32.Agent.p3
- The one it couldn't fix was SBI $B74832EE C:\windows\system32\wsnpoem
- Ran spybot again from safe mode again and same result
- Ran spybot a third time as previously described and same result
- No other 'red' items were found in the three scans - just the same recurring Win32.Agent.pz
- Here is my hijackthis log as required in the steps from http://forums.spybot.info/showthread.php?t=288
- I am running Windows XP SP2, Antivir, Zonealarm and Spybot.
I would really appreciate any help and guidance you could provide.
I thank you sincerely in advance.
Frank
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:48, on 20.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\a-squared Free\a2service.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hiller-hinken.de/startseite/index.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5038] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2428] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6553 bytes
Gratefulforhelp
2008-06-21, 01:02
The title of this thread should be Win32.Agent.pz.
My apologies
Hi Gratefulforhelp :)
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Gratefulforhelp
2008-06-22, 12:42
Hello Blade81,
Firstly my sincere thanks for your assistance and guidance. It is very much appreciated.
- I followed all your instructions in the last post
- ComboFix downloaded, ran without any problem and the results are below for you
- Ran a fresh HijackThis log after combofix finished as you requested and that is below as well
Unfortunately Combofix ran some parts in German (it seems it automatically recognised the language, as no option appeared at all to select a language or English), so if you need any help with translations from the combofix report please ask and I will translate everything you need.
I thank you again for all your kind assistance and eagerly await your next advice.
Thanks again,
Gratefulforhelp
Combofixlog:
ComboFix 08-06-20.4 - Maze 2008-06-22 11:04:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.166 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maze\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll . . . . Nicht in der Lage zu löschen
.
((((((((((((((((((((((( Dateien erstellt von 2008-05-22 bis 2008-06-22 ))))))))))))))))))))))))))))))
.
2008-06-22 11:28 . 2008-06-22 11:30 <DIR> d--hs---- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
2008-06-20 20:46 . 2005-11-25 11:48 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-20 20:46 . 2008-06-22 11:25 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-20 20:46 . 2008-06-20 20:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 18:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 18:37 . 2008-06-18 18:37 <DIR> d-------- C:\Programme\Lavasoft
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\SUPERAntiSpyware.com
2008-06-18 18:31 . 2008-06-18 18:32 <DIR> d-------- C:\Programme\a-squared Free
2008-06-18 18:25 . 2008-06-18 18:25 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-18 18:24 . 2008-06-18 18:24 <DIR> d-------- C:\Programme\CCleaner
2008-06-11 18:07 . 2008-06-12 12:47 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 16:35 . 2008-06-14 19:57 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:35 . 2008-06-14 19:57 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 17:29 . 2008-06-02 17:29 28,672 --------- C:\WINDOWS\system32\cryptonet.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 09:31 18,101,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 09:30 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\OpenOffice.org2
2008-06-22 09:29 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Skype
2008-06-22 09:27 2,804,569 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-22 09:26 246,560 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-22 08:57 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-06-22 08:56 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\skypePM
2008-06-18 16:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-18 16:37 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-18 16:30 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-26 17:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-05-24 15:29 17,058,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_24_15_03_32_full.dmp.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 07:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-02 13:43 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2003-01-13 09:59 278,528 ------w C:\Programme\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Programme\internet explorer\plugins\UPjpeg.dll
2007-12-25 16:18 146,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="c:\HH\update.cmd" [ ]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 13:25 262401]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"CanonMyPrinter"="C:\Programme\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-01-02 14:29 185896]
"Ulead AutoDetector v2"="C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dasd"="regedit" []
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet]
cryptonet.dll 2008-06-02 17:29 28672 C:\WINDOWS\system32\cryptonet.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 13:25]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 13:25]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 18:20]
S3 dtwmnic5;DeTeWe OpenCom 40 dsl;C:\WINDOWS\system32\DRIVERS\dtwmnic5.sys []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 11:30:12
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
C:\WINDOWS\system32\ntos.exe 477184 bytes executable
C:\WINDOWS\system32\wsnpoem
Scan erfolgreich abgeschlossen
versteckte Dateien: 2
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cryptonet.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-22 11:34:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 09:33:40
9 Verzeichnis(se), 13,957,230,592 Bytes frei
11 Verzeichnis(se), 14,309,658,624 Bytes frei
157 --- E O F --- 2008-06-20 18:44:35
HijackThis Log: (Run after ComboFix had finished without any error messages)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:02, on 22.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [update] c:\HH\update.cmd
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programme\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Sun Clock.lnk = C:\Programme\Map Maker\Sun Clock\Version 6\SunClock6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6861 bytes
Hi
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\ntos.exe
Folder::
C:\WINDOWS\system32\wsnpoem
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dasd"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet]
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting the above-mentioned ComboFix resultant log) too.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
If having a problem doing the above
Make sure that your Internet security settings are set to default values.
To set default security settings for Internet Explorer:
* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
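The CFScript earlier in this reply resets the Winlogon Userinit value to userinit.exe alone and deletes the cryptonet Notify key. As an added example (not part of the original posts, and not code from HijackThis or ComboFix), the Python below runs that same check over log lines copied from this thread: it reports any Userinit entry other than userinit.exe and any Winlogon Notify entry the reviewer has not allowlisted. The function names, the allowlist parameter and the sample constants are hypothetical.

```python
import ntpath
import re

# Lines copied from the logs posted in this thread (embedded so the check runs offline).
HJT_SAMPLE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
"""
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
"""
# The value the helper's CFScript writes back.
CFSCRIPT_SAMPLE = r"""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
"""

# Baseline taken from the CFScript in this thread: userinit.exe and nothing else.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
REG_RE = re.compile(r'^"Userinit"="(?P<value>.*)"$', re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$", re.I)


def userinit_extras(value):
    """Return every comma-separated Userinit entry that is not userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and ntpath.normcase(e) != EXPECTED_USERINIT]


def review(log_text, notify_allowlist=frozenset()):
    """Scan HijackThis or ComboFix log text and list Winlogon findings.

    notify_allowlist holds Notify key names the reviewer has already
    verified (an assumption of this example, compared case-insensitively).
    """
    allowed = {name.lower() for name in notify_allowlist}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            findings += [("userinit", p) for p in userinit_extras(m.group("value"))]
            continue
        m = REG_RE.match(line)
        if m:
            # ComboFix prints the value in .reg syntax with doubled backslashes.
            value = m.group("value").replace("\\\\", "\\")
            findings += [("userinit", p) for p in userinit_extras(value)]
            continue
        m = O20_RE.match(line)
        if m and m.group("name").lower() not in allowed:
            findings.append(("notify", f'{m.group("name")} -> {m.group("path")}'))
    return findings


if __name__ == "__main__":
    for sample in (HJT_SAMPLE, COMBOFIX_SAMPLE, CFSCRIPT_SAMPLE):
        print(review(sample, notify_allowlist={"!SASWinLogon"}))
```
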
Gratefulforhelp
2008-06-22, 17:49
Hello Blade81,
Thanks again for your kind help. I followed all of your instructions and here are the results.
Thanks in advance and I look forward to your further expert advice. It is very much appreciated.
Frank
PS: Please note the Combofix is attached below and the Kaspersky report and latest hijack this in the next post as they wouldn't fit in this post.
Latest Combofix Log:
ComboFix 08-06-20.4 - Maze 2008-06-22 13:32:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.173 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maze\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Maze\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\ntos.exe
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll . . . . Nicht in der Lage zu löschen
.
((((((((((((((((((((((( Dateien erstellt von 2008-05-22 bis 2008-06-22 ))))))))))))))))))))))))))))))
.
2008-06-22 13:24 . 2008-06-22 13:24 34,728 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-20 20:46 . 2005-11-25 11:48 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-20 20:46 . 2008-06-22 13:38 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-20 20:46 . 2008-06-20 20:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 18:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 18:37 . 2008-06-18 18:37 <DIR> d-------- C:\Programme\Lavasoft
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\SUPERAntiSpyware.com
2008-06-18 18:31 . 2008-06-18 18:32 <DIR> d-------- C:\Programme\a-squared Free
2008-06-18 18:25 . 2008-06-18 18:25 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-18 18:24 . 2008-06-18 18:24 <DIR> d-------- C:\Programme\CCleaner
2008-06-11 16:35 . 2008-06-14 19:57 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:35 . 2008-06-14 19:57 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 17:29 . 2008-06-02 17:29 28,672 --------- C:\WINDOWS\system32\cryptonet.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 11:42 18,149,408 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 11:39 247,208 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-22 09:30 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\OpenOffice.org2
2008-06-22 09:29 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Skype
2008-06-22 09:27 2,804,569 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-22 08:57 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-06-22 08:56 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\skypePM
2008-06-18 16:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-18 16:37 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-18 16:30 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-26 17:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-05-24 15:29 17,058,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_24_15_03_32_full.dmp.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 07:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-02 13:43 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2003-01-13 09:59 278,528 ------w C:\Programme\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Programme\internet explorer\plugins\UPjpeg.dll
2007-12-25 16:18 146,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((( snapshot@2008-06-22_11.32.25.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 09:27:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 11:40:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-22 09:28:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-22 11:40:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-22 11:40:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-06-22 11:40:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-06-22 11:41:15 16,384 ----a-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-06-22 11:41:16 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-22 11:41:15 16,384 ----a-w C:\WINDOWS\Temp\Verlauf\History.IE5\index.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="c:\HH\update.cmd" [ ]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 13:25 262401]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"CanonMyPrinter"="C:\Programme\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-01-02 14:29 185896]
"Ulead AutoDetector v2"="C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 13:25]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 13:25]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 18:20]
S3 dtwmnic5;DeTeWe OpenCom 40 dsl;C:\WINDOWS\system32\DRIVERS\dtwmnic5.sys []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 13:42:25
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
C:\WINDOWS\system32\ntos.exe 477184 bytes executable
C:\WINDOWS\system32\wsnpoem
Scan erfolgreich abgeschlossen
versteckte Dateien: 2
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-22 13:45:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 11:45:45
ComboFix2.txt 2008-06-22 09:34:03
9 Verzeichnis(se), 14,325,972,992 Bytes frei
11 Verzeichnis(se), 14,299,652,096 Bytes frei
172 --- E O F --- 2008-06-20 18:44:35
Gratefulforhelp
2008-06-22, 17:51
Here is the Kaspersky Report (it needs to be split further into another post).
Frank
Kaspersky Report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 22, 2008 4:37:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/06/2008
Kaspersky Anti-Virus database records: 880097
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 68802
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:35:09
Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\3dd8ebf1f9533b2f0cceafaa8fabcea7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\3e4e30aa1194809a34ca67213fc906f6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\3e776279be7768e7d693cadd28646e8a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\3ef45895bdcc2fd7ffb90d989200ab4c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\406e7a3fb936c56c8368b2efdbb95828_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4198992281102efa083fa76f010df553_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\421d2307697a7144f29e06344987d4fa_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4259924d0923cd1258733c3d7cb92c64_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4436cd803e425bc90a590bbb47ccb951_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\44890c0655905dfd08458e7d3063b023_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4602d3a8f11500bffde672ce07e3629e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\477913fa72f9b2fff63a41fa2782aba5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\47db4202fcd7d568270b20fbd710112c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\47fce856f2f43a2d7f303ec077daef12_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4843cbc44531c892087cebcdb59ec5b1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\48695bced41af1429057912aa959e42b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\48b23ae740a56b7800452c0ed8f813a8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\494dec5316dbd8bae5a7e3bb3b767906_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\49883c0245ab9aeb67f1329ee483e654_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\49affeff68824cab2a5f0a1b78b38f02_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4a20c62044392f1a85e3291426d3233c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4cd4b1af36e5bb690ddf4b97d85277f6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d53af6c17a42d8fde30084165f8837c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d5edd8a835485455bb16c93ecc6c23e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d7165da785463a92eedc8214b99071b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d75093a43e6111d8416ae97c519fe72_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4e015d4fd9bbb455433d1c981707c8c4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4f1b386d0220beef6cdd8baa8bea9cdb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4f3cc723627a62a3b52b9b5d51e93363_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4fffca46af04711b6d1a231f98713e7c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\50490519bfe751586cc609e1444213d2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5099904e1e4c4a472ffd9bbfc8f3c5af_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\50ae69164d857cb0de84f2d57e32e6dc_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\523d29984c46d4de83c0185f849d0baa_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\524f54bf5f53e081d605bac4cfd4fa0e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5280fe6655bb50434d2d511d01e679e7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\52c19671067c8a957fdafb2b242c0a15_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\52ec0c42c1e886dc7fe7b2c0e6f528eb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\538d549bd915f031c0fab1c9e43f67d4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5405117b4164a36c3d01a92934cb583f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\54f3e963897dc3abee9f35d6c3d5c90c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5601b864fe5831b92024bbe9d0c650e9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5609d59b86755079cad1d39398f27209_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\562b05d50b8e493e3b21e93faa247d42_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\577e87cfd693ac221ce77adee368640b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5928da36014054ecef9b4f7bbf06c205_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5941ff2c290759bbdcc6c8fc3fcfa761_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5975ad5c341c7fbf2aa9b6bbc8d29d71_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5995e2cbde51c339fec95659ffa1b994_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5a70abe6b44c8c906370f9e9833227c8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5a942888dffc27a5efc831c65630fa50_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5bb9c2adc098a2b480e7380749be5116_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5c933ee202ee94f655b2af673600064c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5cffe5b10dffeb1a97714489f1139e49_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5d0440b6216a7e4d22b74d484cd2c4db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5d71f4c8f80aa807030d2a04952fdbf9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5d89ccf88c009fae99f31d0518279ae9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5dc20a674160516d83be6a84c51c6eb1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5e3f53336329983dd9f29645f3646317_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5ec8fe18fe7f8455ccf70c2ace1f0819_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5f3d9e8f16c8559ca796647fac581046_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\609461aef509663f918e2b3cac4d0960_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\60b07f9c716519dec9597678122a6679_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\60e6e86065292a6eabc64a022f15f2ac_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\610d1d54565a70ec3c5a9452d9f204cd_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\61a2bae001fb9d998369eb97e0f4d56f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\62564257614e74307b79a346770408d9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6315869e5248b943be345a5188449f7c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6321bdc9597c0530a516c217694e90b8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\63656ad97363357694e57469287c5402_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\63bbac42c2f34f1296cdd34fb4342331_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\63e6f19bbbd34dca08b192a92a1f731f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6492700dbd7229aa8e5f34beae0555be_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\64a6e6f0d2eb1044df1323650ee56e4c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6555955832a474c2f14706328b7d7554_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\659d701cd52ecd083e0d9312f5b303e1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\65f1e53cbcdacce145c109e53f8b3f35_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\66008adf98d249bda0a74820d7d900e5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6684ae3a4d592e9ab10ffa6f65890c67_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\669a936d907204532abeb9bff89fc1e0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\66c86c4cae8af4011e97f161efacb930_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\673c521c1c35942f31c2f50696a8ac04_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\68027070b23cbdaa958a29bd41a52323_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\68962c5b11cac0985b5bbf34fe1d76d6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\68cd4706cc5ca3c912b94b62fe260358_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\690b05dd26a5c31bdb84e65f6602bceb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\698d5df4137039cf2b679e92f629307e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\69cf49f2fc2da9158ef24516fd89274f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6a14fa892e3a9b4c6074420e6a84ab0e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6ad3b1b5eea98fef6a14e9d7f294e91d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6af4e99e5b45b042683b66ee5ba7716c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6b6dea1ff664f73420ba0ff940c4246b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6c64d3b02b6dc204ec5f401da388af56_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6c8a42a1d98490d378a5f671ffa0b061_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6c92beade98656c040edec1b84d512ed_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6cdc42f1792c5f8ce3d1cd51c6688a1e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6cde93ef8796ba4d84e9f2e94d126d70_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6d7ae32fa63d623339909745270c7735_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6dea5009193eaefb350b0a45390093db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6e9e0b3eb51b6acdacc0820ee42d0aac_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6eb5d1d1859f99370bb589fe573cffdf_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6ee53a91f7d97422ffbec21122da2901_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6f1f08018895fc35522652206dbf9a58_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6f7e171c4e1a45959ca2fb99959b4087_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6f84dc2ae7b39d05d9930084aa5fc3ae_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7042174f1bb22c968176de9cc49d6042_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\70cde9f3918aea21781fca5955f47c29_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\71479766690e7b6d1f5280aad704cdb6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7199fe1c763bbb7f5892541ad1e69386_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\719c8eb53d180eb664effc3de73ee23d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\71d883278bc4130d75b50e6bf1ba5e65_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\726f891e9969312de3eeb279f1d3a258_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\72c0424c00b069628d2dd56c83a07187_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7485f683a799cf8456496598334326c8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\75b1ab5145a3c17f3ee22176b1e152cc_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\75f8b675f23f5de802c6606fe47f3d2c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\764b64fec6c3755f465db699991e0d6f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\76802dec656796e57ed3737104d6fe29_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\76931f4b8a4ac2f90679c142ac6870a2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\76c508885a7b8b1fd01855b0119563e4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\771dfed5c40beadeb4893fff8c2d7da5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\772d7fd68cea1fe8ab9f66868455e756_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\774d97be3b748761092c33173c7547ec_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\775407f2c76a7b94b773a673a7d31e7e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7794f406925ba331d8f82209ba80c90f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\77be160ac743ebfcee534a41e22099b7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\78e0547fc9fa428ee35971f834880568_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\795d5b94dad7b7d5810963d3687ce6e8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\799c2c3ddf93a25fde85aa1021209834_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7a089105a5efeb53b0d94824c3da9f3e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7a92a1f3204cf3a6489949dba2f5203a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7b95164578f04ee81aec228b94eb5488_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
Gratefulforhelp
2008-06-22, 17:53
Kaspersky report continued. Apologies for the subsequent posts.
Fresh HijackThis report run after ComboFix and Kaspersky is in the final post.
Frank
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8bdc3b4a4782fc8e487696a61ea35134_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8c1147fc948c550eec9032d2b079e644_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8c7b5da0a5098136ee9c289746c4e949_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8cc9697d2126d206b5d9c159ed431d38_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8d2c6bc816ab97ccac218df7f52f61a8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8d609d3a4d7d3bc76f88d37266d97fb8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8d7882e9b36e6475bf766a0b3204727c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8dbd5dd9f4506c01c0ac3e5b800cb828_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8dd3d7ef65a57d173321a60628507d27_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8e31865d7d592c099581167acf55ec70_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8f4312c9674a62339a4eec1df883793b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9096e7ec87f4c169ddab306fa517c595_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\90d047cd12e433759e9a68a82cec976b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\91f4a215a7943a11ff82fae31ebec204_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\928cf26d1bf8b1f6d96336027dc2a4ff_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\92e4b04d28b44d935a3422862735c523_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\932003bf6dfe76ecc2015101705fa541_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9375c33d4f8b4c381c7a51aeb24ade6f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9421009e4557fc068f25763830406e35_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\94ea1db391199493f8cf37bff064b596_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\955f20957b5de290724ffd6891490ddf_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\95aa71bce2ccecefa5bda50b5746d72d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\95e99b72f841182b3d53f93a0b220112_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9692cd8ec7b0de0fabe1572f9135fbbe_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\96acc16a4acf176d2073d4686670c5f7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\97d79164539e30cc4c34d4e4ce842f9c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\97ec749a14e2886e9a02120c6e8ecc97_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\982f4384567a01b0db281ede4e2153db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9865df3151efa869d7a8493667db4d27_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\988b61916b268cb0ed449828e8aec90d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\98b4dd7e5fff208f8472296839deab73_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\98bd5240b4dd3175ec0db9160d891048_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\999da3b9af2b80bd94af8f77120510de_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\99af17660f9f17d85051bb3add293480_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\99b6b86beff3d0aebacc7266d936c048_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\99d88ba33ea545085b51478b4677f9fd_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9a108a5d4fbd164bc53b74ba3e5a350e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9a2009a1d9ba1558ef6a22620ceb6874_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9a7880ea04072707302d87c8a4099626_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9bb56e331e5068c691b59425acece1aa_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9befbd1ebf1d70ba6ee487c044be20f9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9bf21b2af032625d28bbe3d4325bff96_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9dd10f688fb9c8b2cc8d393ef6e5d888_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9e60a9b84d55f088d4ff7a71020b3ac4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9e738f0d0c76911ab1c2fb37c191aeb9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9f257bf7d26b3be0bb4c472eba99f6dc_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9f8b79aa05fdd9e3cbe46b4c851670df_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9fd8f81d04aac148bae3a7f66a644619_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a01e481b5cef17621e2e1268db27917f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a04692615aa3dfddbddb452b6609fa75_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a1cc1feb97e4c00d59f51713e62aec68_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a2a7cf6f236225590d9017c36409a959_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a370c33f7a87636032174f98ad8d92f6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a47d1b3d13078da174d9ee17eda52d6d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a4bf205964c5b3829624d94733a56391_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a559bc507dbf90f7653e27bf11ac0821_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a603782625305947529640bb1c56820d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a7998f90d439f2480f698112c7e1a3db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a7f66c304746c4ee1117e67a52e89985_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a85083abdac08d85ebf316b5a7e74b4d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a8880ddcdb1d6d99d507d0c3ccae0a20_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a981bd576ef89450a525ff4d12584136_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\aa3d6fea6a6efde82dd593c796a58eab_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\aaf3f38fe941927ac9676be199a06081_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ab5f85d845ee50c487574f44f9039f63_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ab6b6eadec1f4fdf4b54facc9f005310_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ab8760934b071d864b266c0c79c078eb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ac10b72ab6ff02d642d7e95f8481ce19_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\adab9ab00e1e3c8f15a781bd3495e846_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ae50ab19d0b3f7b325760c0e1ede88c5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ae5ed71f5cadb8374ff280aa119ffaf1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\aea5265ef8ab01a6e5675a40aa14ada9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\af00793bf58f8732aa1e90180a8dabb3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\af3f373ceb3fb46fb52a7f8c52c28a25_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b0613b2f667068826e5786c3fea4c3e3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b313aa9a0a831f7f2756267e49b06fe6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b3ae3ba4873a912d08b8babed55259fe_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b3c9e48d358a6271fd1438257449b435_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b3fd57f2b383963bd1d74883aa9d0c41_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b4b1ce142a5207b9528ea374ee949335_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b6197bd6ac3ecb7cdb833b4dff85edee_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b66fd27caa152854e864200a79332e4a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b70a0f40c5972529b5c52ab017deb01c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b7340ddb3be3f23538b67f7b4c892db0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b76643bd8c950eb07522d6b92f64be41_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b8aea0f99947d4bf5ccb83b2c99751a3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b90c782a23c33f8002328ce63cf7129e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b9774706336e0222a8eaecce205892db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b9f080ec6486d9420a3edc650d1474fb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ba206c1aa1015a9fa2cd22c2d19b41db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bb1938b751693c3dcdd622a8ec1e69f2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bbe478b6a7151340a777046dacb0f855_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bbf0bbeb71ef4d1ba9168aca3752fb23_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bc6d442af83a1cf6a52ce377c69d2a99_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bd66e55d34a8162468a59691e1e9fb7c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bd898a5182ed3a695870cee62491cdf6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bdd350f17d858737a9c40ca4dcbd342a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bded69baf242984888a06b0d20455e30_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bdefcc1148d349fc04306dd701b05787_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bf747c51461f49c5e9a6997bb2606d17_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bf81d07ed67cea7a1e98bea79e0807c2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c08995e2db2b4a250c3be27777d73899_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c1e1f2e007e8e3af4bda44004b56f9f8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c1e4aac00f089b4f8b7f09fb4dc5532f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c279f55556533806d99892d178c6db84_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c27cf839e5429e5ad4ed0d8299fbf3c4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c2d4a6c577628328d2de4c8a44aabb97_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c3363e7b0d0e90d87510bbcbc89deb39_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c3592015aeaa2b5997f6d1586b52d133_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c377cf1e2d66126176609d932297c617_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c638c4b347f005a88f7489f579fcbdd2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c69dba8401419893986aeb8bf799c1b9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c6cfe978296a7f3f9f912b48e708f040_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c7794bde8eb2a52bf6d741263adcb9b0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c79e2a90210c61b1e8c8efd5200558ea_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c7a0858c4adbeff1e07158a5ea4f70a3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c859532ef98b18947c8c922b72798b8e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c87d4c8b331ed1756fd6b37f0e7c620e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c8914a073d7cc222603fb30f5acbf902_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c8c035adb79288e29719aada0402de22_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c97db7dd0564db4a5e08e6f24acc186a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ca5c41bc60c3c1cb26c94ff2c91fe426_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ca7614b55fe75840119a56f830e59c4a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cb5f55a2d4aadea2709be76678757229_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cbfa80435a748e4e46a1a5810c9a8009_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cc2123b0514d59f29f62c140f11526b4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ce9da1690b5e3e8949f11fc986cc5572_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ceb9a28a988626c40d6b69069e6ba800_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cecc9171f64dddad62ba74d113966442_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cef399d466d996dfe3b5025d251ad93d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cf258c21bbf0bf708e5290399c8ba764_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cf6aa18c504933bbbc720666b87b61a7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d10645a73db430351c77a3495c7ca334_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d11cebed4d511ea93524912147afc762_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d140fb92f5b80a331de816c0a2ae59d7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d15529d895aa6d9c8bccf6ddf9de25a1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d1cd2f9c13674428e0b29278571cccf8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d24ecc042d73243b60a77b32a1dcf24c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d33c016b282c2e33fd6a5f07c592fdb6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d39c4f11fe2b11b260789a2f30b33614_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d3f88019a881da4892cc622e7271d2e0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d41feb460a323e28e716f7aa41cd2ff5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d434b73e0ac742e6b30fc86b0e71d254_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d4be1ca91abbd513c71959ac12754272_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d52b412f56b52ce746710a881c2eb069_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d5c8429e09e1274abd7e1fbb40ce51f7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d60096e810a197dfd96bcb905324be6a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d62203c084df62a12627abb727df3512_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d6b0ebef78cbf523d5bad012a7110ff7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d6b572ed0ba8dd7917563b12f3afb443_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d6ea835f7824742bf20ccf22bd839b84_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temp\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temp\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Maze\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\P25115N1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B45F3266-986E-4498-A62F-FBF8B3662532}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\cryptonet.dll Infected: Trojan-Spy.Win32.Agent.crl skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\ntos.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped
C:\WINDOWS\system32\wsnpoem\video.dll Object is locked skipped
C:\WINDOWS\Temp\ZLT05cd9.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05cdc.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Gratefulforhelp
2008-06-22, 17:53
And finally the Hijackthis log.
Thanks again, it is very much appreciated.
Frank.
Latest Hijackthis Log run after ComboFix and Kaspersky:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:17, on 22.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [update] c:\HH\update.cmd
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6725 bytes
Hi
Let's do the following in safe mode (http://www.computerhope.com/issues/chsafe.htm#02). I recommend saving these instructions, since you can't access them from safe mode.
Start hjt, do a system scan, check (if found):
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\cryptonet.dll
C:\WINDOWS\system32\ntos.exe
Folder::
C:\WINDOWS\system32\wsnpoem
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log (hjt log taken in normal mode).
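A way to check a HijackThis log for the UserInit entry that the instructions above have the user fix, and to confirm from the fresh log that the fix held. This is an added example, not part of the original thread: the function names and sample logs are constructed here (the F2 line in the first sample is copied from the log posted above), and the expected value assumes a default Windows XP install on C:.

```python
import ntpath
import re

# Stock value on a default Windows XP install on C: (assumption; adjust for other layouts).
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# HijackThis reports the Winlogon Userinit value as an F2 line.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def _canon(path):
    """Case-fold and normalise a Windows path so spelling variants compare equal."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def extra_userinit_entries(log_text, stock=STOCK_USERINIT):
    """Return (line_number, entry) for each Userinit program other than the stock one."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = F2_USERINIT.match(line.strip())
        if not match:
            continue
        # The value is a comma-separated list and normally ends with a comma.
        for entry in match.group(1).split(","):
            if not entry.strip():
                continue
            if _canon(entry) != _canon(stock):
                findings.append((line_no, entry.strip()))
    return findings


# Constructed sample: a few lines in HijackThis format, F2 line as posted in the thread.
INFECTED_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

# Constructed sample: the stock value with different letter case, as a clean log might show it.
CLEAN_LOG = r"""F2 - REG:system.ini: UserInit=c:\windows\SYSTEM32\Userinit.exe,
"""

# Constructed sample: a file named userinit.exe outside system32 is not the stock program.
LOOKALIKE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\userinit.exe,
"""

if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG),
                      ("lookalike", LOOKALIKE_LOG)):
        print(name, extra_userinit_entries(log))
```

An empty result on the fresh normal-mode log means the UserInit value is back to the stock program only.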
Gratefulforhelp
2008-06-22, 20:22
Dear Blade81,
Many thanks for the prompt reply and the ongoing assistance. It is much appreciated.
I followed your latest instructions in safe mode and here are the two logs you requested.
Please note: after combofix had finished in safe mode and when it rebooted, I let the computer boot into normal mode to finish the combofix report and process. If this was wrong, and I should have let the computer reboot into safe mode AGAIN after combofix had finished its FIRST scan, I apologise. Please let me know if I need to run the steps again and this time boot into safe mode AFTER the combofix tells me to reboot.
Many thanks and I look forward to your next instruction list.
Frank
Combofix log:
ComboFix 08-06-20.4 - Administrator 2008-06-22 19:04:47.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.373 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Administrator\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\WINDOWS\system32\cryptonet.dll
c:\WINDOWS\system32\ntos.exe
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll
c:\WINDOWS\system32\cryptonet.dll
C:\WINDOWS\system32\wsnpoem\audio.dll . . . . Nicht in der Lage zu löschen
C:\WINDOWS\system32\wsnpoem\video.dll . . . . Nicht in der Lage zu löschen
.
((((((((((((((((((((((( Dateien erstellt von 2008-05-22 bis 2008-06-22 ))))))))))))))))))))))))))))))
.
2008-06-22 19:10 . 2008-06-22 19:11 <DIR> d--hs---- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
2008-06-22 13:50 . 2008-06-22 13:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-22 13:50 . 2008-06-22 13:50 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-06-22 13:24 . 2008-06-22 13:24 34,728 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-20 20:46 . 2005-11-25 11:48 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-20 20:46 . 2008-06-22 19:08 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-20 20:46 . 2008-06-20 20:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 18:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 18:37 . 2008-06-18 18:37 <DIR> d-------- C:\Programme\Lavasoft
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\SUPERAntiSpyware.com
2008-06-18 18:31 . 2008-06-18 18:32 <DIR> d-------- C:\Programme\a-squared Free
2008-06-18 18:25 . 2008-06-18 18:25 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-18 18:24 . 2008-06-18 18:24 <DIR> d-------- C:\Programme\CCleaner
2008-06-11 16:35 . 2008-06-14 19:57 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:35 . 2008-06-14 19:57 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 17:12 18,626,080 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 17:12 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Skype
2008-06-22 16:57 253,544 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-22 16:53 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\skypePM
2008-06-22 16:29 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-06-22 09:30 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\OpenOffice.org2
2008-06-22 09:27 2,804,569 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-18 16:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-18 16:37 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-18 16:30 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-26 17:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-05-24 15:29 17,058,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_24_15_03_32_full.dmp.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 07:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-02 13:43 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2003-01-13 09:59 278,528 ------w C:\Programme\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Programme\internet explorer\plugins\UPjpeg.dll
2007-12-25 16:18 146,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((( snapshot@2008-06-22_11.32.25.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 09:27:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 17:09:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-22 09:28:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-22 17:10:10 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-22 17:10:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-06-22 17:10:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="c:\HH\update.cmd" [ ]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 13:25 262401]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"CanonMyPrinter"="C:\Programme\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-01-02 14:29 185896]
"Ulead AutoDetector v2"="C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 13:25]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 13:25]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 18:20]
S3 dtwmnic5;DeTeWe OpenCom 40 dsl;C:\WINDOWS\system32\DRIVERS\dtwmnic5.sys []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 19:12:03
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
C:\WINDOWS\system32\ntos.exe 477184 bytes executable
C:\WINDOWS\system32\wsnpoem
Scan erfolgreich abgeschlossen
versteckte Dateien: 2
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-22 19:16:02 - machine was rebooted [Maze]
ComboFix-quarantined-files.txt 2008-06-22 17:15:45
ComboFix2.txt 2008-06-22 11:46:02
ComboFix3.txt 2008-06-22 09:34:03
9 Verzeichnis(se), 17,635,467,264 Bytes frei
11 Verzeichnis(se), 17,078,370,304 Bytes frei
172 --- E O F --- 2008-06-20 18:44:35
Hijack This log run after combofix reboot finished
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Canon\MyPrinter\BJMyPrt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [update] c:\HH\update.cmd
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6774 bytes
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask. If you want to continue cleaning please follow instructions below.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop. (If you can't download with this computer try to get it downloaded on some other one.)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
In Safe Mode, double click the SDFix.exe file. Click Install in the window that appears.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
Gratefulforhelp
2008-06-22, 21:19
Dear Blade81,
Thanks for the information, I would be grateful to take up your offer to continue cleaning my computer.
As requested I followed your latest instructions and attached the two logs you requested below.
I received no error messages from SDFix so I think it ran without any problem.
I look forward to your new instructions and I thank you sincerely again for the ongoing support and help.
Frank
SDFix log from Report.txt:
SDFix: Version 1.195
Run by Maze on 2008-06-22 at 19:56
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\ntos.exe - Deleted
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll - Deleted
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem\audio.dll - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 20:08:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 13 Nov 2007 6,219,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\851ec77bad9deffe5a3e6f29ba9e9716\BIT2.tmp"
Tue 20 Jun 2006 27,136 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0148.tmp"
Fri 17 Mar 2006 19,968 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0788.tmp"
Sun 3 Jun 2007 47,616 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0810.tmp"
Tue 20 Jun 2006 29,184 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0837.tmp"
Sun 3 Jun 2007 43,520 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0961.tmp"
Tue 20 Jun 2006 22,528 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1171.tmp"
Tue 20 Jun 2006 21,504 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1373.tmp"
Sun 3 Jun 2007 46,080 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1750.tmp"
Tue 20 Jun 2006 27,648 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2276.tmp"
Fri 5 May 2006 23,040 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2389.tmp"
Tue 20 Jun 2006 19,456 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2583.tmp"
Tue 20 Jun 2006 33,792 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3144.tmp"
Tue 20 Jun 2006 26,112 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3209.tmp"
Tue 20 Jun 2006 30,208 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3234.tmp"
Finished!
Latest Hijackthis log run after SDFix:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6486 bytes
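Added example, not part of either poster's messages: the HijackThis log taken after ComboFix carries an `F2 ... UserInit=` line that also launches `ntos.exe`, the ComboFix registry dump shows the same value under the Winlogon key, and the log taken after SDFix has no F2 line. The Python sketch below checks a pasted log for Userinit entries other than `userinit.exe`; the function names are hypothetical, the expected path assumes Windows is installed in `C:\WINDOWS` as in this thread, and the sample lines are excerpts from the logs above.

```python
import re
from ntpath import normcase, normpath

# Assumption: Windows lives in C:\WINDOWS (true for the machine in this thread).
EXPECTED_USERINIT = normcase(r"C:\WINDOWS\system32\userinit.exe")

# HijackThis format:  F2 - REG:system.ini: UserInit=<comma separated paths>
HJT_USERINIT = re.compile(
    r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I | re.M)
# ComboFix registry dump:  "Userinit"="<paths with doubled backslashes>"
CF_USERINIT = re.compile(r'^"Userinit"="(?P<value>.*)"\s*$', re.I | re.M)


def userinit_values(log_text):
    """Return every raw Userinit value found in a HijackThis or ComboFix log."""
    values = [m.group("value") for m in HJT_USERINIT.finditer(log_text)]
    # ComboFix prints REGEDIT4-style strings, so undo the backslash doubling.
    values += [m.group("value").replace("\\\\", "\\")
               for m in CF_USERINIT.finditer(log_text)]
    return values


def unexpected_entries(log_text):
    """List programs chained onto Userinit besides userinit.exe itself."""
    extras = []
    for value in userinit_values(log_text):
        for entry in value.split(","):
            entry = entry.strip().strip('"')
            if not entry:
                continue  # the value normally ends with a trailing comma
            if normcase(normpath(entry)) != EXPECTED_USERINIT:
                extras.append(entry)
    return extras


# Excerpt of the HijackThis log posted after the ComboFix run.
HJT_AFTER_COMBOFIX = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

# Excerpt of the HijackThis log posted after the SDFix run (no F2 line).
HJT_AFTER_SDFIX = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

# Excerpt of the ComboFix autostart section.
COMBOFIX_AUTOSTART = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
"""

if __name__ == "__main__":
    for name, text in [("HijackThis after ComboFix", HJT_AFTER_COMBOFIX),
                       ("HijackThis after SDFix", HJT_AFTER_SDFIX),
                       ("ComboFix autostart dump", COMBOFIX_AUTOSTART)]:
        extras = unexpected_entries(text)
        print(f"{name}: {extras if extras else 'no extra Userinit entries'}")
```

An empty result only means no extra Userinit entry was seen in that log; it says nothing about other autostart locations.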
Hi
The log looks ok now :)
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.
Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select Windows on platform combobox and check the box that says: "Accept License Agreement". Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download Spybot
Spybot is a scanner like adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)
Spybot can be downloaded at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click run.
In the dialog box, type services.msc, hit enter, then locate dns client.
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
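The six Internet-zone settings listed in the post above can be checked afterwards from a registry export instead of by clicking through the dialog. This is an added example, not part of the original thread: it assumes the settings are stored per user under `Zones\3` with the standard URL-action IDs and policy values (0 = Enable, 1 = Prompt, 3 = Disable), and the export text is constructed sample data.

```python
import re

# Policy values used by Internet Explorer security zones.
ENABLE, PROMPT, DISABLE = 0, 1, 3
POLICY_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL-action ID -> (label as written in the post, policy the post recommends).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Assumption: per-user Internet zone key (zone 3), no group policy override.
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones\3")

# Constructed sample in .reg export format. A real export is usually UTF-16
# and must be decoded to text before it is passed to the functions below.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {upper-cased key path: {value name: int}} for all DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group("key").upper(), {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            current[value.group("name")] = int(value.group("hex"), 16)
    return keys


def audit_internet_zone(text):
    """List settings that are weaker than the post recommends, or missing.

    Each finding is (action id, label, current setting, recommended setting).
    Disable is accepted where Prompt is recommended because it is stricter.
    """
    zone = parse_reg_export(text).get(ZONE3_KEY.upper())
    if zone is None:
        raise ValueError("export does not contain the Internet zone key")
    findings = []
    for action, (label, wanted) in RECOMMENDED.items():
        actual = zone.get(action)
        if actual in POLICY_NAMES and actual >= wanted:
            continue
        if actual is None:
            shown = "not set"
        else:
            shown = POLICY_NAMES.get(actual, "0x%08X" % actual)
        findings.append((action, label, shown, POLICY_NAMES[wanted]))
    return findings


if __name__ == "__main__":
    for action, label, shown, wanted in audit_internet_zone(SAMPLE_EXPORT):
        print("%s  %-58s is %-8s want %s" % (action, label, shown, wanted))
```
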
Gratefulforhelp
2008-06-22, 23:50
Dear Blade81,
Thanks for your constant support and the information.
I followed all of the steps until I got to the 'run spybot again' step. Spybot found the same red item Win32.Agent.pz with the following 7 entries:
SBI $689A946A Library – C:\WINDOWS\System32\wsnpoem\audio.dll FILE
SBI $D372DFBA Library - C:\WINDOWS\System32\wsnpoem\video.dll FILE
SBI $B74832EE Program Directory - C:\WINDOWS\System32\wsnpoem DIRECTORY
SBI $C8DD69EE Settings – HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $7EC6899E Settings – HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $8980C6CD Settings – HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $0F1C75F7 Settings – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
Please advise of the next appropriate steps to take. I shall follow your further instructions to the letter.
Please note: I carried out all the steps in the last post of yours up until the 'Run Spybot' step - so I don't know whether I need to re-download combofix or SD Fix or anything else again.
Attached also is a Hijackthis log after Spybot was run.
Yours sincerely,
Frank
Latest fresh hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6390 bytes
Gratefulforhelp
2008-06-22, 23:53
Quick amendment:
I just noticed that 'Run Adaware' was before 'Run Spybot' in your last post. I ran Spybot first and was going to run adaware after it.
But after Spybot found the same program again I stopped everything I was doing.
Apologies for any confusion and I will do whatever you tell me to do in your next set of instructions.
Thanks in advance again,
Frank
Hi
Run SDFix as you did before and then run GMER according to instructions below.
Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post GMER log, SDFix report & a fresh hjt log in your reply.
Gratefulforhelp
2008-06-23, 12:16
Dear Blade81,
I thank you again for the prompt reply and fantastic ongoing support.
I followed all of your instructions exactly and here are the three logs you requested.
Thanks again and I look forward to your next set of instructions.
Best wishes,
Frank
SDFix Log:
SDFix: Version 1.196
Run by Maze on 2008-06-23 at 10:44
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
Folder C:\WINDOWS\system32\wsnpoem - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 10:52:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 13 Nov 2007 6,219,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\851ec77bad9deffe5a3e6f29ba9e9716\BIT2.tmp"
Tue 20 Jun 2006 27,136 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0148.tmp"
Fri 17 Mar 2006 19,968 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0788.tmp"
Sun 3 Jun 2007 47,616 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0810.tmp"
Tue 20 Jun 2006 29,184 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0837.tmp"
Sun 3 Jun 2007 43,520 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0961.tmp"
Tue 20 Jun 2006 22,528 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1171.tmp"
Tue 20 Jun 2006 21,504 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1373.tmp"
Sun 3 Jun 2007 46,080 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1750.tmp"
Tue 20 Jun 2006 27,648 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2276.tmp"
Fri 5 May 2006 23,040 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2389.tmp"
Tue 20 Jun 2006 19,456 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2583.tmp"
Tue 20 Jun 2006 33,792 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3144.tmp"
Tue 20 Jun 2006 26,112 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3209.tmp"
Tue 20 Jun 2006 30,208 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3234.tmp"
Finished!
GMER Log run after SDFix:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-23 11:08:10
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEF09CEB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEF099870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xEF0A4700]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEF09D270]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xEF0A3500]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xEF0A3730]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xEF0A7090]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xEF09D350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEF099EF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xEF0A5720]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xEF0A5360]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xEF0A3270]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xEF0A5A60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEF099D40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xEF0A2FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xEF0A2DE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xEF0A61D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xEF0A5D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xEF09CB50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xEF0A6000]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xEF09D060]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEF09A060]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xEF0A4ED7]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xEF0A3960]
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ 70, D2, 09, EF, 00, 35, 0A, ... ]
? srescan.sys Das System kann die angegebene Datei nicht finden. !
? C:\DOKUME~1\Maze\LOKALE~1\Temp\catchme.sys Das System kann die angegebene Datei nicht finden. !
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] 8235FD70
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] 8235F960
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8235FF40
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8235F770
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 82334660
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 82334660
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
AttachedDevice \FileSystem\Fastfat \Fat avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Threads - GMER 1.0.14 ----
Thread 4:116 823658E0
Thread 4:120 823658E0
Thread 4:124 8233E8D0
Thread 4:128 8233E8D0
Thread 4:132 8233E8D0
Thread 4:300 823658E0
Thread 4:324 823658E0
---- EOF - GMER 1.0.14 ----
Latest Fresh HijackThis Log run after SDFix and GMER (in that order):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12, on 2008-06-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6486 bytes
Hi
Looks ok now. :) Better monitor the situation for a few days (with Spybot for example) and see if the problem returns.
Gratefulforhelp
2008-06-23, 13:27
Hello Blade81,
Thanks for your time and assistance.
I just completed another scan with Spybot and it found the same 1 red item Win32.Agent.pz with 4 entries under it: (No other red items were found).
SBI $C8DD69EE Settings – HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $7EC6899E Settings – HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $8980C6CD Settings – HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $0F1C75F7 Settings – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
Does this mean it is still on my computer? What is your advice now? Should I click 'Fix Problems' in Spybot?
Should I run SDFix, GMER, Combofix, Kaspersky Online Scan, Spybot, Asquared, Adaware, Blacklight, AVG, Mcafee Stinger, Superantispyware, Malwarebytes Anti-Malware?
Thanks again for your kind assistance and time, I shall await your next instructions.
Frank
Yes, let Spybot fix those entries if it can. Keep me updated.
Gratefulforhelp
2008-06-24, 11:24
Hi Blade81,
Thanks again for the support and advice.
Spybot successfully fixed the four previous entries. I rebooted and ran Spybot again and there were no red items found (i.e. neither Win32.Agent.pz nor other nasties were found).
I shall run the other scans I mentioned when I get home from work today and let you know immediately of the results.
Thank you and I look forward to posting again soon.
Frank
Ok. Thanks for the heads up, Frank :)
Gratefulforhelp
2008-06-24, 20:35
Hi Blade81,
I have downloaded the following programs, updated them to the latest version and definition files and then run a full system scan with each program and selected 'scan all files' and 'deep scan'.
Here are the results of the scans I have run and a fresh hijackthis log.
- Are the results from number 8. Malwarebytes Anti-Malware a concern?
- My Windows XP is at SP2 - is it ok to update to SP3 after this episode with Win32.Agent.pz?
I thank you in advance Blade81 and look forward to your next set of instructions.
Frank.
The results for number 8. Malwarebytes Anti-Malware found two directories of Win32.Agent.pz but the location was different from usual. (The wsnpoem directory was always in c:\Windows\System32, whereas Malwarebytes Anti-Malware found them in C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem.) Don't know what to make of that.
1. A-squared:
Only 3 minor things found and successfully deleted:
- Detected: Trace.Registry.KaZaA in Key: HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\software\kazaa
- Detected: Riskware.FraudTool.Win32.MalwareProtector.b in C:\Programme\CCleaner\uninst.exe
- Detected Riskware.RiskTool.Win32.Processor.20 in C:\SDFix\apps\Process.exe AND C:\System Volume Information\_restore{992037BD-89F3-4AA5-8986-374239E70998}\RP3\A0000432.exe/Process.exe
2. Spybot: (Run again after the 4 entries successfully fixed from last post)
Congratulations!: No immediate threats were found.
3. Adaware 2008:
Nothing found.
4. Avira Antivir: No viruses or suspicious files found.
Der Suchlauf wurde vollständig durchgeführt.
7071 Verzeichnisse wurden überprüft
356401 Dateien wurden geprüft
0 Viren bzw. unerwünschte Programme wurden gefunden
0 Dateien wurden als verdächtig eingestuft
0 Dateien wurden gelöscht
0 Viren bzw. unerwünschte Programme wurden repariert
0 Dateien wurden in die Quarantäne verschoben
0 Dateien wurden umbenannt
5. Rootalyzer (http://forums.spybot.info/showthread.php?t=27368)
Nothing found.
6. Blacklight (http://www.f-secure.com/blacklight/)
Nothing found.
7. SUPERantispyware: Only 5 tracking cookies found and successfully deleted.
Scan type : Complete Scan
Total Scan Time : 00:36:28
Memory items scanned : 452
Memory threats detected : 0
Registry items scanned : 4707
Registry threats detected : 0
File items scanned : 68703
File threats detected : 0
Adware.Tracking Cookie
.mediaplex.com [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
as1.falkag.de [ D:\Backup\Dokumente und Einstellungen\Maze\Anwendungsdaten\Mozilla\Firefox\Profiles\igcyleka.default\cookies.txt ]
8. Malwarebytes Anti-Malware:
Malwarebytes' Anti-Malware 1.18
Database version: 883
21:45:56 2008-06-23
mbam-log-6-23-2008 (21-45-56).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 103277
Time elapsed: 21 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
9. Kaspersky Online Scan:
Scan Statistics:
Total number of scanned objects: 70262
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:26:15
10. AVG Anti-Spyware:
AVG Anti-Spyware - Scan Report
+ Scan result:
Nothing found.
:: Report end
11. McAfee Stinger:
Nothing Found
11. HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48, on 2008-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6087 bytes
- Are the results from number 8. Malwarebytes Anti-Malware a concern?
No.
- My Windows XP is at SP2 - is it ok to update to SP3 after this episode with Win32.Agent.pz?
Since your system appears to be clean I see no obstacles for that :)
Gratefulforhelp
2008-06-24, 22:34
Hi Blade81,
Thank you for the ongoing support and guidance.
I have now completed all of the steps in your post from 22/06/08 21:10pm as well as every single instruction in this whole thread which you advised me to do.
- Is my computer now safe to use for everything except for banking and financial transactions? (Per your information from 22/06/08 19:39pm)
- I have never conducted banking or financial transactions on my computer. Nor have I used it for anything with sensitive information.
- Do I need to change the passwords for my email account (I used Thunderbird) or for my ADSL cable internet provider (in the Router downstairs) or any other passwords for things I use which are not banking, financial transactions related or anything with sensitive information?
- Is there any danger of the passwords from my previous question above having already been stolen and which could be used? Or is there any danger that they could be stolen again (assuming no new infection occurs)?
Thank you again for your time and effort Blade, I really appreciate all your guidance and assistance.
Frank
PS: My computer setup is running:
Windows XP SP3
Firefox 3.0
Zonealarm 7.0.362.000 (I think this is the latest German version on offer)
Avira AntiVir 8
Spybot 1.5.2.20
- Do I need to change the passwords for my email account (I used Thunderbird) or for my ADSL cable internet provider (in the Router downstairs) or any other passwords for things I use which are not banking, financial transactions related or anything with sensitive information?
Better safe than sorry :) I'd change the passwords.
- Is there any danger of the passwords from my previous question above having already been stolen and which could be used? Or is there any danger that they could be stolen again (assuming no new infection occurs)?
If no new infections occur, then the chances of passwords being stolen again are smaller. As I said above, I'd probably change the passwords that I've used while the system has been infected.
Gratefulforhelp
2008-06-26, 10:48
Dear Blade81,
This morning I turned on my computer and I received a warning message from my virus program Avira Antivir which stated the following:
In the file C:\WINDOWS\TEMP\2.tmp a virus or unwanted program 'TR/Dropper.Gen' Trojan was found.
I deleted the file as it appeared to be located in the temp directory which to the best of my knowledge only contains unimportant files (eg. web cache from IE).
Could you please kindly advise the best course of action?
Do I scan my computer with the 11 programs from my last post?
Is this a reinfection from the same trojan 'Win32.Agent.pz'?
Thank you again for your kind assistance and the expert advice.
Frank
Hi
I think it's enough to check with Malwarebytes Anti-Malware & Spybot for now.
Gratefulforhelp
2008-06-26, 11:06
Hi Blade81,
Thanks for the prompt reply!
I shall scan my computer with Spybot and Malwarebytes Anti-Malware when I return home from work.
I shall do this in safemode, then reboot and also post a fresh hijackthis log for your perusal.
Many thanks and I shall post back immediately today after the scans are complete.
Frank
Gratefulforhelp
2008-06-26, 21:09
Hi Blade81,
Here is the scan result from Spybot (Malware Bytes and a fresh Hijackthis log below).
Is this the same infection? I'm not sure how it managed to come back again after the relatively clean scan results from the 11 anti-spyware programs I ran after following all of your instructions.
I don't think either Spybot or Malwarebytes could remove them all. I clicked 'fix' and 'remove all' in Spybot and malwarebytes, however I don't think it got them all.
I look forward to your next set of instructions. Thanks again so much for your help and guidance.
Frank
--- Report generated: 2008-06-26 17:27 ---
Win32.Agent.pz: [SBI $B40811A5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=...C:\WINDOWS\system32\ntos.exe,...
Win32.Agent.pz: [SBI $689A946A] Library (File, nothing done)
C:\WINDOWS\system32\wsnpoem\audio.dll
Win32.Agent.pz: [SBI $B74832EE] Program directory (Directory, nothing done)
C:\WINDOWS\system32\wsnpoem\
Win32.Agent.pz: [SBI $D372DFBA] Library (File, nothing done)
C:\WINDOWS\system32\wsnpoem\video.dll
Win32.Agent.pz: [SBI $C8DD69EE] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $0F1C75F7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID
MS Office 9.0: Recently used files (142 files) (Directory, nothing done)
C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Office\Zuletzt verwendet\
Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt
Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt
Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log
Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log
Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log
Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\ahead\Nero - Burning Rom\General\OFDLastISODir
Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Internet Explorer\TypedURLs
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir
MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
MS Office 9.0: [SBI $4F7FBCC4] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents
MS Office 9.0: [SBI $BCA8814E] Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Internet\UseRWHlinkNavigation
MS Office 9.0: [SBI $DE9A4E33] Access recent file (5 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Office\9.0\Access\Settings
MS Office 9.0: [SBI $DE9A4E33] Access recent file (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Access\Settings
MS Office 9.0 (Word): [SBI $D7B04EDB] Open file history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Öffnen\File Name MRU\Value
MS Office 9.0 (Word): [SBI $5773E477] Save file history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Speichern unter\File Name MRU\Value
MS Office 9.0 (Word): [SBI $EC31BB71] Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Word\Data\Settings
MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Office\9.0\Excel\Recent Files
MS Office 9.0 (Excel): [SBI $E49B52E1] Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\Excel\Recent Files
MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (8 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Office\9.0\PowerPoint\Recent File List
MS Office 9.0 (PowerPoint): [SBI $43C6507A] Recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\9.0\PowerPoint\Recent File List
MS Office 11.0 (Picture Manager): [SBI $2379928F] Last selected folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Office\11.0\OIS\Options\LastTreeSelection
MS Frontpage: [SBI $852712DF] Recent web list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List
MS Frontpage: [SBI $7E259C81] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
RealOne Player 2 (aka RealPlayer 6.0): [SBI $F369C542] Last login time (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime\
Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Windows.OpenWith: [SBI $5738CAE7] Open with list - .000 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.000\OpenWithList
Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: [SBI $F34FE1D0] Open with list - .CUE extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CUE\OpenWithList
Windows.OpenWith: [SBI $EE2B6116] Open with list - .CXT extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CXT\OpenWithList
Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (34 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (172 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $AA0766B5] Stream history (22 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $AA0766B5] Stream history (72 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (11 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (13 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (17 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (202 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (466 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\PE_C_SUSANNE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: [SBI $85C2C910] Last Copy/MoveTo folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
WinRAR: [SBI $0B56E92B] Recent file list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\WinRAR\ArcHistory
WinRAR: [SBI $B84F9965] Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1499398264-681764103-101265881-1006\Software\WinRAR\General\LastFolder
History: [SBI $49804B54] History (2) (History, nothing done)
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 DS.exe (1.0.0.5)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-18 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-17 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-24 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-25 Includes\Keyloggers.sbi (*)
2008-06-24 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-24 Includes\Malware.sbi (*)
2008-06-24 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-06-24 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-18 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2008-06-24 Includes\Trojans.sbi (*)
2008-06-25 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Here is the result from Malwarebytes:
Malwarebytes' Anti-Malware 1.18
Database version: 893
19:58:13 2008-06-26
mbam-log-6-26-2008 (19-58-13).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 111917
Time elapsed: 1 hour(s), 25 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
Here is a fresh hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03, on 2008-06-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6487 bytes
Hi
First of all, we need to make sure you keep this system disconnected from the network now until things are (hopefully) solved for sure. You'll need to use a clean system for downloading the necessary tools (use USB flash memory or other removable media to transfer files). Before disconnecting, you can download (if you don't have them already available) the tools we will at least need:
-HijackThis
-SDFix
-ComboFix
The first task is to run SDFix as you did before, and after that's ready, run ComboFix. Post those two logs with a fresh hjt log.
Gratefulforhelp
2008-06-26, 22:50
Hi Blade81,
Firstly I'd like to sincerely thank you for all your time and effort over the last week.
The assistance and guidance you have provided has been timely, expert and extremely useful.
I have re-considered your post concerning the recommended advice from security experts like yourself of reformatting and re-installing the software.
Given the reappearance of the Trojan, combined with your advice that 'once the system has been compromised you can never 100% trust it again' I have decided to reformat the computer and start from the beginning again by reinstalling everything.
I hope you are not annoyed at my decision; your wise words in the post I mentioned before have finally convinced me that a reinstall and reformat is the best solution.
I can't thank you enough for your time and effort. It's people like yourself who make a real difference in the world and I hope you are appropriately rewarded in life with success and achievement with your goals and dreams.
I won't take up any more of your valuable time as I am conscious of the fact that security experts like yourself are too few and the newbies like me are too many.
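I wish you all the best for the future Blade81. Kiitos paljon, olet todella ystävällinen! [Thank you very much, you are really kind!]
Minun suomenkielen taitoni on huono, täytyy harjoitella enemmän suomenkieltä! [My Finnish is poor; I need to practise Finnish more!]
Best wishes and onnea [good luck]!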
Frank
Hi Frank
No, I'm not annoyed at your decision. I think it was a wise choice :bigthumb:
Nice to see some written Finnish here too. :laugh:
Since this issue appears to be resolved ... this Topic has been closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.