Win32.Agent.p3

Gratefulforhelp

Dear Spybot Forum,

My computer is infected with Win32.Agent.p3.

- I have completed the steps in http://forums.spybot.info/showthread.php?t=288
- Updated Spybot to the latest definitions
- Spybot (Windows in safe mode) could fix 8 of the 9 entries it found under Win32.Agent.p3
- The one it couldn't fix was SBI $B74832EE C:\windows\system32\wsnpoem
- Ran spybot again from safe mode again and same result
- Ran spybot a third time as previously described and same result
- No other 'red' items were found in the three scans - just the same recurring Win32.Agent.pz
- Here is my hijackthis log as required in the steps from http://forums.spybot.info/showthread.php?t=288
- I am running Windows XP SP2, Antivir, Zonealarm and Spybot.

I would really appreciate any help and guidance you could provide.

I thank you sincerely in advance.

Frank

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:48, on 20.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\a-squared Free\a2service.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hiller-hinken.de/startseite/index.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5038] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2428] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6553 bytes
 
Hi Gratefulforhelp :)

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
 
Hello Blade81,

Firstly my sincere thanks for your assistance and guidance. It is very much appreciated.

- I followed all your instructions in the last post
- ComboFix downloaded, ran without any problem and the results are below for you
- Ran a fresh HijackThis log after combofix finished as you requested and that is below as well

Unfortunately Combofix ran some parts in German (it seems it automatically recognised the language, as no option appeared at all to select a language or English), so if you need any help with translations from the combofix report please ask and I will translate everything you need.

I thank you again for all your kind assistance and eagerly await your next advice.

Thanks again,

Gratefulforhelp

Combofixlog:

ComboFix 08-06-20.4 - Maze 2008-06-22 11:04:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.166 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maze\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\audio.dll.cla
C:\WINDOWS\system32\wsnpoem\video.dll . . . . Nicht in der Lage zu löschen

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-22 bis 2008-06-22 ))))))))))))))))))))))))))))))
.

2008-06-22 11:28 . 2008-06-22 11:30 <DIR> d--hs---- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
2008-06-20 20:46 . 2005-11-25 11:48 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-20 20:46 . 2008-06-22 11:25 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-20 20:46 . 2008-06-20 20:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 18:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 18:37 . 2008-06-18 18:37 <DIR> d-------- C:\Programme\Lavasoft
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\SUPERAntiSpyware.com
2008-06-18 18:31 . 2008-06-18 18:32 <DIR> d-------- C:\Programme\a-squared Free
2008-06-18 18:25 . 2008-06-18 18:25 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-18 18:24 . 2008-06-18 18:24 <DIR> d-------- C:\Programme\CCleaner
2008-06-11 18:07 . 2008-06-12 12:47 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 16:35 . 2008-06-14 19:57 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:35 . 2008-06-14 19:57 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 17:29 . 2008-06-02 17:29 28,672 --------- C:\WINDOWS\system32\cryptonet.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 09:31 18,101,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 09:30 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\OpenOffice.org2
2008-06-22 09:29 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Skype
2008-06-22 09:27 2,804,569 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-22 09:26 246,560 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-22 08:57 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-06-22 08:56 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\skypePM
2008-06-18 16:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-18 16:37 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-18 16:30 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-26 17:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-05-24 15:29 17,058,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_24_15_03_32_full.dmp.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 07:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-02 13:43 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2003-01-13 09:59 278,528 ------w C:\Programme\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Programme\internet explorer\plugins\UPjpeg.dll
2007-12-25 16:18 146,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="c:\HH\update.cmd" [ ]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 13:25 262401]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"CanonMyPrinter"="C:\Programme\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-01-02 14:29 185896]
"Ulead AutoDetector v2"="C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dasd"="regedit" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet]
cryptonet.dll 2008-06-02 17:29 28672 C:\WINDOWS\system32\cryptonet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 13:25]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 13:25]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 18:20]
S3 dtwmnic5;DeTeWe OpenCom 40 dsl;C:\WINDOWS\system32\DRIVERS\dtwmnic5.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 11:30:12
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...


C:\WINDOWS\system32\ntos.exe 477184 bytes executable
C:\WINDOWS\system32\wsnpoem

Scan erfolgreich abgeschlossen
versteckte Dateien: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cryptonet.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-22 11:34:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 09:33:40

9 Verzeichnis(se), 13,957,230,592 Bytes frei
11 Verzeichnis(se), 14,309,658,624 Bytes frei

157 --- E O F --- 2008-06-20 18:44:35


HijackThis Log: (Run after ComboFix had finished without any error messages)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:02, on 22.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [update] c:\HH\update.cmd
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [dasd] regedit /s c:\programme\hhcomputer\back\hh-einrichtung.reg (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Programme\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Sun Clock.lnk = C:\Programme\Map Maker\Sun Clock\Version 6\SunClock6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6861 bytes
 
Hi


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\ntos.exe

Folder::
C:\WINDOWS\system32\wsnpoem

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dasd"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet]


Save this as
CFScript


CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:
    Scan using the following Anti-Virus database:
      • Extended (If available, otherwise Standard)
    Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Under select a target to scan, select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above mentioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
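
Added example (not part of the original post, and not ComboFix or HijackThis code): the CFScript above resets the Winlogon `Userinit` value to `userinit.exe` alone and deletes the `cryptonet` Notify key. The sketch below runs the same two checks over HijackThis log text. The function names and the `reviewed` allow-list are assumptions made for this illustration; the sample lines are copied in shape from the logs in this thread.

```python
import re
from ntpath import normcase, normpath

# Constructed sample: a few lines in the format of the HijackThis logs above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cryptonet - C:\WINDOWS\SYSTEM32\cryptonet.dll
"""

# The value the CFScript restores (single entry, no extra programs).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$", re.I)


def _norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return normcase(normpath(path.strip().strip('"')))


def extra_userinit_entries(log_text, expected=EXPECTED_USERINIT):
    """Return every Userinit entry that is not the expected userinit.exe.

    Userinit is a comma-separated list; Winlogon starts each program in it
    at logon, so anything beyond userinit.exe is a logon autostart.
    """
    extras = []
    for line in log_text.splitlines():
        match = F2_USERINIT.match(line.strip())
        if not match:
            continue
        for entry in match.group("value").split(","):
            # A trailing comma yields an empty entry; skip it.
            if entry.strip() and _norm(entry) != _norm(expected):
                extras.append(entry.strip())
    return extras


def unreviewed_notify_dlls(log_text, reviewed=()):
    """Return (name, dll) for O20 Winlogon Notify entries not in `reviewed`.

    Notify DLLs are loaded into winlogon.exe, so each one should be
    attributable to software the analyst has confirmed is installed.
    """
    reviewed_set = {_norm(p) for p in reviewed}
    hits = []
    for line in log_text.splitlines():
        match = O20_NOTIFY.match(line.strip())
        if match and _norm(match.group("dll")) not in reviewed_set:
            hits.append((match.group("name"), match.group("dll")))
    return hits


if __name__ == "__main__":
    # Assumption for the demo: the analyst has attributed SASWINLO.dll to the
    # SUPERAntiSpyware install seen elsewhere in the log.
    reviewed = [r"C:\Programme\SUPERAntiSpyware\SASWINLO.dll"]
    for entry in extra_userinit_entries(SAMPLE_LOG):
        print("Userinit runs an extra program:", entry)
    for name, dll in unreviewed_notify_dlls(SAMPLE_LOG, reviewed):
        print("Unreviewed Winlogon Notify DLL:", name, dll)
```

Running the same checks on the log taken after a cleanup pass shows whether the `Userinit` change actually persisted across the reboot.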
 
Hello Blade81,

Thanks again for your kind help. I followed all of your instructions and here are the results.

Thanks in advance and I look forward to your further expert advice. It is very much appreciated.

Frank

PS: Please note the Combofix is attached below and the Kaspersky report and latest hijack this in the next post as they wouldn't fit in this post.

Latest Combofix Log:

ComboFix 08-06-20.4 - Maze 2008-06-22 13:32:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.173 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maze\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Maze\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\ntos.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll . . . . Nicht in der Lage zu löschen

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-22 bis 2008-06-22 ))))))))))))))))))))))))))))))
.

2008-06-22 13:24 . 2008-06-22 13:24 34,728 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-20 20:46 . 2005-11-25 11:48 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-20 20:46 . 2008-06-22 13:38 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-20 20:46 . 2008-06-20 20:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 18:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 18:37 . 2008-06-18 18:37 <DIR> d-------- C:\Programme\Lavasoft
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\SUPERAntiSpyware.com
2008-06-18 18:31 . 2008-06-18 18:32 <DIR> d-------- C:\Programme\a-squared Free
2008-06-18 18:25 . 2008-06-18 18:25 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-18 18:24 . 2008-06-18 18:24 <DIR> d-------- C:\Programme\CCleaner
2008-06-11 16:35 . 2008-06-14 19:57 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:35 . 2008-06-14 19:57 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 17:29 . 2008-06-02 17:29 28,672 --------- C:\WINDOWS\system32\cryptonet.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 11:42 18,149,408 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 11:39 247,208 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-22 09:30 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\OpenOffice.org2
2008-06-22 09:29 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Skype
2008-06-22 09:27 2,804,569 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-22 08:57 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-06-22 08:56 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\skypePM
2008-06-18 16:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-18 16:37 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-18 16:30 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-26 17:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-05-24 15:29 17,058,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_24_15_03_32_full.dmp.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 07:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-02 13:43 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2003-01-13 09:59 278,528 ------w C:\Programme\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Programme\internet explorer\plugins\UPjpeg.dll
2007-12-25 16:18 146,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-22_11.32.25.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 09:27:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 11:40:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-22 09:28:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-22 11:40:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-22 11:40:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-06-22 11:40:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-06-22 11:41:15 16,384 ----a-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-06-22 11:41:16 32,768 ----a-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-22 11:41:15 16,384 ----a-w C:\WINDOWS\Temp\Verlauf\History.IE5\index.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="c:\HH\update.cmd" [ ]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 13:25 262401]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"CanonMyPrinter"="C:\Programme\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-01-02 14:29 185896]
"Ulead AutoDetector v2"="C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 13:25]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 13:25]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 18:20]
S3 dtwmnic5;DeTeWe OpenCom 40 dsl;C:\WINDOWS\system32\DRIVERS\dtwmnic5.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 13:42:25
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...


C:\WINDOWS\system32\ntos.exe 477184 bytes executable
C:\WINDOWS\system32\wsnpoem

Scan erfolgreich abgeschlossen
versteckte Dateien: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-22 13:45:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-22 11:45:45
ComboFix2.txt 2008-06-22 09:34:03

9 Verzeichnis(se), 14,325,972,992 Bytes frei
11 Verzeichnis(se), 14,299,652,096 Bytes frei

172 --- E O F --- 2008-06-20 18:44:35
 
Here is the Kaspersky Report (it needs to be split further into another post).

Frank


Kaspersky Report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 22, 2008 4:37:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/06/2008
Kaspersky Anti-Virus database records: 880097
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 68802
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:35:09

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\3e776279be7768e7d693cadd28646e8a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\3ef45895bdcc2fd7ffb90d989200ab4c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\406e7a3fb936c56c8368b2efdbb95828_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4198992281102efa083fa76f010df553_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\421d2307697a7144f29e06344987d4fa_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4259924d0923cd1258733c3d7cb92c64_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4436cd803e425bc90a590bbb47ccb951_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\44890c0655905dfd08458e7d3063b023_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4602d3a8f11500bffde672ce07e3629e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\477913fa72f9b2fff63a41fa2782aba5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\47db4202fcd7d568270b20fbd710112c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\47fce856f2f43a2d7f303ec077daef12_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4843cbc44531c892087cebcdb59ec5b1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\48695bced41af1429057912aa959e42b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\48b23ae740a56b7800452c0ed8f813a8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\494dec5316dbd8bae5a7e3bb3b767906_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\49883c0245ab9aeb67f1329ee483e654_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\49affeff68824cab2a5f0a1b78b38f02_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4a20c62044392f1a85e3291426d3233c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4cd4b1af36e5bb690ddf4b97d85277f6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d53af6c17a42d8fde30084165f8837c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d5edd8a835485455bb16c93ecc6c23e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d7165da785463a92eedc8214b99071b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4d75093a43e6111d8416ae97c519fe72_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4e015d4fd9bbb455433d1c981707c8c4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4f1b386d0220beef6cdd8baa8bea9cdb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4f3cc723627a62a3b52b9b5d51e93363_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\4fffca46af04711b6d1a231f98713e7c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\50490519bfe751586cc609e1444213d2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5099904e1e4c4a472ffd9bbfc8f3c5af_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\50ae69164d857cb0de84f2d57e32e6dc_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\523d29984c46d4de83c0185f849d0baa_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\524f54bf5f53e081d605bac4cfd4fa0e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5280fe6655bb50434d2d511d01e679e7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\52c19671067c8a957fdafb2b242c0a15_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\52ec0c42c1e886dc7fe7b2c0e6f528eb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\538d549bd915f031c0fab1c9e43f67d4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5405117b4164a36c3d01a92934cb583f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\54f3e963897dc3abee9f35d6c3d5c90c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5601b864fe5831b92024bbe9d0c650e9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5609d59b86755079cad1d39398f27209_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\562b05d50b8e493e3b21e93faa247d42_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\577e87cfd693ac221ce77adee368640b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5928da36014054ecef9b4f7bbf06c205_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5941ff2c290759bbdcc6c8fc3fcfa761_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5975ad5c341c7fbf2aa9b6bbc8d29d71_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5995e2cbde51c339fec95659ffa1b994_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5a70abe6b44c8c906370f9e9833227c8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5a942888dffc27a5efc831c65630fa50_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5bb9c2adc098a2b480e7380749be5116_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5c933ee202ee94f655b2af673600064c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5cffe5b10dffeb1a97714489f1139e49_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5d0440b6216a7e4d22b74d484cd2c4db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5d71f4c8f80aa807030d2a04952fdbf9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5d89ccf88c009fae99f31d0518279ae9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5dc20a674160516d83be6a84c51c6eb1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5e3f53336329983dd9f29645f3646317_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5ec8fe18fe7f8455ccf70c2ace1f0819_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\5f3d9e8f16c8559ca796647fac581046_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\609461aef509663f918e2b3cac4d0960_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\60b07f9c716519dec9597678122a6679_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\60e6e86065292a6eabc64a022f15f2ac_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\610d1d54565a70ec3c5a9452d9f204cd_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\61a2bae001fb9d998369eb97e0f4d56f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\62564257614e74307b79a346770408d9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6315869e5248b943be345a5188449f7c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6321bdc9597c0530a516c217694e90b8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\63656ad97363357694e57469287c5402_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\63bbac42c2f34f1296cdd34fb4342331_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\63e6f19bbbd34dca08b192a92a1f731f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6492700dbd7229aa8e5f34beae0555be_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\64a6e6f0d2eb1044df1323650ee56e4c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6555955832a474c2f14706328b7d7554_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\659d701cd52ecd083e0d9312f5b303e1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\65f1e53cbcdacce145c109e53f8b3f35_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\66008adf98d249bda0a74820d7d900e5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6684ae3a4d592e9ab10ffa6f65890c67_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\669a936d907204532abeb9bff89fc1e0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\66c86c4cae8af4011e97f161efacb930_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\673c521c1c35942f31c2f50696a8ac04_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\68027070b23cbdaa958a29bd41a52323_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\68962c5b11cac0985b5bbf34fe1d76d6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\68cd4706cc5ca3c912b94b62fe260358_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\690b05dd26a5c31bdb84e65f6602bceb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\698d5df4137039cf2b679e92f629307e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\69cf49f2fc2da9158ef24516fd89274f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6a14fa892e3a9b4c6074420e6a84ab0e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6ad3b1b5eea98fef6a14e9d7f294e91d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6af4e99e5b45b042683b66ee5ba7716c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6b6dea1ff664f73420ba0ff940c4246b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6c64d3b02b6dc204ec5f401da388af56_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6c8a42a1d98490d378a5f671ffa0b061_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6c92beade98656c040edec1b84d512ed_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6cdc42f1792c5f8ce3d1cd51c6688a1e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6cde93ef8796ba4d84e9f2e94d126d70_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6d7ae32fa63d623339909745270c7735_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6dea5009193eaefb350b0a45390093db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6e9e0b3eb51b6acdacc0820ee42d0aac_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6eb5d1d1859f99370bb589fe573cffdf_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6ee53a91f7d97422ffbec21122da2901_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6f1f08018895fc35522652206dbf9a58_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6f7e171c4e1a45959ca2fb99959b4087_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\6f84dc2ae7b39d05d9930084aa5fc3ae_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7042174f1bb22c968176de9cc49d6042_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\70cde9f3918aea21781fca5955f47c29_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\71479766690e7b6d1f5280aad704cdb6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7199fe1c763bbb7f5892541ad1e69386_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\719c8eb53d180eb664effc3de73ee23d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\71d883278bc4130d75b50e6bf1ba5e65_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\726f891e9969312de3eeb279f1d3a258_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\72c0424c00b069628d2dd56c83a07187_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7485f683a799cf8456496598334326c8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\75b1ab5145a3c17f3ee22176b1e152cc_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\75f8b675f23f5de802c6606fe47f3d2c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\764b64fec6c3755f465db699991e0d6f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\76802dec656796e57ed3737104d6fe29_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\76931f4b8a4ac2f90679c142ac6870a2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\76c508885a7b8b1fd01855b0119563e4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\771dfed5c40beadeb4893fff8c2d7da5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\772d7fd68cea1fe8ab9f66868455e756_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\774d97be3b748761092c33173c7547ec_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\775407f2c76a7b94b773a673a7d31e7e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7794f406925ba331d8f82209ba80c90f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\77be160ac743ebfcee534a41e22099b7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\78e0547fc9fa428ee35971f834880568_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\795d5b94dad7b7d5810963d3687ce6e8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\799c2c3ddf93a25fde85aa1021209834_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7a089105a5efeb53b0d94824c3da9f3e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7a92a1f3204cf3a6489949dba2f5203a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\7b95164578f04ee81aec228b94eb5488_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
 
Kaspersky report continued. Apologies for the subsequent posts.

A fresh HijackThis report, run after ComboFix and Kaspersky, is in the final post.

Frank

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8cc9697d2126d206b5d9c159ed431d38_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8d2c6bc816ab97ccac218df7f52f61a8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8d609d3a4d7d3bc76f88d37266d97fb8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8d7882e9b36e6475bf766a0b3204727c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8dbd5dd9f4506c01c0ac3e5b800cb828_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8dd3d7ef65a57d173321a60628507d27_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8e31865d7d592c099581167acf55ec70_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\8f4312c9674a62339a4eec1df883793b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9096e7ec87f4c169ddab306fa517c595_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\90d047cd12e433759e9a68a82cec976b_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\91f4a215a7943a11ff82fae31ebec204_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\928cf26d1bf8b1f6d96336027dc2a4ff_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\92e4b04d28b44d935a3422862735c523_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\932003bf6dfe76ecc2015101705fa541_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9375c33d4f8b4c381c7a51aeb24ade6f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9421009e4557fc068f25763830406e35_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\94ea1db391199493f8cf37bff064b596_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\955f20957b5de290724ffd6891490ddf_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\95aa71bce2ccecefa5bda50b5746d72d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\95e99b72f841182b3d53f93a0b220112_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9692cd8ec7b0de0fabe1572f9135fbbe_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\96acc16a4acf176d2073d4686670c5f7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\97d79164539e30cc4c34d4e4ce842f9c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\97ec749a14e2886e9a02120c6e8ecc97_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\982f4384567a01b0db281ede4e2153db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9865df3151efa869d7a8493667db4d27_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\988b61916b268cb0ed449828e8aec90d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\98b4dd7e5fff208f8472296839deab73_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\98bd5240b4dd3175ec0db9160d891048_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\999da3b9af2b80bd94af8f77120510de_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\99af17660f9f17d85051bb3add293480_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\99b6b86beff3d0aebacc7266d936c048_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\99d88ba33ea545085b51478b4677f9fd_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9a108a5d4fbd164bc53b74ba3e5a350e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9a2009a1d9ba1558ef6a22620ceb6874_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9a7880ea04072707302d87c8a4099626_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9bb56e331e5068c691b59425acece1aa_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9befbd1ebf1d70ba6ee487c044be20f9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9bf21b2af032625d28bbe3d4325bff96_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9dd10f688fb9c8b2cc8d393ef6e5d888_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9e60a9b84d55f088d4ff7a71020b3ac4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9e738f0d0c76911ab1c2fb37c191aeb9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9f257bf7d26b3be0bb4c472eba99f6dc_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9f8b79aa05fdd9e3cbe46b4c851670df_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\9fd8f81d04aac148bae3a7f66a644619_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a01e481b5cef17621e2e1268db27917f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a04692615aa3dfddbddb452b6609fa75_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a1cc1feb97e4c00d59f51713e62aec68_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a2a7cf6f236225590d9017c36409a959_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a370c33f7a87636032174f98ad8d92f6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a47d1b3d13078da174d9ee17eda52d6d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a4bf205964c5b3829624d94733a56391_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a559bc507dbf90f7653e27bf11ac0821_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a603782625305947529640bb1c56820d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a7998f90d439f2480f698112c7e1a3db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a7f66c304746c4ee1117e67a52e89985_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a85083abdac08d85ebf316b5a7e74b4d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a8880ddcdb1d6d99d507d0c3ccae0a20_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\a981bd576ef89450a525ff4d12584136_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\aa3d6fea6a6efde82dd593c796a58eab_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\aaf3f38fe941927ac9676be199a06081_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ab5f85d845ee50c487574f44f9039f63_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ab6b6eadec1f4fdf4b54facc9f005310_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ab8760934b071d864b266c0c79c078eb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ac10b72ab6ff02d642d7e95f8481ce19_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\adab9ab00e1e3c8f15a781bd3495e846_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ae50ab19d0b3f7b325760c0e1ede88c5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ae5ed71f5cadb8374ff280aa119ffaf1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\aea5265ef8ab01a6e5675a40aa14ada9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\af00793bf58f8732aa1e90180a8dabb3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\af3f373ceb3fb46fb52a7f8c52c28a25_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b0613b2f667068826e5786c3fea4c3e3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b313aa9a0a831f7f2756267e49b06fe6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b3ae3ba4873a912d08b8babed55259fe_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b3c9e48d358a6271fd1438257449b435_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b3fd57f2b383963bd1d74883aa9d0c41_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b4b1ce142a5207b9528ea374ee949335_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b6197bd6ac3ecb7cdb833b4dff85edee_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b66fd27caa152854e864200a79332e4a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b70a0f40c5972529b5c52ab017deb01c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b7340ddb3be3f23538b67f7b4c892db0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b76643bd8c950eb07522d6b92f64be41_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b8aea0f99947d4bf5ccb83b2c99751a3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b90c782a23c33f8002328ce63cf7129e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b9774706336e0222a8eaecce205892db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\b9f080ec6486d9420a3edc650d1474fb_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ba206c1aa1015a9fa2cd22c2d19b41db_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bb1938b751693c3dcdd622a8ec1e69f2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bbe478b6a7151340a777046dacb0f855_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bbf0bbeb71ef4d1ba9168aca3752fb23_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bc6d442af83a1cf6a52ce377c69d2a99_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bd66e55d34a8162468a59691e1e9fb7c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bd898a5182ed3a695870cee62491cdf6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bdd350f17d858737a9c40ca4dcbd342a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bded69baf242984888a06b0d20455e30_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bdefcc1148d349fc04306dd701b05787_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bf747c51461f49c5e9a6997bb2606d17_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\bf81d07ed67cea7a1e98bea79e0807c2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c08995e2db2b4a250c3be27777d73899_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c1e1f2e007e8e3af4bda44004b56f9f8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c1e4aac00f089b4f8b7f09fb4dc5532f_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c279f55556533806d99892d178c6db84_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c27cf839e5429e5ad4ed0d8299fbf3c4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c2d4a6c577628328d2de4c8a44aabb97_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c3363e7b0d0e90d87510bbcbc89deb39_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c3592015aeaa2b5997f6d1586b52d133_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c377cf1e2d66126176609d932297c617_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c638c4b347f005a88f7489f579fcbdd2_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c69dba8401419893986aeb8bf799c1b9_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c6cfe978296a7f3f9f912b48e708f040_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c7794bde8eb2a52bf6d741263adcb9b0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c79e2a90210c61b1e8c8efd5200558ea_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c7a0858c4adbeff1e07158a5ea4f70a3_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c859532ef98b18947c8c922b72798b8e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c87d4c8b331ed1756fd6b37f0e7c620e_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c8914a073d7cc222603fb30f5acbf902_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c8c035adb79288e29719aada0402de22_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\c97db7dd0564db4a5e08e6f24acc186a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ca5c41bc60c3c1cb26c94ff2c91fe426_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ca7614b55fe75840119a56f830e59c4a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cb5f55a2d4aadea2709be76678757229_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cbfa80435a748e4e46a1a5810c9a8009_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cc2123b0514d59f29f62c140f11526b4_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ce9da1690b5e3e8949f11fc986cc5572_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\ceb9a28a988626c40d6b69069e6ba800_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cecc9171f64dddad62ba74d113966442_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cef399d466d996dfe3b5025d251ad93d_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cf258c21bbf0bf708e5290399c8ba764_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\cf6aa18c504933bbbc720666b87b61a7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d10645a73db430351c77a3495c7ca334_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d11cebed4d511ea93524912147afc762_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d140fb92f5b80a331de816c0a2ae59d7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d15529d895aa6d9c8bccf6ddf9de25a1_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d1cd2f9c13674428e0b29278571cccf8_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d24ecc042d73243b60a77b32a1dcf24c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d33c016b282c2e33fd6a5f07c592fdb6_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d39c4f11fe2b11b260789a2f30b33614_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d3f88019a881da4892cc622e7271d2e0_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d41feb460a323e28e716f7aa41cd2ff5_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d434b73e0ac742e6b30fc86b0e71d254_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d4be1ca91abbd513c71959ac12754272_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d52b412f56b52ce746710a881c2eb069_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d5c8429e09e1274abd7e1fbb40ce51f7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d60096e810a197dfd96bcb905324be6a_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d62203c084df62a12627abb727df3512_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d6b0ebef78cbf523d5bad012a7110ff7_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d6b572ed0ba8dd7917563b12f3afb443_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d6ea835f7824742bf20ccf22bd839b84_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d727e4819cb86dbd123a09f1589920ab_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d754a4c425038fdb916e13820f430351_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys\d860f0681e0aceeb1a336a4934c4667c_69a54d7b-efef-4a7d-b726-31a8b050faea Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temp\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temp\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\Maze\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\Maze\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\P25115N1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B45F3266-986E-4498-A62F-FBF8B3662532}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\cryptonet.dll Infected: Trojan-Spy.Win32.Agent.crl skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\ntos.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped
C:\WINDOWS\system32\wsnpoem\video.dll Object is locked skipped
C:\WINDOWS\Temp\ZLT05cd9.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05cdc.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 
And finally the Hijackthis log.

Thanks again, it is very much appreciated.

Frank.

Latest Hijackthis Log run after ComboFix and Kaspersky:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:17, on 22.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [update] c:\HH\update.cmd
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6725 bytes
 
Hi

Let's do the following in safe mode. I recommend saving these instructions since you can't access them from safe mode.




Start hjt, do a system scan, check (if found):
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\cryptonet.dll
C:\WINDOWS\system32\ntos.exe

Folder::
C:\WINDOWS\system32\wsnpoem


Save this as
CFScript


CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log (hjt log taken in normal mode).
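
The F2 entry singled out above is the Winlogon Userinit value with a second program, ntos.exe, appended after userinit.exe. As an added example (not part of the thread, and not HijackThis or ComboFix code), this Python script scans HijackThis log text for F2 UserInit lines and reports every entry other than the default userinit.exe; the function names, the reason strings and the sample log are constructed for illustration.

```python
import ntpath
import re

# Constructed sample in HijackThis v2 format; the F2 line is the one quoted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
"""

# HijackThis prints the Winlogon Userinit value on a line of this shape.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)

REASON_EXTRA = "extra program started at logon"
REASON_LOOKALIKE = "userinit.exe outside system32 or without a full path"


def split_userinit(value):
    """Split the comma-separated Userinit value into its program entries.

    The default value ends with a trailing comma, so empty pieces are dropped.
    Assumption: no entry contains a comma inside its path.
    """
    return [part.strip().strip('"') for part in value.split(",") if part.strip()]


def classify_entry(entry, system_root=r"C:\WINDOWS"):
    """Return None for the expected userinit.exe, otherwise a reason string."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    normalized = ntpath.normcase(entry)
    if normalized == expected:
        return None
    if ntpath.basename(normalized) == "userinit.exe":
        # Same file name but a different location: treat as a look-alike.
        return REASON_LOOKALIKE
    return REASON_EXTRA


def audit_userinit(log_text, system_root=r"C:\WINDOWS"):
    """Return (entry, reason) for every unexpected Userinit entry in the log."""
    findings = []
    for line in log_text.splitlines():
        match = F2_USERINIT.match(line.strip())
        if not match:
            continue
        for entry in split_userinit(match.group("value")):
            reason = classify_entry(entry, system_root)
            if reason is not None:
                findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_userinit(SAMPLE_LOG):
        print(f"{entry}: {reason}")
```
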
 
Dear Blade81,

Many thanks for the prompt reply and the ongoing assistance. It is much appreciated.

I followed your latest instructions in safe mode and here are the two logs you requested.

Please note: after combofix had finished in safe mode and when it rebooted, I let the computer boot into normal mode to finish the combofix report and process. If this was wrong, and I should have let the computer reboot into safe mode AGAIN after combofix had finished its FIRST scan, I apologise. Please let me know if I need to run the steps again and this time boot into safe mode AFTER the combofix tells me to reboot.

Many thanks and I look forward to your next instruction list.

Frank

Combofix log:

ComboFix 08-06-20.4 - Administrator 2008-06-22 19:04:47.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.373 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\WINDOWS\system32\cryptonet.dll
c:\WINDOWS\system32\ntos.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll
c:\WINDOWS\system32\cryptonet.dll
C:\WINDOWS\system32\wsnpoem\audio.dll . . . . Nicht in der Lage zu löschen
C:\WINDOWS\system32\wsnpoem\video.dll . . . . Nicht in der Lage zu löschen

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-22 bis 2008-06-22 ))))))))))))))))))))))))))))))
.

2008-06-22 19:10 . 2008-06-22 19:11 <DIR> d--hs---- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
2008-06-22 13:50 . 2008-06-22 13:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-22 13:50 . 2008-06-22 13:50 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-06-22 13:24 . 2008-06-22 13:24 34,728 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-20 20:46 . 2005-11-25 11:48 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Vorlagen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Startmen
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Netzwerkumgebung
2008-06-20 20:46 . 2008-06-22 19:08 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Favoriten
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr------- C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-06-20 20:46 . 2005-11-25 11:42 <DIR> d--h----- C:\Dokumente und Einstellungen\Administrator\Druckumgebung
2008-06-20 20:46 . 2005-11-25 11:58 <DIR> dr-h----- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
2008-06-20 20:46 . 2008-06-20 20:46 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-18 18:40 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-18 18:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-18 18:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 18:37 . 2008-06-18 18:37 <DIR> d-------- C:\Programme\Lavasoft
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-06-18 18:33 . 2008-06-18 18:33 <DIR> d-------- C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\SUPERAntiSpyware.com
2008-06-18 18:31 . 2008-06-18 18:32 <DIR> d-------- C:\Programme\a-squared Free
2008-06-18 18:25 . 2008-06-18 18:25 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-06-18 18:24 . 2008-06-18 18:24 <DIR> d-------- C:\Programme\CCleaner
2008-06-11 16:35 . 2008-06-14 19:57 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 16:35 . 2008-06-14 19:57 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 17:12 18,626,080 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-22 17:12 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Skype
2008-06-22 16:57 253,544 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-22 16:53 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\skypePM
2008-06-22 16:29 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-06-22 09:30 --------- d-----w C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\OpenOffice.org2
2008-06-22 09:27 2,804,569 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-18 16:37 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-06-18 16:37 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-18 16:30 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-26 17:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\CanonIJPLM
2008-05-24 15:29 17,058,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_24_15_03_32_full.dmp.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 07:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-21 06:56 672,256 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-01-02 13:43 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2003-01-13 09:59 278,528 ------w C:\Programme\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ------w C:\Programme\internet explorer\plugins\UPjpeg.dll
2007-12-25 16:18 146,976 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-22_11.32.25.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-22 09:27:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-22 17:09:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-22 09:28:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-22 17:10:10 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-22 17:10:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-22 09:28:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2008-06-22 17:10:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update"="c:\HH\update.cmd" [ ]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 14396416 C:\WINDOWS\RTHDCPL.EXE]
"EPSON Stylus CX3600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [ ]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 13:25 262401]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
"CanonMyPrinter"="C:\Programme\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 03:50 1603152]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 22:54 919016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2008-01-02 14:29 185896]
"Ulead AutoDetector v2"="C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 12:43 90112]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 13:25]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 13:25]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Programme\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 18:20]
S3 dtwmnic5;DeTeWe OpenCom 40 dsl;C:\WINDOWS\system32\DRIVERS\dtwmnic5.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 19:12:03
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...


C:\WINDOWS\system32\ntos.exe 477184 bytes executable
C:\WINDOWS\system32\wsnpoem

Scan erfolgreich abgeschlossen
versteckte Dateien: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-22 19:16:02 - machine was rebooted [Maze]
ComboFix-quarantined-files.txt 2008-06-22 17:15:45
ComboFix2.txt 2008-06-22 11:46:02
ComboFix3.txt 2008-06-22 09:34:03

9 Verzeichnis(se), 17,635,467,264 Bytes frei
11 Verzeichnis(se), 17,078,370,304 Bytes frei

172 --- E O F --- 2008-06-20 18:44:35



Hijack This log run after combofix reboot finished



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Canon\MyPrinter\BJMyPrt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [update] c:\HH\update.cmd
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6774 bytes
 
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask. If you want to continue cleaning please follow instructions below.


Download SDFix and save it to your desktop. (If you can't download with this computer try to get it downloaded on some other one.)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, double click the SDFix.exe file. Click Install in the window that appears.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
 
Dear Blade81,

Thanks for the information, I would be grateful to take up your offer to continue cleaning my computer.

As requested I followed your latest instructions and attached the two logs you requested below.

I received no error messages from SDFix so I think it ran without any problem.

I look forward to your new instructions and I thank you sincerely again for the ongoing support and help.

Frank

SDFix log from Report.txt:


SDFix: Version 1.195
Run by Maze on 2008-06-22 at 19:56

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ntos.exe - Deleted
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll - Deleted
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem\audio.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 20:08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 13 Nov 2007 6,219,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\851ec77bad9deffe5a3e6f29ba9e9716\BIT2.tmp"
Tue 20 Jun 2006 27,136 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0148.tmp"
Fri 17 Mar 2006 19,968 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0788.tmp"
Sun 3 Jun 2007 47,616 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0810.tmp"
Tue 20 Jun 2006 29,184 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0837.tmp"
Sun 3 Jun 2007 43,520 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0961.tmp"
Tue 20 Jun 2006 22,528 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1171.tmp"
Tue 20 Jun 2006 21,504 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1373.tmp"
Sun 3 Jun 2007 46,080 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1750.tmp"
Tue 20 Jun 2006 27,648 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2276.tmp"
Fri 5 May 2006 23,040 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2389.tmp"
Tue 20 Jun 2006 19,456 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2583.tmp"
Tue 20 Jun 2006 33,792 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3144.tmp"
Tue 20 Jun 2006 26,112 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3209.tmp"
Tue 20 Jun 2006 30,208 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3234.tmp"

Finished!


Latest Hijackthis log run after SDFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6486 bytes
 
Hi

The log looks ok now :)


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTMoveIt2 and save it to desktop.
  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the Begin cleanup Process? prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
    The program is available for download here
  • Download Spybot
    Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
    Spybot can be downloaded at this location
  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here
    SpywareBlaster tutorial
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
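The six Internet-zone changes listed under "Make your Internet Explorer more secure" can be checked after the fact from a registry export. This is an added example, not part of the original post: it assumes the per-user zone settings were exported with `reg export` from `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, uses Microsoft's documented URL action codes for those six settings, and runs over a constructed sample export.

```python
import re

# Zone action levels as stored in the registry (DWORD values).
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL action code -> (setting name as written in the post, level the post asks for).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Zone 3 is the Internet zone; other zones in the export are ignored.
ZONE_KEY_SUFFIX = r"\internet settings\zones\3"
VALUE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_internet_zone(reg_text):
    """Return {action_code: level} for the Internet zone found in .reg text."""
    values = {}
    in_zone = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone = line[1:-1].lower().endswith(ZONE_KEY_SUFFIX)
            continue
        if not in_zone:
            continue
        match = VALUE_RE.match(line)
        if match:
            values[match.group(1).upper()] = int(match.group(2), 16)
    return values


def audit_internet_zone(reg_text):
    """Compare the exported zone against the levels recommended in the post."""
    current = parse_internet_zone(reg_text)
    findings = []
    for code, (name, wanted) in RECOMMENDED.items():
        have = current.get(code)
        if have is None:
            # No explicit value in the export, so the effective level is unknown here.
            status = "missing"
        elif have >= wanted:
            # For these six actions 0 < 1 < 3 orders the levels by strictness.
            status = "ok"
        else:
            status = "weak"
        findings.append({
            "code": code,
            "setting": name,
            "current": LEVEL_NAMES.get(have, "not set"),
            "wanted": LEVEL_NAMES[wanted],
            "status": status,
        })
    return findings


# Constructed sample export (not taken from the thread): two settings are
# weaker than recommended, one is absent, and a Zones\2 value must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
'''

if __name__ == "__main__":
    for f in audit_internet_zone(SAMPLE_REG):
        print(f"{f['status']:8} {f['code']} {f['setting']}: "
              f"{f['current']} (wanted {f['wanted']})")
```

A file written by regedit is UTF-16, so decode it with `encoding="utf-16"` before passing the text in.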
 
Dear Blade81,

Thanks for your constant support and the information.

I followed all of the steps until I got to the 'run spybot again' step. Spybot found the same red item Win32.Agent.pz with the following 7 entries:

SBI $689A946A Library – C:\WINDOWS\System32\wsnpoem\audio.dll FILE
SBI $D372DFBA Library - C:\WINDOWS\System32\wsnpoem\video.dll FILE
SBI $B74832EE Program Directory - C:\WINDOWS\System32\wsnpoem DIRECTORY
SBI $C8DD69EE Settings – HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $7EC6899E Settings – HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $8980C6CD Settings – HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $0F1C75F7 Settings – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE

Please advise of the next appropriate steps to take. I shall follow your further instructions to the letter.

Please note: I carried out all the steps in the last post of yours up until the 'Run Spybot' step - so I don't know whether I need to re-download combofix or SD Fix or anything else again.

Attached also is a Hijackthis log after Spybot was run.

Yours sincerely,

Frank

Latest fresh hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6390 bytes
 
Quick amendment:

I just noticed that 'Run Adaware' was before 'Run Spybot' in your last post. I ran Spybot first and was going to run adaware after it.

But after Spybot found the same program again I stopped everything I was doing.

Apologies for any confusion and I will do whatever you tell me to do in your next set of instructions.

Thanks in advance again,

Frank
 
Hi

Run SDFix as you did before and then run GMER according to instructions below.

Download GMER and save it to your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click rootkit-tab and then scan.
  • Don't check the "Show All" box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post GMER log, SDFix report & a fresh hjt log in your reply.
 
Dear Blade81,

I thank you again for the prompt reply and fantastic ongoing support.

I followed all of your instructions exactly and here are the three logs you requested.

Thanks again and I look forward to your next set of instructions.

Best wishes,

Frank

SDFix Log:

SDFix: Version 1.196
Run by Maze on 2008-06-23 at 10:44

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 10:52:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 13 Nov 2007 6,219,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\851ec77bad9deffe5a3e6f29ba9e9716\BIT2.tmp"
Tue 20 Jun 2006 27,136 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0148.tmp"
Fri 17 Mar 2006 19,968 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0788.tmp"
Sun 3 Jun 2007 47,616 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0810.tmp"
Tue 20 Jun 2006 29,184 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0837.tmp"
Sun 3 Jun 2007 43,520 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL0961.tmp"
Tue 20 Jun 2006 22,528 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1171.tmp"
Tue 20 Jun 2006 21,504 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1373.tmp"
Sun 3 Jun 2007 46,080 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL1750.tmp"
Tue 20 Jun 2006 27,648 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2276.tmp"
Fri 5 May 2006 23,040 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2389.tmp"
Tue 20 Jun 2006 19,456 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL2583.tmp"
Tue 20 Jun 2006 33,792 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3144.tmp"
Tue 20 Jun 2006 26,112 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3209.tmp"
Tue 20 Jun 2006 30,208 ...H. --- "C:\Dokumente und Einstellungen\Maze\Anwendungsdaten\Microsoft\Word\~WRL3234.tmp"

Finished!

GMER Log run after SDFix:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-23 11:08:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEF09CEB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEF099870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xEF0A4700]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEF09D270]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xEF0A3500]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xEF0A3730]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xEF0A7090]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xEF09D350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEF099EF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xEF0A5720]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xEF0A5360]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xEF0A3270]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xEF0A5A60]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEF099D40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xEF0A2FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xEF0A2DE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xEF0A61D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xEF0A5D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xEF09CB50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xEF0A6000]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xEF09D060]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEF09A060]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xEF0A4ED7]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xEF0A3960]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805012B4 12 Bytes [ 70, D2, 09, EF, 00, 35, 0A, ... ]
? srescan.sys Das System kann die angegebene Datei nicht finden. !
? C:\DOKUME~1\Maze\LOKALE~1\Temp\catchme.sys Das System kann die angegebene Datei nicht finden. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] 8235FD70
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] 8235F960
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8235FF40
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8235F770
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 82334660
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 82334660
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EF0A1B40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EF0A2050] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EF0A1EF0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 4:116 823658E0
Thread 4:120 823658E0
Thread 4:124 8233E8D0
Thread 4:128 8233E8D0
Thread 4:132 8233E8D0
Thread 4:300 823658E0
Thread 4:324 823658E0

---- EOF - GMER 1.0.14 ----

Latest Fresh HijackThis Log run after SDFix and GMER (in that order):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12, on 2008-06-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Dokumente und Einstellungen\Maze\Desktop\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hiller-hinken.de/startseite/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
O14 - IERESET.INF: START_PAGE_URL=www.hiller-hinken.de/startseite/index.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132919914417
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6486 bytes
 
Hi

Looks ok now. :) Better monitor the situation for a few days (with Spybot for example) and see if the problem returns.
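One way to triage a GMER log like the one posted above is to group every SSDT and IAT hook by the driver GMER names as its owner, and to list separately the entries where no owner is printed. This is an added example, not part of the thread: the sample lines are copied from the log above, only the three line shapes that appear in it are parsed, and the list of expected security drivers passed in is the analyst's own assumption.

```python
import ntpath
import re
from collections import defaultdict

# SSDT <owner path> (<description/vendor>) <function> [0x<address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?)\s+\((?P<vendor>.+)\)\s+"
    r"(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# IAT <importer>[<lib>!<function>] [<address>] <owner path> (<description/vendor>)
IAT_OWNED_RE = re.compile(
    r"^IAT\s+(?P<importer>.+?)\[(?P<lib>[^!\]]+)!(?P<func>\w+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>.+?)\s+\((?P<vendor>.+)\)$")
# IAT <importer>[<lib>!<function>] <address>   (no owner printed)
IAT_BARE_RE = re.compile(
    r"^IAT\s+(?P<importer>.+?)\[(?P<lib>[^!\]]+)!(?P<func>\w+)\]\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})$")


def triage_gmer(log_text, expected_drivers):
    """Group hook entries by owning driver and flag what needs a closer look."""
    by_owner = defaultdict(list)
    unattributed = []   # hooks for which GMER printed no owning module
    unparsed = []       # SSDT/IAT lines in a shape this parser does not know
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(("SSDT ", "IAT ")):
            continue    # section headers, device and thread lines
        match = SSDT_RE.match(line) or IAT_OWNED_RE.match(line)
        if match:
            owner = ntpath.basename(match.group("module")).lower()
            by_owner[owner].append(match.group("func"))
            continue
        match = IAT_BARE_RE.match(line)
        if match:
            unattributed.append((ntpath.basename(match.group("importer")),
                                 match.group("func"), match.group("addr")))
        else:
            unparsed.append(line)
    expected = {name.lower() for name in expected_drivers}
    return {
        "by_owner": dict(by_owner),
        "unexpected_owners": sorted(o for o in by_owner if o not in expected),
        "unattributed": unattributed,
        "unparsed": unparsed,
    }


# Lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEF09CEB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEF099870]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] 8235FD70
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EF0A19D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 82334660
"""

if __name__ == "__main__":
    # Assumption: vsdatant.sys is expected because ZoneAlarm is installed.
    report = triage_gmer(SAMPLE_LOG, expected_drivers={"vsdatant.sys"})
    for owner, funcs in report["by_owner"].items():
        print(f"{owner}: {len(funcs)} hooks")
    print("owners not on the expected list:", report["unexpected_owners"])
    for importer, func, addr in report["unattributed"]:
        print(f"no owner printed: {importer} -> {func} @ {addr}")
```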
 
Hello Blade81,

Thanks for your time and assistance.

I just completed another scan with Spybot and it found the same 1 red item Win32.Agent.pz with 4 entries under it: (No other red items were found).

SBI $C8DD69EE Settings – HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $7EC6899E Settings – HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $8980C6CD Settings – HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE
SBI $0F1C75F7 Settings – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Network\UID REGISTRY VALUE

Does this mean it is still on my computer? What is your advice now? Should I click 'Fix Problems' in Spybot?

Should I run SDFix, GMER, Combofix, Kaspersky Online Scan, Spybot, Asquared, Adaware, Blacklight, AVG, Mcafee Stinger, Superantispyware, Malwarebytes Anti-Malware?

Thanks again for your kind assistance and time, I shall await your next instructions.

Frank
 