
help kahdah [RESOLVED]


  • This topic is locked

#1
wataka
  • Member
  • 10 posts
hello kahdah
i read your help with a couple of members regarding the infamous trojan horse psw onlinegames et al.
and from reading the threads i assumed that each method is different from the other and u need the following

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:03 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SoundMan.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Hasson\Local Settings\Temporary Internet Files\Content.IE5\1B7GLZTH\HiJackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.jword....g={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.jword....g={SUB_RFC1766}
R3 - URLSearchHook: MyUrlSrcHook Class - {D2A5245A-B682-4C26-A507-173A774B2E70} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D29DCEE0-457B-45A2-A92D-741B95B7723B} - C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exE
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [PTSShell] C:\WINDOWS\PTSShell.exe
O4 - HKLM\..\Run: [mfchlp32] C:\WINDOWS\mfchlp32.exe
O4 - HKLM\..\Run: [WINSvr32] C:\WINDOWS\WINSvr32.exE
O4 - HKLM\..\Run: [LotusHlp] C:\WINDOWS\LotusHlp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Visit &japanese keywords - res://C:\WINDOWS\DOWNLO~1\CnsMin.dll/203
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,msosmhfp00.dll,msosdohs00.dll,msoscqit00.dll,msosmnsf00.dll,msosping00.dll,msosjtio00.dll,msosdrop00.dll,msosfmsq00.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6384 bytes


i have the latest of avg and a squared which absolutely didn't help
please help i need my WoW fix and i hate to have my pass stolen.
thanx

i just scanned in safe mode got 40 results deleted and another alert after rebooting
i also did the dss scan, waiting for any instruction from kahdah or any1 of the staff
thank u

Edited by wataka, 03 April 2008 - 01:28 PM.



#2
wataka
  • Topic Starter
  • Member
  • 10 posts
day 2
can't kill it.......can't kill it........good god i can't kill it
safe mode......full mode.....can't kill it
adaware........avg........a squared.......can't kill it

please help
my warlock oh my poor warlock
this trojan is like an uppity 2 year old, i think i sent him to the vault for the final time, and it pops its freckled face every time i contemplate heading into WoW.
i'm at the end of my perpetual rope

please help
anyone :) :)

#3
BHowett
  • OT Moderator
  • Moderator
  • 4,642 posts
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess, simply post back with your question, and we will go through it again.


Sorry for the delay, as you can tell we are very busy here. So let's get started :)


ComboFix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
===============================================

#4
wataka
  • Topic Starter
  • Member
  • 10 posts
dear bhowett
believe it or not your reply constituted the only b-day gift i got this year, so thanx
here is what u wanted
ComboFix 08-04-06.1 - Hasson 2008-04-07 10:09:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.720 [GMT -5:00]
Running from: C:\Documents and Settings\Hasson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Hasson\Application Data\macromedia\Flash Player\#SharedObjects\AH8ZMS4R\www.inter-focus.cn
C:\Documents and Settings\Hasson\Application Data\macromedia\Flash Player\#SharedObjects\AH8ZMS4R\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\Hasson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Hasson\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Program Files\Internet Explorer\PLUGINS\Nv_Win3s.Jmp
C:\WINDOWS\avpsrv.exe
C:\WINDOWS\LotusHlp.exe
C:\WINDOWS\PTSShell.exe
C:\WINDOWS\system32\fptbtn.dll
C:\WINDOWS\system32\msosdrop.dat
C:\WINDOWS\system32\WINSvr32.dll
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\WINSvr32.exE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DROP
-------\Legacy_FPIDS32
-------\Service_drop
-------\Service_fpids32


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-03 19:04 . 2008-04-03 19:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-03 19:04 . 2008-04-03 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 19:03 . 2008-04-03 19:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 13:09 . 2008-04-03 13:09 <DIR> d-------- C:\Deckard
2008-04-03 11:47 . 2008-04-03 11:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 05:45 . 2008-04-03 05:47 3,200 --ahs---- C:\WINDOWS\system32\drivers\msosfpids32.sys
2008-04-02 21:01 . 2008-04-02 21:43 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-02 13:56 . 2008-04-02 13:56 144 ---hs---- C:\WINDOWS\system32\mgmgmm.cfg
2008-04-02 11:51 . 2008-04-02 20:17 1,640 ---hs---- C:\WINDOWS\system32\fjyjy.cfg
2008-04-02 11:51 . 2008-04-02 11:51 256 --a------ C:\WINDOWS\system32\msosfmsq.dat
2008-04-02 11:49 . 2008-04-02 11:49 256 --a------ C:\WINDOWS\system32\msosjtio.dat
2008-04-02 11:49 . 2008-04-02 11:49 128 --a------ C:\WINDOWS\system32\msosping.dat
2008-04-02 11:49 . 2008-04-02 11:49 3 --a------ C:\WINDOWS\system32\ttjj3.ini
2008-04-02 11:48 . 2008-04-03 05:49 2,456 ---hs---- C:\WINDOWS\system32\jwlah.cfg
2008-04-02 11:48 . 2008-04-03 05:49 1,232 ---hs---- C:\WINDOWS\system32\jzijj.cfg
2008-04-02 11:47 . 2008-04-03 05:47 2,456 ---hs---- C:\WINDOWS\system32\sehhter.cfg
2008-04-02 11:47 . 2008-04-03 05:47 256 --a------ C:\WINDOWS\system32\msosmnsf.dat
2008-04-02 11:43 . 2008-04-03 05:46 1,232 ---hs---- C:\WINDOWS\system32\xgnfn.cfg
2008-04-02 11:42 . 2008-04-03 05:46 384 --a------ C:\WINDOWS\system32\msoscqit.dat
2008-04-02 11:41 . 2008-04-03 05:46 2,304 --a------ C:\WINDOWS\system32\msosdohs.dat
2008-04-02 11:41 . 2008-04-02 11:41 256 --a------ C:\WINDOWS\system32\msosmhfp.dat
2008-04-02 09:55 . 2008-04-02 09:55 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-31 09:11 . 2008-03-31 09:11 <DIR> d-------- C:\Program Files\VALKYRIA
2008-03-25 12:38 . 2008-03-25 12:38 <DIR> d-------- C:\Logs
2008-03-25 03:52 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-25 03:52 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-25 03:52 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-24 21:27 . 2008-04-02 09:54 <DIR> d-------- C:\Program Files\isoHunt
2008-03-24 21:27 . 2008-04-02 09:54 <DIR> d-------- C:\Program Files\Conduit
2008-03-24 13:28 . 2008-03-24 13:28 268 --ah----- C:\sqmdata00.sqm
2008-03-24 13:28 . 2008-03-24 13:28 244 --ah----- C:\sqmnoopt00.sqm
2008-03-24 13:09 . 2008-03-24 13:09 <DIR> d-------- C:\Documents and Settings\Hasson\Contacts
2008-03-24 13:03 . 2008-03-24 13:14 <DIR> d-------- C:\Program Files\Windows Live
2008-03-24 13:03 . 2008-03-24 13:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 13:02 . 2008-03-24 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-18 11:33 . 2008-03-18 12:17 24 --a------ C:\WINDOWS\winamp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 14:54 --------- d-----w C:\Documents and Settings\Hasson\Application Data\uTorrent
2008-04-07 13:00 --------- d-----w C:\Documents and Settings\Hasson\Application Data\AVG7
2008-04-04 14:05 --------- d-----w C:\Program Files\Postal2STP
2008-03-19 23:36 --------- d-----w C:\Documents and Settings\Hasson\Application Data\Ahead
2008-02-27 15:34 356 ----a-w C:\drmHeader.bin
2008-02-15 13:36 --------- d-----w C:\Program Files\DivX
2008-02-13 20:48 --------- d-----w C:\Documents and Settings\Hasson\Application Data\Apple Computer
2008-02-13 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-13 20:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-13 20:43 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D29DCEE0-457B-45A2-A92D-741B95B7723B}]
C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 01:51 7323648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-27 09:34 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D29DCEE0-457B-45A2-A92D-741B95B7723B}"= C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys [ ]
"{50632D5C-B71B-4ba0-B012-3DC6F15C011B}"= C:\WINDOWS\system32\msosiocp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm
"VIDC.wmv3"= wmv9vcm.dll
"MSVideo8"= VfWWDM32.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]
Debugger=SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-23 10:19 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 17:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-07 10:35 157696 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mfchlp32]
C:\WINDOWS\mfchlp32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-14 01:51 7323648 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-12-14 01:51 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-14 01:51 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
---hs---- 2006-10-18 22:47 81920 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
-ra------ 2006-01-02 21:58 208896 C:\WINDOWS\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
-ra------ 2006-01-02 21:59 69632 C:\WINDOWS\system32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 21:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Hasson\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

S2 cqit;cqit;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F9.tmp []
S2 dohs;dohs;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1B7.tmp []
S2 jtio;jtio;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1E0.tmp []
S2 mnsf;mnsf;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1CC.tmp []
S2 ping;ping;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp2F.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c71b1b41-f1a2-11db-8c20-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 10:12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cqit]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F9.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dohs]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1B7.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jtio]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1E0.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mnsf]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1CC.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ping]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp2F.tmp"
.
Completion time: 2008-04-07 10:13:04
ComboFix-quarantined-files.txt 2008-04-07 15:12:44
Pre-Run: 3,575,095,296 bytes free
Post-Run: 3,566,166,016 bytes free
.
2008-03-26 08:01:01 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:24 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SoundMan.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: MyUrlSrcHook Class - {D2A5245A-B682-4C26-A507-173A774B2E70} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {D29DCEE0-457B-45A2-A92D-741B95B7723B} - C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Visit &japanese keywords - res://C:\WINDOWS\DOWNLO~1\CnsMin.dll/203
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5255 bytes

#5
BHowett
  • OT Moderator
  • Moderator
  • 4,642 posts
Hi wataka,

First off let me say happy birthday…. Hope you are enjoying it. OK, let's see what else we can do here……


ATF Cleaner


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===================================================================

Fix with HJT


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: MyUrlSrcHook Class - {D2A5245A-B682-4C26-A507-173A774B2E70} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL (file missing)
O2 - BHO: (no name) - {D29DCEE0-457B-45A2-A92D-741B95B7723B} - C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys (file missing)
O8 - Extra context menu item: Visit &japanese keywords - res://C:\WINDOWS\DOWNLO~1\CnsMin.dll/203
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===================================================================



Combofix script

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\msosfpids32.sys
C:\WINDOWS\system32\mgmgmm.cfg
C:\WINDOWS\system32\fjyjy.cfg
C:\WINDOWS\system32\msosfmsq.dat
C:\WINDOWS\system32\msosjtio.dat
C:\WINDOWS\system32\msosping.dat
C:\WINDOWS\system32\ttjj3.ini
C:\WINDOWS\system32\jwlah.cfg
C:\WINDOWS\system32\jzijj.cfg
C:\WINDOWS\system32\sehhter.cfg
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\xgnfn.cfg
C:\WINDOWS\system32\msoscqit.dat
C:\WINDOWS\system32\msosdohs.dat
C:\WINDOWS\system32\msosmhfp.dat
C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys
C:\WINDOWS\mfchlp32.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D29DCEE0-457B-45A2-A92D-741B95B7723B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mfchlp32]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D29DCEE0-457B-45A2-A92D-741B95B7723B}"=-
"{50632D5C-B71B-4ba0-B012-3DC6F15C011B}"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
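Added example (not part of BHowett's post and not code from HijackThis or ComboFix): a Python sketch of the kind of triage behind the "Fix with HJT" step above, run over a few lines copied from the HijackThis logs in this thread. The function name, tags and heuristics are assumptions for illustration; a tag means "review this entry", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: MyUrlSrcHook Class - {D2A5245A-B682-4C26-A507-173A774B2E70} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D29DCEE0-457B-45A2-A92D-741B95B7723B} - C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,msosmhfp00.dll,msosdohs00.dll
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Hypothetical tag names used only by this example.
ORPHANED = "orphaned"                # registry entry whose target file is gone
RUN_FROM_WINROOT = "run-from-windows-root"
APPINIT_BARE = "appinit-bare-dll"    # AppInit_DLLs item given without a directory
UNKNOWN_OWNER = "unknown-owner"      # service binary with no company name

# "<section code> - <rest>", e.g. "O23 - Service: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# HijackThis appends one of these markers when the referenced file is absent.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# Run value whose executable sits directly in C:\WINDOWS (no subfolder).
WINROOT_EXE_RE = re.compile(r'\]\s+"?C:\\WINDOWS\\[^\\"]+\.exe', re.IGNORECASE)


@dataclass
class Finding:
    section: str                     # HijackThis section code, e.g. "O2"
    reasons: list                    # one or more of the tags above
    line: str                        # the log line as posted
    detail: list = field(default_factory=list)


def triage(log_text):
    """Return a Finding for every log entry that matches a review heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue                 # header, process list or blank line
        section, body = match.groups()
        reasons, detail = [], []

        if ORPHAN_RE.search(body):
            reasons.append(ORPHANED)
        if section == "O4" and WINROOT_EXE_RE.search(body):
            reasons.append(RUN_FROM_WINROOT)
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in body.split(":", 1)[1].split(",")]
            # Items with no backslash have no directory component.
            detail = [d for d in dlls if d and "\\" not in d]
            if detail:
                reasons.append(APPINIT_BARE)
        if section == "O23" and "- Unknown owner -" in body:
            reasons.append(UNKNOWN_OWNER)

        if reasons:
            findings.append(Finding(section, reasons, line, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{','.join(f.reasons):<34}{f.line[:70]}")
```

The Windows-root heuristic also matches legitimate programs installed there, so each flagged entry still needs a human decision before anything is fixed.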

#6
wataka
  • Topic Starter
  • Member
  • 10 posts
dear bhowett
thank u for your detailed response
the steps were easy to take and here are the results u asked for


ComboFix 08-04-06.1 - Hasson 2008-04-07 16:30:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.661 [GMT -5:00]
Running from: C:\Documents and Settings\Hasson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hasson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Internet Explorer\PLUGINS\NewSys55.Sys
C:\WINDOWS\mfchlp32.exe
C:\WINDOWS\system32\drivers\msosfpids32.sys
C:\WINDOWS\system32\fjyjy.cfg
C:\WINDOWS\system32\jwlah.cfg
C:\WINDOWS\system32\jzijj.cfg
C:\WINDOWS\system32\mgmgmm.cfg
C:\WINDOWS\system32\msoscqit.dat
C:\WINDOWS\system32\msosdohs.dat
C:\WINDOWS\system32\msosfmsq.dat
C:\WINDOWS\system32\msosjtio.dat
C:\WINDOWS\system32\msosmhfp.dat
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\msosping.dat
C:\WINDOWS\system32\sehhter.cfg
C:\WINDOWS\system32\ttjj3.ini
C:\WINDOWS\system32\xgnfn.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\msosfpids32.sys
C:\WINDOWS\system32\fjyjy.cfg
C:\WINDOWS\system32\jwlah.cfg
C:\WINDOWS\system32\jzijj.cfg
C:\WINDOWS\system32\mgmgmm.cfg
C:\WINDOWS\system32\msoscqit.dat
C:\WINDOWS\system32\msosdohs.dat
C:\WINDOWS\system32\msosfmsq.dat
C:\WINDOWS\system32\msosjtio.dat
C:\WINDOWS\system32\msosmhfp.dat
C:\WINDOWS\system32\msosmnsf.dat
C:\WINDOWS\system32\msosping.dat
C:\WINDOWS\system32\sehhter.cfg
C:\WINDOWS\system32\ttjj3.ini
C:\WINDOWS\system32\xgnfn.cfg

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-03 19:04 . 2008-04-03 19:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-03 19:04 . 2008-04-03 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 19:03 . 2008-04-03 19:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 13:09 . 2008-04-03 13:09 <DIR> d-------- C:\Deckard
2008-04-03 11:47 . 2008-04-03 11:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 21:01 . 2008-04-02 21:43 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-02 09:55 . 2008-04-02 09:55 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-31 09:11 . 2008-03-31 09:11 <DIR> d-------- C:\Program Files\VALKYRIA
2008-03-25 12:38 . 2008-03-25 12:38 <DIR> d-------- C:\Logs
2008-03-25 03:52 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-25 03:52 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-25 03:52 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-24 21:27 . 2008-04-02 09:54 <DIR> d-------- C:\Program Files\isoHunt
2008-03-24 21:27 . 2008-04-02 09:54 <DIR> d-------- C:\Program Files\Conduit
2008-03-24 13:28 . 2008-03-24 13:28 268 --ah----- C:\sqmdata00.sqm
2008-03-24 13:28 . 2008-03-24 13:28 244 --ah----- C:\sqmnoopt00.sqm
2008-03-24 13:09 . 2008-03-24 13:09 <DIR> d-------- C:\Documents and Settings\Hasson\Contacts
2008-03-24 13:03 . 2008-03-24 13:14 <DIR> d-------- C:\Program Files\Windows Live
2008-03-24 13:03 . 2008-03-24 13:05 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 13:02 . 2008-03-24 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-18 11:33 . 2008-03-18 12:17 24 --a------ C:\WINDOWS\winamp.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 20:23 --------- d-----w C:\Documents and Settings\Hasson\Application Data\AVG7
2008-04-07 14:54 --------- d-----w C:\Documents and Settings\Hasson\Application Data\uTorrent
2008-04-04 14:05 --------- d-----w C:\Program Files\Postal2STP
2008-03-19 23:36 --------- d-----w C:\Documents and Settings\Hasson\Application Data\Ahead
2008-02-27 15:34 356 ----a-w C:\drmHeader.bin
2008-02-15 13:36 --------- d-----w C:\Program Files\DivX
2008-02-13 20:48 --------- d-----w C:\Documents and Settings\Hasson\Application Data\Apple Computer
2008-02-13 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-13 20:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-13 20:43 --------- d-----w C:\Program Files\QuickTime
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 21:38 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-14 01:51 7323648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-27 09:34 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm
"VIDC.wmv3"= wmv9vcm.dll
"MSVideo8"= VfWWDM32.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]
Debugger=SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-23 10:19 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 17:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-07 10:35 157696 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-14 01:51 7323648 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-12-14 01:51 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-14 01:51 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
---hs---- 2006-10-18 22:47 81920 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
-ra------ 2006-01-02 21:58 208896 C:\WINDOWS\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
-ra------ 2006-01-02 21:59 69632 C:\WINDOWS\system32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-27 21:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Hasson\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

S2 cqit;cqit;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F9.tmp []
S2 dohs;dohs;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1B7.tmp []
S2 jtio;jtio;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1E0.tmp []
S2 mnsf;mnsf;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1CC.tmp []
S2 ping;ping;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp2F.tmp []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c71b1b41-f1a2-11db-8c20-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 16:31:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cqit]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F9.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dohs]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1B7.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jtio]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1E0.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mnsf]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1CC.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ping]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp2F.tmp"
.
Completion time: 2008-04-07 16:32:14
ComboFix-quarantined-files.txt 2008-04-07 21:31:47
ComboFix2.txt 2008-04-07 15:13:05
Pre-Run: 3,880,783,872 bytes free
Post-Run: 3,872,133,120 bytes free
.
2008-03-26 08:01:01 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:33 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SoundMan.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4908 bytes


again thank u for your help
  • 0

#7
BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi wataka,

Things are looking much better… just a few more things to do, so hang in there :)


Delete an NT Service

  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in: helpsvc
  • Click "ok", then reboot

===================================================================

Fix with HJT

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\interne.exe


After that, Reboot.


===================================================================

Kaspersky Online Scanner


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

===================================================================


In your next reply please post the Kaspersky Online Scanner results, a fresh HijackThis log, and let me know how your system is running :)
  • 0
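The service entries that stand out in the logs above (an O23 service with "Unknown owner" and "(file missing)", and services whose ImagePath sits in a Temp folder) can be picked out mechanically. The following is an added example, not part of the original thread or of HijackThis or ComboFix: the function name `triage_services`, the regular expressions (inferred from the line formats visible in the logs above) and the three heuristics are assumptions for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Lines copied from the HijackThis and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
S2 cqit;cqit;C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F9.tmp []
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cqit]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F9.tmp"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ping]
"ImagePath"="\??\C:\DOCUME~1\Hasson\LOCALS~1\Temp\tmp2F.tmp"
"""

# HijackThis service line: display name, optional (short name), owner, path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# ComboFix service line as it appears above: "S2 name;display;path []".
CF_SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: \[.*\])?$"
)
# Registry key header for a service, followed by its ImagePath value.
REG_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\[^\\]+\\Services\\(?P<name>[^\\\]]+)\]$",
    re.I,
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.+)"$', re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)


class Finding(NamedTuple):
    service: str              # service short name, lower-cased
    path: str                 # image path with any \??\ prefix removed
    reasons: Tuple[str, ...]  # sorted heuristic labels


def triage_services(log_text: str) -> List[Finding]:
    """Return service entries worth a second look, one per service name."""
    seen: Dict[str, Tuple[str, Set[str]]] = {}
    current_key: Optional[str] = None

    def record(name: str, path: str, reasons: Set[str]) -> None:
        if path.startswith("\\??\\"):      # NT object-manager prefix
            path = path[4:]
        if TEMP_DIR_RE.search(path):
            reasons.add("image in Temp directory")
        if reasons:                        # entries with no flag are dropped
            entry = seen.setdefault(name.lower(), (path, set()))
            entry[1].update(reasons)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            reasons: Set[str] = set()
            if m.group("missing"):
                reasons.add("file missing")
            if m.group("owner").lower() == "unknown owner":
                reasons.add("unknown owner")
            record(m.group("name") or m.group("display"), m.group("path"), reasons)
            continue
        m = CF_SERVICE_RE.match(line)
        if m:
            record(m.group("name"), m.group("path"), set())
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("name")
            continue
        if line.startswith("["):           # some other registry key
            current_key = None
            continue
        m = IMAGEPATH_RE.match(line)
        if m and current_key:
            record(current_key, m.group("path"), set())

    return [Finding(n, p, tuple(sorted(r))) for n, (p, r) in sorted(seen.items())]


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.service:8} {', '.join(f.reasons):32} {f.path}")
```

A flagged entry is a candidate for review, not a verdict; the service name still has to be checked against what is legitimately installed before anything is deleted.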

#8
wataka

  • Topic Starter
  • Member
  • 10 posts
dear howett
thank u for the 2nd instructions
the helpsvc service needed to be disabled before deleting so i went ahead with checking 023 and fix it
the interne.exe file did not exist
and the virus scanner just done here you go with the results, hope i didn't mess up


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 07, 2008 11:23:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/04/2008
Kaspersky Anti-Virus database records: 689092
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 66558
Number of viruses found: 12
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 03:34:30

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080403131310\backup\DOCUME~1\Hasson\LOCALS~1\Temp\tmp17.tmp Infected: Trojan-PSW.Win32.OnLineGames.yzs skipped
C:\Deckard\System Scanner\20080403131310\backup\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1C.tmp Infected: Trojan-PSW.Win32.OnLineGames.zcv skipped
C:\Deckard\System Scanner\20080403131310\backup\DOCUME~1\Hasson\LOCALS~1\Temp\tmp1F.tmp Infected: Trojan-PSW.Win32.OnLineGames.zco skipped
C:\Deckard\System Scanner\20080403131310\backup\DOCUME~1\Hasson\LOCALS~1\Temp\tmp3D.tmp Infected: Trojan-PSW.Win32.OnLineGames.yuy skipped
C:\Deckard\System Scanner\20080403131310\backup\DOCUME~1\Hasson\LOCALS~1\Temp\tmp58.tmp Infected: Trojan-PSW.Win32.OnLineGames.yzs skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Hasson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\Temp\~DF52E7.tmp Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\Temp\~DF5327.tmp Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Hasson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hasson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hasson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\AVPSrv.exE.vir Infected: Trojan-PSW.Win32.OnLineGames.yzu skipped
C:\QooBox\Quarantine\C\WINDOWS\LotusHlp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yvw skipped
C:\QooBox\Quarantine\C\WINDOWS\PTSShell.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yvi skipped
C:\QooBox\Quarantine\C\WINDOWS\WINSvr32.exE.vir Infected: Trojan-PSW.Win32.OnLineGames.yxj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5401D4AC-7954-42D3-A5E0-7A5A3C97C8DB}\RP402\A0059173.exE Infected: Trojan-PSW.Win32.OnLineGames.yzu skipped
C:\System Volume Information\_restore{5401D4AC-7954-42D3-A5E0-7A5A3C97C8DB}\RP402\A0059174.exe Infected: Trojan-PSW.Win32.OnLineGames.yvw skipped
C:\System Volume Information\_restore{5401D4AC-7954-42D3-A5E0-7A5A3C97C8DB}\RP402\A0059175.exe Infected: Trojan-PSW.Win32.OnLineGames.yvi skipped
C:\System Volume Information\_restore{5401D4AC-7954-42D3-A5E0-7A5A3C97C8DB}\RP402\A0059177.exE Infected: Trojan-PSW.Win32.OnLineGames.yxj skipped
C:\System Volume Information\_restore{5401D4AC-7954-42D3-A5E0-7A5A3C97C8DB}\RP403\A0059274.sys Object is locked skipped
C:\System Volume Information\_restore{5401D4AC-7954-42D3-A5E0-7A5A3C97C8DB}\RP403\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\17f4a4c6913cc8d4d32b531a85a4c93c_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\180d5bc730d103af650bae2800fb07b5_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\18228015fde79e1ef69ce8ff4b34838d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\18c8660841a6b47723c6dabb6426eef5_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1a1ace75f44627a596cd91b324f39cff_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ad5fd44bbf82c0e2e98767f254d53f9_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1b3d7528aa0e4a440f495543f9233de4_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1b5de410ca338769db47da40853a9d55_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1cb8e95cb78f34167b0b00050262862e_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1d3d87f01e3575bbaa2e0075d91af276_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1d71f9814cfd9397d5c26d1a1191407e_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1da45252f13ff76bdf56257419cdd4e1_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1de238b3f00de3e3ae583e30035d253b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1df7c9eaa8c24ec7e2791602175ca540_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1e13a5a326b37dec5763b84aefe6b682_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1efcd8719c66a39e7732e97dc1e49769_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1f5385c00b9e8557509c434a795afe17_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1f997268130203a4a13598e3394f9c01_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\20d190602360f294bbb31af4c7e786bb_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\226b50a1de1c9dd3a54e4389075b27f4_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22c4ea04c51972a5348d1c0f83e57cb9_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22d5cb8d6ab194e5c9e1a13d9a45a593_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\23c0dde217291d97285b6b7d0b9d7874_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\23f0b640e6b3a6aadf6712da0afa35f5_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\247fe60effa0b8a6e2d207ebd612a6a0_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\24bda517422d05b0c59fb63d76d3eeb8_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\252cc66ab4c985ceb73b5bc5862772eb_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2554b0a15413411f21c1e63e12bcba0f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\264cccbe8594220b762531683d91c0d4_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\276784011f41392859b7929c195e2546_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\276b90f843571a6b0b2c7c42aedb7c12_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\278798192a9437d22fade7c034853b7d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\28ca521372e5c7281a69fddc2e04e317_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2b3e4706788e00a5d69efc4903f42ffe_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2dd2a77922710bbf58d1f34ff5be1e8e_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2dec8e709b44b82630d4b9d3b7a30beb_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\301da16ddcc581f8bdf07af4247f90db_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\312066efacbdd16191e9e43830bb3d75_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3187b52237cc5e44383f6f2b082d3d80_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\31c2e4b8f54f65ad5e7726ead8ab1659_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3243552d39bff99291d59403bb868772_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\32e71f3e34a47f906435cecef3a7d696_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3329fcd0ef3c99462e1993d69f66a026_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\34c5851e48c16328bac4d18fd2744306_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\357642b04212a07b48ffca98d6a01e87_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3680e1359cb7a42c767ef96414119218_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3786f525a72388b2eddb6eb39dd74c5a_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\380c2010fb4dc78173ee1d6a45dc7b59_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38acf078af3b4a6c5edf2cbfe5fe4674_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3928a7da3d5d8363beb5f2dee8f11d98_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\395ed8348d6d6b7905a202984d55921f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\396478e0a44d3a1d1f03b48939c56983_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\396ca57c8446209105d6f57b97a4fd3a_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\39dc8a248f18c70719437e7b908f599b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a20661f98b0f1424d9d6be44b6dafb3_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a8645d21d4f6d424e0c632e4a4d7c1f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3aeb284dd967fce8dc9c6f4aadb73a62_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ba6592245ee5e5f9fecb507edfe387b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3c1468103bcf7dd37d13a831c3cfae36_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3cdd2a3a4f0c2a847dc61eaa9c32f9c2_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d59e10907afd3d158ef1c66605fb9c3_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d5ff08ff91baa402233f55a1053897e_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3d80ad239a08af8a64450762eb0322f6_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e16bdc7feb55ebddeef23f4ea68b5b0_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e583af27726e855db8360623fb2e285_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e603f630791d02b6f99cb9f235601ad_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ed79ecf991181a5490e08edaabedc25_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3fc7565d1bb89603e63b182e1a00f648_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4085d3ba28ac4672693758d837920ab7_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\408baffa206fec4c699b7c719263130f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40978dc040218e1f371aa5b5500e7e2d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40c71a2ad3ba3a5376cf90713a347447_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\41bd542c00256e7090b103202219d3b9_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\42910b7d016c8792b7df6420d30e5ca5_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\42fb4f6bc10b6a8d4eb025621029a00a_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4378c117e7cf5c93531b3b275f1a19b6_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\43d2f5b8d055edc3d2633ff38e4e7499_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\440ba3f1d0dc41895b091a7df99e3f44_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\445c4dfb50520d74519b7840d68219c0_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\44961005e3822f1a87a4fb61c221bfb3_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\44bb21baf6dbda7e4242a241ea91b46a_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\450105b48af9774fe9cf77d9b32b42f1_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45661c67a4a89de9478e8777a737b063_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45aa61dcff73f31f8e531e953bb8f479_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45f7c372d53a895c97bba74def497954_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4638c69f1349102f4f4f8fc0173c82e2_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\46686ba44ee07aa195b1b06600c57f8b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\472703a81eb158f9a1ea0b70d41206ab_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\477a68b8f59d60815818e2714d14c1d2_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\484941ec06020dfe4a32c59adde02084_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\485c826bd5384512a9d9213083fcb65d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48f2bfbbe7a5b5f9f4f2237c8a68f71d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\490937106a18eea214f80e2b32c6da22_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\491443e19b6b4eb1ffc72440893ab0b8_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\49ab45a4ae73ecea50db48213b4081c1_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\49d10c53e62e12837788f8d4ec4f9213_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a27fcbdd4bffcc397a1cc40259f8a22_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a3dfe215c4d2b2cc2d8e505f37583c3_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4aa294e6450e99e089cf21228e39019b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4b30d454da7c0acf25f15c535c1775a9_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4b63571ee0051b53b2c74767dbe9295e_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4bcf8742158a8053cd99b0fdff7523af_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4bed6eea7df0f38ba754dcb67c1c8080_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4c3d6a3ae389be1f89c4f44623ed23f0_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4c791df6d551260472b12ed5b7413e6f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4d86c7412235eb6811050a5b41dcfd48_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4e4c974b01c6cfe140d590f6cb133787_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4eedeb551b5ab809128f9a16937d97ba_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\505fb57dc0e363e67c9725d1f7f3ccdc_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\50ebd6d1243ae825b38dbe1647a3ed65_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\50f6663c073d468ae81a11c20282f2ba_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51c4fcfaf1b3d952771b5376fb6d9e58_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52199722f4ba348e0571377b2104bbc4_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5237977a872f7a066cb1541e3eaa28bb_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52b45d267f474643c70cf41041e0df74_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52e95c92e3589b3237445668be24737b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5396cfd7d4c7e63033d2f9d51dbd6e71_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\53cb52f3b8e4fc124a45aac78593ce40_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5421396c885211ae09cc8595f7aadfd0_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55234033b4ac308c202ee3b3c65e5545_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\555a67d00044536dd7d84247119d86a1_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\558b7c0e1376a3446ba6d66331ceaa4d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55c99fbbec71841293055bfb1b9e7e1f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\560c414e8ff28666b03b7df36814ce8f_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\56ad2817e79f765fdaece45ccfeb66d9_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\56c7eeb6d0ab7ab7ca9933ece632299e_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\56f5d3d89b928dc8f941ee183a63b5bc_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\577e8053c1f7588b425b3f4523eeeb4b_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\57a62e63745ffed32bbdb346f74959b8_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\57d74245aa59c0e29553ffc847d7cf54_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\584dd6820067092fc42b46feb5ade060_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\598bd7cafd3e554f963341aa0d66415d_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\59d6e995fd939f6ccf8503387f9a2db4_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ad7f36c13fce5cf22a3110857b46038_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b184dd512733fc64b3536a1ef785526_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b2c2938c258b441ee3aff91065bb0ec_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b638e7a3e61f17eae964a5358e0c723_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5bd685a9390356a0d93534a9cc3bbbd9_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c09e05ce7897816d20179081173d94c_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c61d4f86dc2e5942d6c472e64803a82_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ca50c9895280d5f1777b2b88a247329_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d1b73e377ce1d13dc7d561cefba8638_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5e1ab5fb673d06a8993b82ff40354358_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5e26eeda800d710276ac1a8d8d6a2700_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5e40b67a56c0f0fab1d7d778703c3572_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5e4332ed05a7078b6a82acac638a8a51_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5e6a662aaf717f634e70d65898ee0c68_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5eb83895cd4a9031d46b3d1976c05033_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ee7a57711e6e64b0aad07c4a7d5b679_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f0e0d234165452d9745d224b4cfe197_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f1c47ac3fe424b4ea95acc2ffcd72ce_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6066acb56f12d930967122dc67656840_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60a559a9dbdcfdde2bd0b03bcb126bd2_a18a9597-5b51-41d4-8387-31ad888312c3 Object is locked skipped
  • 0

#9
BHowett


    OT Moderator

  • Moderator
  • 4,642 posts
Hello again,

Looking good, everything found seems to be in Quarantine or system restore points and we will clear all that out shortly.

Please post a fresh HijackThis log, and let me know how your system is running :)
  • 0

#10
wataka


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
good day bhowett
today my avg is telling me that there are no viruses in my computer, although there was an alert when i ran adaware
nonetheless my computer seems to have forgotten the words psw onlinegames :)
here is the fresh log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:43 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SoundMan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5112 by
  • 0



#11
BHowett


    OT Moderator

  • Moderator
  • 4,642 posts
Hi wataka,

Delete services

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as All Files and name it "FixServices.bat" (including quotation marks). Please save it on your desktop.

@echo off
sc stop helpsvc
sc config helpsvc start= disabled
sc delete helpsvc
exit

Double click FixServices.bat. A window will open and close. This is normal. Then reboot your computer.

===================================================================


Fix with HJT


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


===================================================================


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

===================================================================


Please post one more fresh HijackThis log. :)
  • 0
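The check behind the steps in post #11, as an added example that is not part of the original thread: it parses the O23 service lines of a HijackThis log, flags entries marked "Unknown owner" or "(file missing)", and compares two logs to confirm that a flagged service is gone after the fix. The function names are hypothetical and the sample lines are a subset copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREFIX = "O23 - Service: "
MISSING = "(file missing)"

# O23 lines copied from the 12:43 PM log in this thread (subset), plus one O4
# line to show that other sections are ignored.
BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\system32\interne.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
# The 2:22 PM log lists the same services without the helpsvc entry.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "(helpsvc)" not in l)


@dataclass(frozen=True)
class Service:
    display: str
    short: Optional[str]   # name in parentheses; absent on some entries
    owner: str
    path: str
    file_missing: bool

    @property
    def key(self) -> str:
        return (self.short or self.display).lower()


def parse_o23(line: str) -> Optional[Service]:
    """Parse one 'O23 - Service:' line; return None for any other line."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    # Split from the right: display names and owners may contain commas,
    # and the path is always the last field.
    parts = line[len(PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    m = re.fullmatch(r"(.+) \(([^()]+)\)", name)
    display, short = (m.group(1), m.group(2)) if m else (name, None)
    return Service(display, short, owner, path, missing)


def parse_services(log_text: str) -> List[Service]:
    return [s for s in map(parse_o23, log_text.splitlines()) if s]


def flag(services: List[Service]) -> List[Tuple[str, List[str]]]:
    """Return (service key, reasons) for entries worth a manual look."""
    findings = []
    for s in services:
        reasons = []
        if s.owner.lower() == "unknown owner":
            reasons.append("unknown owner")
        if s.file_missing:
            reasons.append("file missing")
        if reasons:
            findings.append((s.key, reasons))
    return findings


def removed(before: List[Service], after: List[Service]) -> List[str]:
    """Service keys present in the first log and absent from the second."""
    after_keys = {s.key for s in after}
    return [s.key for s in before if s.key not in after_keys]


if __name__ == "__main__":
    b, a = parse_services(BEFORE), parse_services(AFTER)
    print("flagged before:", flag(b))
    print("flagged after: ", flag(a))
    print("removed:       ", removed(b, a))
```
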

#12
wataka


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
dear bhowett
first step went through no hitch yay
after scanning with hjthis for the second step i noticed that the line O23 help and services doesn't exist
attached is the log
un-installed combofix, do i keep the new batch file?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:13 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4978 bytes
  • 0

#13
BHowett


    OT Moderator

  • Moderator
  • 4,642 posts
Hi wataka,

Nice work, your system is clean and your logs are looking good. Let's clean out your restore points and we're done!!

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

==============================================


This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any questions or problems you still have.

I know you already have some of the programs like Antivirus, or 3rd party firewall, but I still like to share the information in case you ever need it, or want to change them.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer) Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.


Thanks for letting us help you!

Edited by BHowett, 08 April 2008 - 02:10 PM.

  • 0

#14
wataka


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
dear bhowett
sir you have saved me
i thank u and my warlock thanx u
it has been trying this past few days but you guided me well through it, again i thank you
the only question i have is this: with all the protection that i have on my computer wouldn't adding more programs create conflict?
i do trust avg virus cleaner to do the job although in this case i guess it was caught with its pants down. i'm still running it along side adaware, should i also uninstall/delete the following hjthislog dss atf-cleaner?
i know that i'm probably dancing on your last nerve sorry
but your help was tremendous to say the least
  • 0

#15
BHowett


    OT Moderator

  • Moderator
  • 4,642 posts

the only question i have is this: with all the protection that i have on my computer wouldn't adding more programs create conflict?

All of the programs/files in my closing speech down to number 8 can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, for numbers 9 & 10 in my closing speech we don't recommend installing more than one anti-virus program or firewall program. They will conflict, and provide less protection. I just give them to you in my closing speech in case you ever need them.



should i also uninstall/delete the following hjthislog dss atf-cleaner?

Yes, you can uninstall all of them; however, I would recommend keeping ATF Cleaner. It is a handy tool to have so you can clean out all your junk temp files, cookies, etc. every so often. I use it on my system about every three days to clear up the junk.



i know that i'm probably dancing on your last nerve sorry

Not at all…. That’s what I’m here for :)



Have a great day and happy surfing
  • 0





