MalwareRemoval.com forum - Malware Removal Instructions

Hard drive is a mess

Post by Ineedhelp » November 25th, 2007, 4:08 pm

First off, I just want to thank you for making your services available to the public. It is just SO frustrating having computer predators out there messing with innocent systems, so thanks for any help you can provide. Anyway, I have downloaded and run multiple free/trial anti-virus programs including ad-aware, Trojan Hunter, McAfee and Symantec's trial versions and my HD still seems to be plagued. Here is my Hijackthis log. I hope you can find the problems as my hard drive is dangerously close to useless after extended internet sessions (even with using Firefox). Thanks again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:14 PM, on 11/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Updater.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {4305A801-B909-4ECD-9F3D-893E0C2392A5} - C:\Program Files\Outlook Express\sadegok4444.dll (file missing)
O2 - BHO: (no name) - {745DD318-EB77-4518-8147-5722207B1950} - C:\Program Files\Outlook Express\sadegok83122.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {d767b7ea-79e9-41a2-ba8d-774ed0da7961} - C:\WINDOWS\System32\sqhvlyt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7298287859
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\baxynyfsyb.html

--
End of file - 11264 bytes
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm
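A helper reading a HijackThis log like the one above starts by picking out a few entry types: BHOs with no name or a missing file (O2), autoruns launched from the user profile (O4), services with no vendor (O23) and Active Desktop components (O24). The script below is an added example that does that first pass over a handful of lines copied from the posted log; it is not MalwareRemoval.com's or HijackThis's own code, and its four rules are this example's heuristics for what to look at next, not verdicts.

```python
"""Triage a HijackThis v2 log for the entry types a helper checks first.

Added example for this thread; it is not MalwareRemoval.com's or HijackThis's
own code.  The four rules below are this example's heuristics: they mark entries
as worth a second look, they do not declare anything malicious.
"""
import re

# Sample input: a subset of the lines from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {4305A801-B909-4ECD-9F3D-893E0C2392A5} - C:\Program Files\Outlook Express\sadegok4444.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\baxynyfsyb.html
"""

# An HJT entry is "<section> - <body>", e.g. "O2 - BHO: ...", "R1 - HKCU\...".
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Profile directories that any process running as the logged-on user can write to.
PROFILE_DIR = re.compile(r"\\(Application Data|Local Settings|Temp)\\", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Split an HJT log into (section, body) pairs, skipping process lists and headers."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, body) for every entry matching one of the heuristics."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "O2" and ("(no name)" in body or "(file missing)" in body or "(no file)" in body):
            # A BHO without a name, or whose DLL is gone, is either a leftover
            # or something an earlier scanner removed only partially.
            findings.append((sec, "unnamed or orphaned BHO", body))
        elif sec == "O4" and PROFILE_DIR.search(body):
            # Legitimate autoruns normally point into Program Files or System32.
            findings.append((sec, "autorun launched from a user-writable profile directory", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service without a vendor string", body))
        elif sec == "O24":
            # Active Desktop components are rarely set on purpose by the user.
            findings.append((sec, "Active Desktop component", body))
    return findings


def flagged_clsids(findings):
    """CLSIDs of the flagged BHOs: the registry keys a cleanup script would remove."""
    return [CLSID.search(body).group(0) for sec, _, body in findings if sec == "O2"]


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:>3}  {reason}\n     {body}")
```

Run against the sample, the script flags both orphaned BHOs, the autorun in Application Data, the vendorless "Network Monitor" service and the O24 component, and leaves the Adobe BHO, the QuickTime autorun and the NVIDIA service alone; the CLSIDs it returns are the same ones that appear under `Registry::` in the CFScript later in the thread.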

Re: Hard drive is a mess

Post by Katana » November 27th, 2007, 4:35 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D


I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
It is a Password Stealer. See HERE for more details.

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :(



Download and Run ComboFix
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix SHOULD NOT be used without supervision
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hard drive is a mess

Post by Ineedhelp » November 27th, 2007, 7:47 pm

Wow. Thank you for your response. I will take all of your recommended actions immediately, however I have one important question. While I have never had (or never noticed) any major problems like this, I have always maintained a secondary bootable hard drive on this machine just in case of this kind of thing and I have been booting from this second hard drive ever since I have noticed the current problem/virus. I have not seen any symptoms of problems when I boot from the secondary HD.

My primary question is, can/will this virus migrate to my secondary HD, or alternatively, is the virus active when I boot from this second HD and use the original as a slave HD to retrieve data, but not run any applications? I.e., if I log into banking/financial websites while booted from this second HD, will I still have virus problems? I can post another HijackThis log of the secondary (current) HD if you think this will be helpful.

Second, while I will definitely run your recommended fixes, would I be better off just scrapping the entire HD once I have transferred all data files, or will the original be workable after the fixes? Thanks again for your time and your warnings.
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm

Re: Hard drive is a mess

Post by Katana » November 27th, 2007, 8:07 pm

Which drive did you boot from to produce the HJT log?
The infection showing at the moment shouldn't affect a second boot drive, but it depends what else is there.
If you are suggesting changing your passwords using this second boot, then I would say don't.
Use an entirely different computer.

At the moment it looks like a simple removal will sort the problem, however I can't guarantee that something else won't show up in the rest of the scans we do.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hard drive is a mess

Post by Ineedhelp » November 27th, 2007, 8:40 pm

Thank you for your prompt response.

The HJT log I posted originally came from the original (infected) Hard Drive - I booted from that drive and ran the HJT scan on the same drive. I will take your advice and change PWs using another machine entirely and I will clear my PW file from both drives - at least as they exist on Firefox. Here is the combofix log you suggested - also run from the infected drive (Downloaded from your posted link on the 2nd drive and copied to the infected drive. It re-booted the computer once during its scanning, but then produced the following log):

ComboFix 07-11-19.4 - Steven Lever 2007-11-27 19:07:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.673 [GMT -5:00]
Running from: C:\Documents and Settings\Steven Lever\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ComPlus Applications\baxynyfsyb.html
C:\Program Files\network monitor
C:\Program Files\web buying
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-25 14:39 <DIR> d-------- C:\Documents and Settings\Steven Lever\Application Data\TrojanHunter
2007-11-25 12:42 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-25 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-05 19:09 170 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-04 16:59 <DIR> d-------- C:\Documents and Settings\Steven Lever\Application Data\SiteAdvisor
2007-11-04 13:29 6,569 ---hs---- C:\WINDOWS\system32\ehhkj.ini2
2007-11-04 13:29 6,505 --ahs---- C:\WINDOWS\system32\ehhkj.ini
2007-11-04 13:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-04 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-04 13:24 11,198 ---hs---- C:\WINDOWS\system32\ehhkj.tmp
2007-11-04 13:22 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-11-04 13:20 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-04 13:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-04 13:20 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-04 13:20 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-04 13:20 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-04 13:20 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-04 13:19 <DIR> d-------- C:\Program Files\McAfee.com
2007-11-04 13:19 <DIR> d-------- C:\Program Files\McAfee
2007-11-04 13:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-04 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-04 13:09 22,016 --a------ C:\wndckxg.exe
2007-11-04 13:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-11-04 12:31 6,505 ---hs---- C:\WINDOWS\system32\ehhkj.bak1
2007-11-03 17:47 <DIR> d--hs---- C:\WINDOWS\U3RldmVuIExldmVy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 21:53 --------- d-----w C:\Program Files\Absolute Poker
2007-11-04 17:48 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-11-04 17:46 --------- d-----w C:\Documents and Settings\Steven Lever\Application Data\OpenOffice.org2
2007-10-15 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-11 03:42 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-07 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-07 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-07 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-06 19:36 --------- d-----w C:\Program Files\Yahoo!
2002-10-16 04:23 982,080 ----a-w C:\Program Files\pal_install.exe
2002-10-10 05:27 3,401,216 ----a-w C:\Program Files\ut2003-demo-patch-1.exe
2002-10-10 05:24 102,461,952 ----a-w C:\Program Files\UT2003-Demo.exe
2002-10-09 04:42 6,945,768 -c--a-w C:\Program Files\act26.exe
2002-10-04 17:37 1,216,000 ----a-w C:\Program Files\mirc603.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F}]
C:\WINDOWS\System32\jkhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4305A801-B909-4ECD-9F3D-893E0C2392A5}]
C:\Program Files\Outlook Express\sadegok4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{745DD318-EB77-4518-8147-5722207B1950}]
C:\Program Files\Outlook Express\sadegok83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d767b7ea-79e9-41a2-ba8d-774ed0da7961}]
C:\WINDOWS\System32\sqhvlyt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2002-05-02 11:57]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2004-12-07 16:44]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 20:30]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"Microsft Windows Adapter 5.1.3013"="C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2002-12-09 22:36]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-18 07:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-11-11 13:47 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 22:44]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-06-16 15:14]
"NvMediaCenter"="RUNDLL32.exe" [2001-08-18 07:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\system32\CTHELPER.EXE]
"ISLP2STA.EXE"="ISLP2STA.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-27 18:43]
"iRiver Updater"="\Updater.exe" [2004-07-01 16:20]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-27]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-27]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-07-12 23:16:29]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 TeksKernel;TeksKernel;C:\WINDOWS\System32\Drivers\TeksKernel.sys
R2 ProductivITService;ProductivIT Service;C:\Program Files\AlienAutopsy\TEKS_Service.exe
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\islp2nds.sys
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\System32\DRIVERS\C-itnt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 18:19:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-04 18:19:54 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 19:12:34
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 19:13:57 - machine was rebooted
.
--- E O F ---
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm
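The "Files Created" section of the ComboFix log above is where a helper looks for files the user did not create: entries carrying the hidden+system attribute bits, executables sitting directly in the drive root, and names that are not names at all. The script below is an added example, not ComboFix's own code, that parses a subset of the posted lines and applies those three checks; the attribute positions (directory at 0, archive at 2, hidden at 3, system at 4) are inferred from the posted log, and the checks are this example's heuristics. The last one decodes any directory name that is valid base64; on this log it turns `U3RldmVuIExldmVy` into the user name that appears in the profile paths elsewhere in the same log.

```python
"""Triage the "Files Created" section of a ComboFix log.

Added example for this thread; it is not ComboFix's own code.  The three checks
are this example's heuristics for entries worth asking about, not verdicts.
"""
import base64
import re

# Sample input: lines copied from the ComboFix log posted above (a subset).
SAMPLE = r"""
2007-11-25 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 19:09 170 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-04 13:29 6,569 ---hs---- C:\WINDOWS\system32\ehhkj.ini2
2007-11-04 13:29 6,505 --ahs---- C:\WINDOWS\system32\ehhkj.ini
2007-11-04 13:24 11,198 ---hs---- C:\WINDOWS\system32\ehhkj.tmp
2007-11-04 13:20 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-04 13:09 22,016 --a------ C:\wndckxg.exe
2007-11-04 12:31 6,505 ---hs---- C:\WINDOWS\system32\ehhkj.bak1
2007-11-03 17:47 <DIR> d--hs---- C:\WINDOWS\U3RldmVuIExldmVy
"""

# "<date> <time> <size or <DIR>> <9-char attribute string> <path>".  Inferred from
# the posted log: the attribute string shows directory, archive, hidden and system
# bits at positions 0, 2, 3 and 4.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attr>[a-z-]{9})\s+(?P<path>.+)$"
)
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(name):
    """Return the text if `name` is base64 for printable ASCII, else None."""
    if len(name) % 4 or not B64_NAME.match(name):
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None


def triage_created(text):
    """Return [(path, [reasons])] for entries matching any heuristic."""
    findings = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        attr, path = m.group("attr"), m.group("path")
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if attr[3] == "h" and attr[4] == "s":
            # Hidden+system keeps a file out of default Explorer listings.
            reasons.append("hidden+system attributes")
        if ROOT_EXE.match(path):
            reasons.append("executable dropped in drive root")
        decoded = decode_if_base64(name)
        if decoded:
            # A name that is only valid base64 is worth decoding before asking about it.
            reasons.append(f"name is base64 for {decoded!r}")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_created(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

On the sample this flags the four `ehhkj.*` files and the base64-named directory for their hidden+system bits, and `C:\wndckxg.exe` for its location; the McAfee driver, the Trend Micro directory and `spupdsvc.inf` (which the helper still asks to have scanned, since the size and date alone do not clear it) are not flagged.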

Re: Hard drive is a mess

Post by Katana » November 27th, 2007, 9:16 pm

Submit a File For Analysis
We need to have the files below scanned by uploading them to VirusTotal.

Please visit Virustotal
Copy/paste the following file path into the window
C:\WINDOWS\system32\spupdsvc.inf
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following files:
C:\wndckxg.exe
C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
C:\Program Files\Outlook Express\sadegok83122.dll
C:\Program Files\Outlook Express\sadegok4444.dll

If VirusTotal is too busy, please try Jotti.



Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://malwareremoval.com/forum/viewtopic.php?f=11&t=25602&p=241267#p241267
    Comment:: Katana MRU
    
    Suspect::[4]
    C:\wndckxg.exe
    C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
    C:\Program Files\Outlook Express\sadegok83122.dll
    C:\Program Files\Outlook Express\sadegok4444.dll
    
    DirLook::
    C:\WINDOWS\U3RldmVuIExldmVy
    
    File::
    C:\WINDOWS\System32\sqhvlyt.dll
    C:\WINDOWS\System32\jkhhe.dll
    C:\WINDOWS\system32\ehhkj.ini2
    C:\WINDOWS\system32\ehhkj.ini
    C:\WINDOWS\system32\ehhkj.tmp
    C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
    C:\WINDOWS\system32\ehhkj.bak1
    C:\Program Files\Outlook Express\sadegok83122.dll
    C:\Program Files\Outlook Express\sadegok4444.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4305A801-B909-4ECD-9F3D-893E0C2392A5}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{745DD318-EB77-4518-8147-5722207B1950}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d767b7ea-79e9-41a2-ba8d-774ed0da7961}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsft Windows Adapter 5.1.3013"=-
    

  • Save this as CFScript.txt and place it on your desktop.


    [screenshot]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet; this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click Add/Remove Programs, and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hard drive is a mess

Post by Ineedhelp » November 27th, 2007, 9:38 pm

I assume each of the instructions you gave me assumes I am booting from the infected drive? Given the problems and dangers, I have been responding to this thread booting from the safer, secondary drive and copying log (.txt) files to a folder on this drive. Is it OK to run the proposed VirusTotal scans using the same paths, but instead of C:, using F: (the 'other' drive)? I have done this with the first file you requested and have posted the results below. I will follow your instructions re: Java after running those scans, unless you suggest otherwise. If the scans will work using F:, I will post the rest of the results upon hearing your reply. THANK YOU!!!!!!!!!!!!!!

File spupdsvc.inf received on 11.28.2007 02:27:18 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.28.0 2007.11.27 -
AntiVir 7.6.0.34 2007.11.27 -
Authentium 4.93.8 2007.11.28 -
Avast 4.7.1074.0 2007.11.27 -
AVG 7.5.0.503 2007.11.27 -
BitDefender 7.2 2007.11.28 -
CAT-QuickHeal 9.00 2007.11.27 -
ClamAV 0.91.2 2007.11.28 -
DrWeb 4.44.0.09170 2007.11.27 -
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5332 2007.11.27 -
Ewido 4.0 2007.11.27 -
FileAdvisor 1 2007.11.28 -
Fortinet 3.14.0.0 2007.11.27 -
F-Prot 4.4.2.54 2007.11.28 -
F-Secure 6.70.13030.0 2007.11.28 -
Ikarus T3.1.1.12 2007.11.28 -
Kaspersky 7.0.0.125 2007.11.28 -
McAfee 5172 2007.11.27 -
Microsoft 1.3007 2007.11.28 -
NOD32v2 2689 2007.11.28 -
Norman 5.80.02 2007.11.27 -
Panda 9.0.0.4 2007.11.26 -
Prevx1 V2 2007.11.28 -
Rising 20.20.12.00 2007.11.27 -
Sophos 4.23.0 2007.11.28 -
Sunbelt 2.2.907.0 2007.11.27 -
Symantec 10 2007.11.28 -
TheHacker 6.2.9.144 2007.11.28 -
VBA32 3.12.2.5 2007.11.27 -
VirusBuster 4.3.26:9 2007.11.27 -
Webwasher-Gateway 6.6.2 2007.11.28 -
Additional information
File size: 170 bytes
MD5: ef244fba809b9fa60b655b229fd8f4e2
SHA1: 27a3a854d78f497ae58d2edfdf8e86d0fafb044b
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm
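The helper asks for VirusTotal results because one engine's "-" means little on its own: the question is how many engines fire and whether they agree on a family. The script below is an added example, not VirusTotal's or MalwareRemoval.com's code, that parses a result table in the form pasted in this thread (engine, version, update date, result per line) and summarises it. The sample tables are subsets of the two results posted in this thread: the clean `spupdsvc.inf` scan above and the `wndckxg.exe` scan later on. The scoring rule in `verdict()` is this example's own choice, not a VirusTotal feature.

```python
"""Aggregate a VirusTotal result table as pasted into this thread.

Added example; not VirusTotal's or MalwareRemoval.com's code.  The scoring rule
in verdict() is this example's own choice, not a VirusTotal feature.
"""
import re
from collections import Counter

# Sample input: lines from the scan results posted in this thread (a subset of engines).
SAMPLE_DETECTED = """\
File wndckxg.exe received on 11.28.2007 03:34:22 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.28.0 2007.11.27 -
AntiVir 7.6.0.34 2007.11.27 DR/Delphi.Gen
Authentium 4.93.8 2007.11.28 -
AVG 7.5.0.503 2007.11.27 SHeur.ZAK
BitDefender 7.2 2007.11.28 Trojan.PWS.LDPinch.TDD
CAT-QuickHeal 9.00 2007.11.27 -
DrWeb 4.44.0.09170 2007.11.27 Trojan.Packed.194
F-Secure 6.70.13030.0 2007.11.28 W32/Zapchast.AXA
Ikarus T3.1.1.12 2007.11.28 Virus.Win32.Zapchast.DA
Kaspersky 7.0.0.125 2007.11.28 -
Prevx1 V2 2007.11.28 SHeur.ZAK
Symantec 10 2007.11.28 Trojan.Secup
Additional information
File size: 22016 bytes
MD5: 7b09c042d27bfa365fff51337f085404
"""

SAMPLE_CLEAN = """\
File spupdsvc.inf received on 11.28.2007 02:27:18 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.28.0 2007.11.27 -
AntiVir 7.6.0.34 2007.11.27 -
Kaspersky 7.0.0.125 2007.11.28 -
Symantec 10 2007.11.28 -
MD5: ef244fba809b9fa60b655b229fd8f4e2
"""

DATE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Words that name a category rather than a family; ignored when looking for agreement.
GENERIC = {"trojan", "virus", "malware", "generic", "packed", "dropper", "adware", "worm"}


def parse_results(text):
    """Return {engine: result_or_None}; a result of '-' means the engine saw nothing."""
    results = {}
    for line in text.splitlines():
        tokens = line.split()
        # Engine rows end in "<version...> <update date> <result>"; header and
        # "Additional information" lines do not.
        if len(tokens) < 4 or not DATE.match(tokens[-2]):
            continue
        engine, result = tokens[0], tokens[-1]
        results[engine] = None if result == "-" else result
    return results


def shared_families(results):
    """Family names (lower-cased, 5+ letters) that two or more engines agree on."""
    counts = Counter()
    for result in results.values():
        if result:
            words = {w.lower() for w in re.findall(r"[A-Za-z]{5,}", result)}
            counts.update(words - GENERIC)
    return {name: n for name, n in counts.items() if n >= 2}


def verdict(text):
    """Summarise a pasted VirusTotal table."""
    results = parse_results(text)
    detected = sum(1 for r in results.values() if r)
    families = shared_families(results)
    # Assumption of this example: a quarter of the engines, or two engines naming
    # the same family, is enough to treat the file as malicious rather than as a
    # possible false positive.
    malicious = bool(results) and (detected * 4 >= len(results) or bool(families))
    return {"engines": len(results), "detected": detected, "families": families, "malicious": malicious}


if __name__ == "__main__":
    print(verdict(SAMPLE_DETECTED))
    print(verdict(SAMPLE_CLEAN))
```

For the `wndckxg.exe` subset this reports 8 of 12 engines firing, with two engines each naming `SHeur` and `Zapchast`; for the `spupdsvc.inf` subset it reports 0 of 4 and no shared family. Engines that do fire still use different names for the same file (a PWS/LDPinch family name from one, a generic dropper or packer name from another), which is why the helper reads the whole column rather than a single result.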

Re: Hard drive is a mess

Post by Katana » November 27th, 2007, 10:10 pm

You can use the second drive to access the internet, ie doing the online scan is OK but you need to boot to the infected drive to run any tools.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hard drive is a mess

Unread postby Ineedhelp » November 27th, 2007, 11:01 pm

Here are the additional scans you asked for (Virustotal and the custom Combofix logs):

for the file: C:\wndckxg.exe virustotal Log:

File wndckxg.exe received on 11.28.2007 03:34:22 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.28.0 2007.11.27 -
AntiVir 7.6.0.34 2007.11.27 DR/Delphi.Gen
Authentium 4.93.8 2007.11.28 -
Avast 4.7.1074.0 2007.11.27 -
AVG 7.5.0.503 2007.11.27 SHeur.ZAK
BitDefender 7.2 2007.11.28 Trojan.PWS.LDPinch.TDD
CAT-QuickHeal 9.00 2007.11.27 -
ClamAV 0.91.2 2007.11.28 -
DrWeb 4.44.0.09170 2007.11.27 Trojan.Packed.194
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5332 2007.11.27 -
Ewido 4.0 2007.11.27 -
FileAdvisor 1 2007.11.28 -
Fortinet 3.14.0.0 2007.11.27 -
F-Prot 4.4.2.54 2007.11.28 -
F-Secure 6.70.13030.0 2007.11.28 W32/Zapchast.AXA
Ikarus T3.1.1.12 2007.11.28 Virus.Win32.Zapchast.DA
Kaspersky 7.0.0.125 2007.11.28 -
McAfee 5172 2007.11.27 -
Microsoft 1.3007 2007.11.28 -
NOD32v2 2689 2007.11.28 -
Norman 5.80.02 2007.11.27 W32/Zapchast.AXA
Panda 9.0.0.4 2007.11.26 Adware/SecurityError
Prevx1 V2 2007.11.28 SHeur.ZAK
Rising 20.20.12.00 2007.11.27 Trojan.DL.Win32.Agent.bxw
Sophos 4.23.0 2007.11.28 Mal/Dropper-T
Sunbelt 2.2.907.0 2007.11.27 -
Symantec 10 2007.11.28 Trojan.Secup
TheHacker 6.2.9.144 2007.11.28 -
VBA32 3.12.2.5 2007.11.27 -
VirusBuster 4.3.26:9 2007.11.27 -
Webwasher-Gateway 6.6.2 2007.11.28 Trojan.Dropper.Delphi.Gen

Additional information
File size: 22016 bytes
MD5: 7b09c042d27bfa365fff51337f085404
SHA1: 1c8b152a40e88767b1376cfde0d36d7a6fa0f6b1
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00E737663A

For the other 3 files,
C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
C:\Program Files\Outlook Express\sadegok83122.dll
C:\Program Files\Outlook Express\sadegok4444.dll

I received errors from VirusTotal: "0 bytes size received / Se ha recibido un archivo vacio"

I also ran that custom script for ComboFix which produced the following log, but when I clicked OK to submit the file for further analysis, I received an error that a certain file was not found. That scan did produce a log (below) and 2 files on my desktop - a zip file and an html file, "CF-Submit.Htm":

ComboFix 07-11-19.4 - Steven Lever 2007-11-27 21:47:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.667 [GMT -5:00]
Running from: C:\Documents and Settings\Steven Lever\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven Lever\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
C:\Program Files\Outlook Express\sadegok4444.dll
C:\Program Files\Outlook Express\sadegok83122.dll
C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\ehhkj.tmp
C:\WINDOWS\System32\jkhhe.dll
C:\WINDOWS\System32\sqhvlyt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ehhkj.bak1
C:\WINDOWS\system32\ehhkj.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\ehhkj.tmp

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-25 14:39 <DIR> d-------- C:\Documents and Settings\Steven Lever\Application Data\TrojanHunter
2007-11-25 12:42 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-25 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 19:10 <DIR> d-------- C:\VundoFix Backups
2007-11-05 19:09 170 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-04 16:59 <DIR> d-------- C:\Documents and Settings\Steven Lever\Application Data\SiteAdvisor
2007-11-04 13:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-04 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-04 13:22 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-11-04 13:20 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-04 13:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-04 13:20 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-04 13:20 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-04 13:20 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-04 13:20 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-04 13:19 <DIR> d-------- C:\Program Files\McAfee.com
2007-11-04 13:19 <DIR> d-------- C:\Program Files\McAfee
2007-11-04 13:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-04 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-04 13:09 22,016 --a------ C:\wndckxg.exe
2007-11-04 13:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-11-03 17:47 <DIR> d--hs---- C:\WINDOWS\U3RldmVuIExldmVy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 21:53 --------- d-----w C:\Program Files\Absolute Poker
2007-11-04 17:48 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-11-04 17:46 --------- d-----w C:\Documents and Settings\Steven Lever\Application Data\OpenOffice.org2
2007-10-15 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-11 03:42 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-07 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-07 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-07 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-06 19:36 --------- d-----w C:\Program Files\Yahoo!
2002-10-16 04:23 982,080 ----a-w C:\Program Files\pal_install.exe
2002-10-10 05:27 3,401,216 ----a-w C:\Program Files\ut2003-demo-patch-1.exe
2002-10-10 05:24 102,461,952 ----a-w C:\Program Files\UT2003-Demo.exe
2002-10-09 04:42 6,945,768 -c--a-w C:\Program Files\act26.exe
2002-10-04 17:37 1,216,000 ----a-w C:\Program Files\mirc603.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\U3RldmVuIExldmVy ----



((((((((((((((((((((((((((((( snapshot@2007-11-27_19.13.27.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-26 00:28:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-28 00:16:48 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-26 00:28:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 00:16:48 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-26 00:28:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-28 00:16:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-29 14:34:03 40,664 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-28 00:13:17 40,664 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2006-10-29 14:34:03 312,946 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-28 00:13:17 312,946 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F}]
C:\WINDOWS\System32\jkhhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4305A801-B909-4ECD-9F3D-893E0C2392A5}]
C:\Program Files\Outlook Express\sadegok4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{745DD318-EB77-4518-8147-5722207B1950}]
C:\Program Files\Outlook Express\sadegok83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d767b7ea-79e9-41a2-ba8d-774ed0da7961}]
C:\WINDOWS\System32\sqhvlyt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2002-05-02 11:57]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2004-12-07 16:44]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 20:30]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"Microsft Windows Adapter 5.1.3013"="C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2002-12-09 22:36]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-18 07:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-11-11 13:47 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 22:44]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-06-16 15:14]
"NvMediaCenter"="RUNDLL32.exe" [2001-08-18 07:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\system32\CTHELPER.EXE]
"ISLP2STA.EXE"="ISLP2STA.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-27 18:43]
"iRiver Updater"="\Updater.exe" [2004-07-01 16:20]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-27]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-27]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-07-12 23:16:29]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 TeksKernel;TeksKernel;C:\WINDOWS\System32\Drivers\TeksKernel.sys
R2 ProductivITService;ProductivIT Service;C:\Program Files\AlienAutopsy\TEKS_Service.exe
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\islp2nds.sys
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\System32\DRIVERS\C-itnt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 18:19:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-04 18:19:54 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 21:49:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 21:50:28
C:\ComboFix2.txt ... 2007-11-27 19:13
.
--- E O F ---
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm

Re: Hard drive is a mess

Unread postby Ineedhelp » November 27th, 2007, 11:26 pm

P.S. On the infected Hard Drive (I am on it currently as I ran those previous scans/tools), Firefox no longer opens. I uninstalled it, DL'd the latest version and reinstalled it only to find the same error when opening Firefox:

"Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system."

I have restarted (twice) and have looked at my task manager and there is no firefox process listed.

This is a secondary problem to the primary virus we have been working on, but I wanted to inform you. Thanks!
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm

Re: Hard drive is a mess

Unread postby Katana » November 28th, 2007, 5:33 am

We need to sort a couple of things before we get any deeper, as they will leave you open to reinfection.
I will sort out the file submission and look at Firefox later :)

Uninstall MS-JVM

1. Click on Start then Run. Copy/paste the following into the Run: text box:

RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall

2. Click the OK button. You will see a confirmation prompt like the one below:
Image

3. Click the Yes button to start the uninstall process of the MS-JVM.

Windows will uninstall the files and then give you a prompt asking whether or not you want to restart the computer. You should press the Yes button to allow it to do so.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\wndckxg.exe
    c:\windows\inf\java.pnf
    
    Folder::
    c:\windows\java
    C:\WINDOWS\U3RldmVuIExldmVy
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Java VM]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4305A801-B909-4ECD-9F3D-893E0C2392A5}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{745DD318-EB77-4518-8147-5722207B1950}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d767b7ea-79e9-41a2-ba8d-774ed0da7961}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsft Windows Adapter 5.1.3013"=-
    
    File::
    C:\WINDOWS\System32\msjava.dll
    c:\windows\system32\wjview.exe
    c:\windows\system32\jview.exe

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines ( If Still Present )
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll (file missing)
O2 - BHO: (no name) - {4305A801-B909-4ECD-9F3D-893E0C2392A5} - C:\Program Files\Outlook Express\sadegok4444.dll (file missing)
O2 - BHO: (no name) - {745DD318-EB77-4518-8147-5722207B1950} - C:\Program Files\Outlook Express\sadegok83122.dll (file missing)
O2 - BHO: (no name) - {d767b7ea-79e9-41a2-ba8d-774ed0da7961} - C:\WINDOWS\System32\sqhvlyt.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll (file missing)

O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe (file missing)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.0.8.cab

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
If you don't know what the following is, then remove this as well
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\baxynyfsyb.html

Close ALL open windows (especially Internet Explorer!)
Now click Fix checked
Click yes to any prompts
Close HijackThis


Please post the Combofix log and a fresh HJT log in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
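As an added example (not code from this thread, nor from HijackThis or ComboFix), the Python script below parses the O2, O4 and O23 lines of an HJT log, flags the orphan BHOs, the autostart living in Application Data and the unknown-owner service the way the fix above does, and renders the matching File:: and Registry:: removals in the CFScript form used in this post. The sample lines are copied from this thread's logs; the triage rules are this example's own assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: five HijackThis lines copied from the logs in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {0784777B-E812-4EFE-BEDF-7F6ECDA9FA8F} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Steven Lever\Application Data\ykoazdrrjrt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# HJT line shapes for the three section types handled here (O2 = BHO, O4 = Run key, O23 = service).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# Per-user data folders: legitimate autostarts almost never live there (ykoazdrrjrt.exe above does).
USER_DATA_RE = re.compile(r"\\(Application Data|Local Settings|Temp)\\", re.I)


def _executable(cmd):
    """Return the program path from a Run value: the quoted path, or the text up to the first extension."""
    m = re.match(r'"?(?P<exe>.*?\.(?:exe|dll|com|scr|bat|cmd))"?', cmd, re.I)
    return m["exe"] if m else cmd


def _vendor_lookalike(name):
    """Crude brand check: a word close to, but not exactly, 'microsoft' (e.g. 'Microsft')."""
    for word in re.findall(r"[a-z]+", name.lower()):
        if word != "microsoft" and SequenceMatcher(None, word, "microsoft").ratio() >= 0.85:
            return True
    return False


def parse_hjt(text):
    """Turn O2/O4/O23 lines of a HijackThis log into dicts; other line types are skipped."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := BHO_RE.match(line):
            entries.append({"kind": "bho", "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "missing": bool(m["missing"])})
        elif m := RUN_RE.match(line):
            entries.append({"kind": "run", "name": m["name"], "hive": m["hive"],
                            "exe": _executable(m["cmd"].strip())})
        elif m := SVC_RE.match(line):
            entries.append({"kind": "service", "name": m["name"], "owner": m["owner"],
                            "path": m["path"], "missing": bool(m["missing"])})
    return entries


def triage(entries):
    """Attach plain-language reasons to the entries worth removing or reviewing (assumed rules)."""
    findings = []
    for e in entries:
        reasons = []
        if e["kind"] == "bho":
            if e["missing"]:
                reasons.append("BHO registered but its DLL is gone (orphan left by a dropper or a partial clean)")
            if e["name"] == "(no name)":
                reasons.append("BHO with no display name")
        elif e["kind"] == "run":
            if USER_DATA_RE.search(e["exe"]):
                reasons.append("autostart executable stored under a user data folder")
            if _vendor_lookalike(e["name"]):
                reasons.append("autostart name imitates a Microsoft product")
        elif e["kind"] == "service":
            if e["missing"] or e["owner"] == "Unknown owner":
                reasons.append("service with unknown owner or missing binary")
        if reasons:
            findings.append({"entry": e, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Render flagged BHO and Run entries in the CFScript form used in this thread
    (File::, and Registry:: with [-key] to delete a key and "value"=- to delete a value).
    Services are reported only; the thread's script does not remove services."""
    files, reg = [], []
    for f in findings:
        e = f["entry"]
        if e["kind"] == "bho":
            reg.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}]\n" % e["clsid"])
            if not e["missing"]:
                files.append(e["path"])
        elif e["kind"] == "run":
            hive = "HKEY_CURRENT_USER" if e["hive"] == "HKCU" else "HKEY_LOCAL_MACHINE"
            reg.append('[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"%s"=-\n' % (hive, e["name"]))
            files.append(e["exe"])
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files) + "\n")
    if reg:
        parts.append("Registry::\n" + "\n".join(reg))
    return "\n".join(parts)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT))
    for f in found:
        print(f["entry"]["name"], "->", "; ".join(f["reasons"]))
    print(build_cfscript(found))
```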

Re: Hard drive is a mess

Unread postby Ineedhelp » November 28th, 2007, 10:47 am

You are a lifesaver - I am already noticing improvements using IE (which I haven't used unless necessary for nearly 2 years due to problems). Anyway - here are the new logs after the fixes:

The custom combofix log:

ComboFix 07-11-19.4 - Steven Lever 2007-11-28 8:51:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.665 [GMT -5:00]
Running from: C:\Documents and Settings\Steven Lever\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven Lever\Desktop\CFScript.txt
* Created a new restore point

FILE
c:\windows\inf\java.pnf
C:\WINDOWS\System32\msjava.dll
c:\windows\system32\wjview.exec:\windows\system32\jview.exe
C:\wndckxg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\inf\java.pnf
c:\windows\java
c:\windows\java\classes\osp.cer
C:\WINDOWS\U3RldmVuIExldmVy
C:\wndckxg.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 22:19 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-27 22:18 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-25 14:39 <DIR> d-------- C:\Documents and Settings\Steven Lever\Application Data\TrojanHunter
2007-11-25 12:42 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-25 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-05 19:09 170 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-04 16:59 <DIR> d-------- C:\Documents and Settings\Steven Lever\Application Data\SiteAdvisor
2007-11-04 13:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-04 13:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-04 13:22 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-11-04 13:20 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-04 13:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-04 13:20 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-04 13:20 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-04 13:20 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-04 13:20 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-04 13:19 <DIR> d-------- C:\Program Files\McAfee.com
2007-11-04 13:19 <DIR> d-------- C:\Program Files\McAfee
2007-11-04 13:19 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-11-04 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 03:19 --------- d-----w C:\Program Files\Java
2007-11-04 21:53 --------- d-----w C:\Program Files\Absolute Poker
2007-11-04 17:48 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-11-04 17:46 --------- d-----w C:\Documents and Settings\Steven Lever\Application Data\OpenOffice.org2
2007-10-15 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-11 03:42 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-07 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-07 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-07 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-06 19:36 --------- d-----w C:\Program Files\Yahoo!
2002-10-16 04:23 982,080 ----a-w C:\Program Files\pal_install.exe
2002-10-10 05:27 3,401,216 ----a-w C:\Program Files\ut2003-demo-patch-1.exe
2002-10-10 05:24 102,461,952 ----a-w C:\Program Files\UT2003-Demo.exe
2002-10-09 04:42 6,945,768 -c--a-w C:\Program Files\act26.exe
2002-10-04 17:37 1,216,000 ----a-w C:\Program Files\mirc603.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_19.13.27.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-26 00:28:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-28 13:41:37 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-26 00:28:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 13:41:37 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-26 00:28:05 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-28 13:41:37 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2004-02-23 02:52:42 24,681 -c--a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-02-23 02:52:44 28,779 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2006-10-29 14:34:03 40,664 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-28 00:13:17 40,664 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2006-10-29 14:34:03 312,946 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-28 00:13:17 312,946 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2002-05-02 11:57]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2004-12-07 16:44]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 20:30]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2002-12-09 22:36]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-18 07:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-11-11 13:47 C:\WINDOWS\system32\nwiz.exe]
"PRONoMgrWired"="c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-06-16 15:14]
"NvMediaCenter"="RUNDLL32.exe" [2001-08-18 07:00 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\system32\CTHELPER.EXE]
"ISLP2STA.EXE"="ISLP2STA.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-27 18:43]
"iRiver Updater"="\Updater.exe" [2004-07-01 16:20]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Microsoft Office Fast Start.lnk - C:\MSOffice\Office\FASTBOOT.EXE [1995-09-27]
Microsoft Office Find Fast Indexer.lnk - C:\MSOffice\Office\FINDFAST.EXE [1995-09-27]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2004-07-12 23:16:29]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 TeksKernel;TeksKernel;C:\WINDOWS\System32\Drivers\TeksKernel.sys
R2 ProductivITService;ProductivIT Service;C:\Program Files\AlienAutopsy\TEKS_Service.exe
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\islp2nds.sys
S3 XIRLINK;IBM PC Camera;C:\WINDOWS\System32\DRIVERS\C-itnt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 18:19:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-04 18:19:54 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 08:52:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 8:53:44
C:\ComboFix2.txt ... 2007-11-27 21:50
C:\ComboFix3.txt ... 2007-11-27 19:13
.
--- E O F ---


And here is a new HJT log after I ran the fixes you suggested (only about half of the files you ID'd were present):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:10 AM, on 11/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Updater.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7298287859
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe (file missing)

--
End of file - 9000 bytes


Still have the Firefox issue, but as you said - first things first! In terms of priority, I will not be able to perform any new scans/checks until about 6pm EST today, but I will check the board for your response. Thanks!
Ineedhelp
Active Member
 
Posts: 14
Joined: November 25th, 2007, 3:59 pm

Re: Hard drive is a mess

Unread postby Katana » November 28th, 2007, 1:19 pm

Ok that is looking a lot better :)

Clean Temporary Internet files
You need to clean out your temporary internet files
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
You need to do this for each user account you have setup.

Kaspersky Online Scanner

Go here: http://www.kaspersky.com/virusscanner (please use IE and allow ActiveX)

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hard drive is a mess

Unread postby Ineedhelp » November 28th, 2007, 10:58 pm

Wow - shoulda told me to use a bigger kettle! Here is the Kaspersky log. I want to note that McAfee was running during the scan and, as has been the case throughout this "problem", I received multiple notices from McAfee re: "unwanted program" being started (aka virus). The two I noted had the following titles: Adware-Isearch and Adware-WebBuying, and both had the following locations:

C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE838B7}\RP772\A0101889.dll and [same]\A0101888.dll

I continue to click remove this program on the McAfee menu, but now I am just leaving it up with no action and it seems to not do anything. Anyway - here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 28, 2007 9:52:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 467928
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 113015
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:38:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{1D95C2BC-E1A2-4DA5-82B6-CFF8FC096D39}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steven Lever\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\Temp\Perflib_Perfdata_93c.dat Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\Temp\sqlite_120t4OkJJgTd6u4 Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\Temp\sqlite_97Rb5isDuCKBggG Object is locked skipped
C:\Documents and Settings\Steven Lever\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steven Lever\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steven Lever\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\ComPlus Applications\baxynyfsyb.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0BBBDD85-4B31-40DF-BFA6-7649C26AE942}\RP43\A0006196.DLL Infected: not-a-virus:AdWare.Win32.MyWay.a skipped
C:\System Volume Information\_restore{0BBBDD85-4B31-40DF-BFA6-7649C26AE942}\RP43\A0006440.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP772\A0101888.dll Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP772\A0101889.dll Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP772\A0101890.exe Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP772\A0101891.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP773\A0103956.dll Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP773\A0103964.vbs Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP773\A0103965.exe Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP773\A0103966.vbs Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP773\A0103967.exe Object is locked skipped
C:\System Volume Information\_restore{E97378F4-90FF-4A18-B065-209578AE83B7}\RP811\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\mcmsc_5MYMppaur2FZHJ2 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_aHfgpEZo8GPIrIo Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Db5ItXwkqhxlXRh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_pg9yMESuUANXyar Object is locked skipped
C:\WINDOWS\Temp\sqlite_wRD82XbnkGzKplp Object is locked skipped
C:\WINDOWS\Temp\sqlite_x9tGVygfNQdNq01 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-0000000A-00001102-00000004-00511102}.CDF Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\01ed8d3dad3b56b3672f79217394b40e_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\047d6f6b104359b07abb79ac6f83da60_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\063ceec6de61e93bb699d7ddca848aff_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08602dae57dceca81a181f2b19fc6215_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0902cc910a600108a6679e3c1b57084d_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0a5d1186e066bdef9e3a7cbfbd2a4bd8_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0bb766b70b343eb9332159012912315c_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f1239591b43df5fb3e781465373bb2b_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\125d8e95f3c18a772296a6e54902a7da_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12a7aa48a5c7f20d05f5d864897f04f6_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12fe8d15a96bd40497dd464d32f45b05_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\14e1d7154a51d5cea01eecb531309ad7_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\15c41b386da6f346f4f373a0baa3376e_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\15c5aa7488facc36ed6f54f2518da8ec_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1601b6459c09eaffb69d97a26392ae66_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\206d330d6b235292366fc75857f97a86_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\21377bc865f9b8f76697319f7e6bb320_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22d8bb34c756a3b02c51a178670f6af0_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25da9d769d2f5479bd48ec3ed579b1e3_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\264564d202d52d8eb02c7383e4859f1d_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\27434cca6d0f6ed8023ebdf79cab7ef2_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2a43d496cb516aed7d9ca1e4b2a47fcb_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2af64933daf825bf8794ec54ca9f3157_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2eb5b49603762dbfd0bec8169ce1c6a4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f38c4f067a15c6ed10672a6f1f0b6be_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\323e3b2ea8bbed7621143879f72fa475_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\32ca0c86dc4923537cdeb1a8141abc9f_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\34b3dc67885380c20e39f34e9126062d_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35eba8795654786ae36fb3c54e6efbb4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\42a061044bcad7e2cfa21c6aaafdafc4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\47106a8771992315160c3081d51f2098_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\476e7b9b04933a457701eb3f01cf3ad6_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48289be80972b215cd445bbf8113afd2_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\49222141e4a29e8da6130a0225bfd84f_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\49e8017b8f678cf7f38854cc16913477_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4adc042d69f31cbb97933bec8e829acb_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4c01c7d0ace5c96bff84c032fdae0493_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51beb771cb32af10a344f51adc0e4510_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\526fb46f5963869382884ec189615399_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52c61deca3e84db00d14b4a0a4a4fde2_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5496acfe2b26fa50f69691a772a71af5_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\557269afd2ca2d11fb36ebd38d1379eb_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5bcc0c3224f542ee54772367492aeaaf_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5d226afa34fa56e241234949e850e69b_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5fdcf267e7670c83079e5b7933120cd3_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\606e4dfd117fa2889c8bed46ebb0ccbc_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60d1814ff69b7e2c6d8f14404b8e904f_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\61469f04099aee96fddd0ffbaafd571f_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62eba7537f80bb6aa9a13d339e6a0f03_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\662e519a820ec27346c655e0c46e2e52_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\68132345660e4477a2b4deee4c8b04f4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\691c1d3381f303d03a90de14ba3bcac0_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\69f27e6b2005ed9a392f26b7ca9059e4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6a0c45b95eff10706fc644d1817c43d3_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b7a8c2288459196aeb4a25b9c8e7e8b_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6d0cf3153d303c9fcf53097660dd7660_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6d4dc88c55125f185a751dc0c2e1a2d0_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\71295f2437c301751ec32adb613f2088_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7193ff50f4d376fc1ce5dc6c17cf960d_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\71ac4a084da6aec7fe9438d4fb2cce3a_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7354bb82c203b098bd07d7f81ee241a4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\739b140c27ba3b98d1696b14c9f37945_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\75540157b97a8f7199bd3474c914ad32_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\793f13353390a8ed242b8c6c9964ba15_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a04ec9fd033ddc122cfc754441525fc_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a7b9a75b6787943303be3129648c737_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a9e450d0e3c2696d5f97b885e3d0836_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7bb2cc03458d8adb88f9f5995d5cb0db_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7caa8ea04417a3355dbb91c407c0b26b_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cd688cb8b2e82c0670f7472ae6984e4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cdaf36307f46bfe4968c9eca1fff1a7_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7edb3d879d0cbf805e84480b3b3b4e4b_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\809d2db5f8bde139dbbdb87c0d96fca4_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\825d01ae0a5bd60bd58a13192fc5b8a2_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\840dcb88a7ca6a7e9ec8ccc9f4f7b076_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\843c02b1e83131bc987122b740ac63f3_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\862f2bb5b559c8c6ada8cb73a5651faa_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\86796b14bd3adf3b0f9030d490a7027e_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8836b6c9470005984f6a24a885c4983b_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8af38c544b3a51aa4be4b38dcf355288_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c376d98e62cca0f43f58241ab4de127_0b55d991-df96-4a54-b45b-045ddd9b6acb Object is locked skipped

Scan process completed.


Next? Thanks!!
Ineedhelp

Re: Hard drive is a mess

Unread postby Katana » November 28th, 2007, 11:19 pm

Well, that looks fine :D

Please can you post a last HJT log, and details of any problems you still have, i.e. is Firefox still acting up?
Katana