
9129837.exe?


  • This topic is locked
32 replies to this topic

#1 Please Help Us


Posted 23 July 2009 - 07:36 AM

Well, ironically, I was scanning my computer, looking at the filenames going by, and a file with the name of the topic ran by. Out of curiosity, never having seen the file before in my life, I decided to check it out. Turns out it's related to this "Troj/DwnLdr-FSA" trojan. Hopefully this shouldn't be that big of a deal, but after running both Malware Antibytes and Symantec's (How I hate that name) End Point Protection scanners at their most recent updated definitions, it seems it's still around. So obviously I wanna get rid of it. The computer I'm using runs Vista, and it has been updated to the latest service packs that I know of. I would like to thank anyone in advance for their time and effort.

:thumbsup:


 


#2 quietman7


Posted 23 July 2009 - 08:09 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Please Help Us


Posted 23 July 2009 - 10:04 AM

Alright sir, as you wish.

Malwarebytes' Anti-Malware 1.39
Database version: 2486
Windows 6.0.6002 Service Pack 2

7/23/2009 4:37:46 AM
mbam-log-2009-07-23 (04-37-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 279905
Time elapsed: 32 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 quietman7


Posted 23 July 2009 - 10:20 AM

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#5 Please Help Us


Posted 24 July 2009 - 09:30 AM

Alright sir... I know something has to be up now.

I ran the ATF Cleaner and DrWebCureIt, and they did their jobs (the latter showing that there weren't any infections at all?!). Then I tried to run Rooter and Windows said that it couldn't run it, saying that Malware Finder couldn't run. Internet Explorer is now super slow as well, and I fear things have only gotten worse. I await your hopefully quick answer.

Also sir, I followed your instructions to the letter, and DrWebCureIt wouldn't let me save a log file even after a complete scan...
Anyway, do you think the virus might be hiding itself somehow? I did see something related to it that, when I looked it up, said that it was supposed to hide the file, but shouldn't booting in safe mode get rid of it as well?
What do I know though, right now I'm just trying to get things up again.
I hope you have a trick up your sleeve, sir.

Edited by Please Help Us, 24 July 2009 - 09:33 AM.


#6 quietman7


Posted 24 July 2009 - 04:09 PM

Please perform a scan with F-Secure Online Scanner
  • Click on the "Start scanning" button under Start your scan.
  • You will be prompted to accept the certificate and the license terms to install the tool.
  • Read the license agreement and click "Accept".
  • You may receive an alert on the address bar at this point to install the ActiveX control.
  • Click on that alert and then click "Install ActiveX component".
  • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
  • When the scan completes, select "Disinfect" and click "Next".
  • When done click "Show report" and copy/paste its contents into your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#7 Please Help Us


Posted 24 July 2009 - 04:39 PM

Sir, should I install this add-on for Internet Explorer? I don't think it'll let me scan unless I'm blind and missed something. Sorry in return if it's the latter.

#8 quietman7


Posted 25 July 2009 - 07:21 AM

You need to allow install of the ActiveX component in order to do a scan.

#9 Please Help Us


Posted 25 July 2009 - 09:47 AM

You need to allow install of the ActiveX component in order to do a scan.


Doh!
Sorry I even see it in your instructions now. Excuse my incompetence, I've been a wee bit off as of late. I'm on my way sir.

#10 Please Help Us


Posted 25 July 2009 - 10:26 AM

Alright sir, I got done with scanning and it found seven files, none of them the ones that the name of the topic applies to. Also the scan seems to have updated from the way you posted it; however, I do think I got the scan statistics you were asking for... and damn do they not scan a lot. I assume it's the stuff hiding the files from the scanner. I'll let you make heads or tails of it though, since I'm not an expert. Also yes, I did do a full scan, and I did follow your options the best I could, sir.

Scanned:
Files: 119694
System: 5047
Not scanned: 81
Actions:
Disinfected: 7
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\JIM\APPDATA\ROAMING\SKYPE\MASTER_OF_CHIMPS\ETILQS_16IXO0NXEHNFHCST7XWI
C:\USERS\JIM\APPDATA\ROAMING\SKYPE\MASTER_OF_CHIMPS\ETILQS_WNLIE4PNJVIJBQVWH1QW
C:\PROGRAMDATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6AE72580A847390D01AECAD25B5C581
C:\PROGRAMDATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6AE72580A84739
C:\PROGRAMDATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKE
C:\PROGRAMDATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\MICROSOFT\CRY
C:\PROGRAMDATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION D
C:\PROGRAMDATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION DATA\APPLICATION D

#11 quietman7


Posted 25 July 2009 - 01:14 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#12 Please Help Us


Posted 25 July 2009 - 01:35 PM

Yes sir, right on it. One question, do you recommend I do this scan in safe mode, or does it matter? I've been following the instructions to a T and I just want to get the best results for the best of us good sir.

#13 quietman7


Posted 25 July 2009 - 01:47 PM

Do the scan in normal mode.

Most anti-rootkit scanners will not work in safe mode because they utilize a driver which is required for the scanning process and that driver will not load in safe mode. Further, there are rootkit variants (haxdoor) that run in safe mode so the usual reason for running a scan in that mode does not apply.

#14 Please Help Us


Posted 25 July 2009 - 03:13 PM

Um sir it won't let me check off running processes, however, I'll continue the scan with as many as I can get sir.
Sorry if I seem like I'm posting so much I'm just trying to keep you updated.

#15 Please Help Us


Posted 25 July 2009 - 11:11 PM

*sigh* Once again, I think somehow the things that were supposed to be hit were not this time sir. Here I'll post the log sir, but it didn't come up with anything worthy. I think whatever this is, is keeping a deathgrip on not being found. :thumbsup:



Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/25/2009 at 15:20:14 PM
User "Jim" on computer "PREFERRED"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Stopped logging on 7/25/2009 at 15:20:23 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/25/2009 at 15:20:56 PM
User "Jim" on computer "PREFERRED"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x300 PT=0x1 WOW64
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZKLPMR7G\vies;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=new+2010+movie+trailers;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=7028563803358604[1]
Hidden: file C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\93E8HPBX\vies;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=new+2010+movie+trailers;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=7337530807191435[1]
Hidden: file C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\12XLFC8G\vies;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=new+2010+movie+trailers;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=3332880976397007[1]
Hidden: file C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZKLPMR7G\vies;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=new+2010+movie+trailers;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=393194362968546[1].4
Hidden: file C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\12XLFC8G\s;sz=300x250;kl=N;klg=en;kt=K;kga=-1;kr=F;kw=pirates+of+the+caribbean+4;kgg=-1;kcr=us;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=8016121329394721[1]
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZK4X1FV\113,18517,18672,18823,18961,19419,21717,21878,21924,22006,22082,22355,23242,23316,23317,23318,23857,23886&Values=1588&Redirect=;ord=btccuic,beKfrRibtvzWK[1].htm
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZK4X1FV\113,18517,18672,18961,18982,19419,21717,21925,22006,22082,22352,22356,23316,23317,23318,23857,23886,23903&Values=1588&Redirect=;ord=cagknnq,beKfscpbtweKo[1].htm
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZDWPBP9Z\113,18517,18672,18961,18982,19419,21717,21878,21924,22006,22082,22355,23242,23316,23317,23318,23857,23886&Values=1588&Redirect=;ord=bhoosbx,beKfscpbtweKW[1].htm
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZK4X1FV\517,18672,18823,18961,18982,19419,21717,21878,21924,22006,22082,22355,23242,23316,23317,23318,23857,23886&Values=1588&Redirect=;ord=ccigxzj,beKfsgWbtwpWa[1].htm
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZDWPBP9Z\0,18903,18961,18982,19419,21717,21868,21923,22006,22082,22353,23244,23316,23317,23318,23722,23857,23886,23899&Values=1588&Redirect=;ord=cderton,beKfsonbtxddq[1]
Stopped logging on 7/25/2009 at 15:46:00 PM
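
One way to summarise a sarscan.log like the one posted above before reviewing it: which scan areas each session actually started, and whether the hidden items sit inside or outside the Internet Explorer cache folders. This is an added example, not part of the thread and not Sophos code; the line formats are assumed from the posted log, and the sample input is constructed, with shortened file names.

```python
import re
from collections import Counter
from ntpath import dirname  # Windows path rules, works on any OS

# Constructed sample in the layout of the posted log (file names shortened).
SAMPLE_LOG = r'''Started logging on 7/25/2009 at 15:20:14 PM
Info: Starting registry scan.
Stopped logging on 7/25/2009 at 15:20:23 PM
Started logging on 7/25/2009 at 15:20:56 PM
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZKLPMR7G\ad;sz=300x250;ord=1[1]
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZK4X1FV\113,18517&Redirect=;ord=abc[1].htm
Hidden: file C:\Users\Lynn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZK4X1FV\113,18672&Redirect=;ord=def[1].htm
Stopped logging on 7/25/2009 at 15:46:00 PM
'''

START = re.compile(r"^Started logging on (.+)$")
AREA = re.compile(r"^Info: Starting (\w+) scan")
HIDDEN = re.compile(r"^Hidden: (\w+) (.+)$")
CACHE = re.compile(r"\\Temporary Internet Files\\", re.I)

def parse_sessions(text):
    """Split a log into sessions: start time, areas scanned, hidden items."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if m := START.match(line):
            sessions.append({"started": m.group(1), "areas": [], "hidden": []})
        elif not sessions:
            continue  # anything before the first "Started logging" line
        elif m := AREA.match(line):
            sessions[-1]["areas"].append(m.group(1))
        elif m := HIDDEN.match(line):
            sessions[-1]["hidden"].append((m.group(1), m.group(2)))
    return sessions

def triage(session):
    """Count hidden items per folder; list the ones outside the browser cache."""
    folders = Counter(dirname(path) for _, path in session["hidden"])
    outside = [path for _, path in session["hidden"] if not CACHE.search(path)]
    return folders, outside

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        folders, outside = triage(s)
        print(s["started"], "areas:", s["areas"], "hidden:", len(s["hidden"]))
        print("  per folder:", folders.most_common())
        print("  outside browser cache:", outside or "none")
```

Run against the full log, the per-session area list shows at a glance that only the registry and disk scans were started, which matches the report in post #14 that the running-processes option could not be checked.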



