Jump to content

# My HJT log

## Recommended Posts

Hi, I need to check this computer to see if there is some kind of keylogger, or other malware on it. Not a big deal, I can just reinstall windows, it is a benchmarking computer with not a lot of files stored on it. I am selling items on eBay and somehow, the people at eBay said they got hacked. Well, they got hacked right as an item I was selling ended it's bidding process, the winner was notified, then the same item was re-listed 5 different times on eBay for a lesser amount at a "buy it now" status. They say that this "winner" was a "loser" because he was a fake. At that same time, this "hacker" was able to log into my PayPal account and drain $95 in$5 segments. It was actually $4.95 CAD withdrawn 19 different times. The people at PayPal said that whoever did this had my log in and password for PayPal. Now how could they get my login and password through eBay? I have since changed all of that and locked out the account but I wanted to see if anything strange is in my log. I scanned with avast and spysweeper, spysweeper found "Mal/Behav-024" and Identified it as a virus but I can't find much on it googling around. It is now quarantined. Whether or not the "hacker", "winner", or the "loser" who drained my account was the same person or not I don't know. Now that I have either totally bored you or confused you, here it is: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:06:40 PM, on 2/17/2008 Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Executive Software\DiskeeperLite\DKService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 4788 bytes #### Share this post ##### Link to post ##### Share on other sites Hi Paul Nothing showing in the log other then this Spy Blocker, is run by the questionable search engine Ask.com. You can read more about Ask.com http://www.benedelman.org/spyware/installa...kjeeves-banner/ You might want to remove that. What we can do is scan you out and see if anything has been left behind.... Download Combofix from any of the links below, and save it to your desktop.<--Important Link 1 Link 2 Click on this link Here to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. If your anti-virus or firewall complains, please allow this script to run as it is not malicious. Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem. Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working. This includes Antivirus, Firewall, and any Spyware scanners that run in the background. • Double click combofix.exe and follow the prompts. Note: Do not mouseclick combofix's window while its running. That may cause it to stall Please be patient while the scan runs, at times it may appear to stall. When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply together with a new hijackthislog. Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to. After rebooting ensure your Security applications have been re-enabled. In your next reply post: ComboFix.txt New HJT log taken after the above scan has run #### Share this post ##### Link to post ##### Share on other sites Hi, Juliet, here you go: Thanks, ComboFix 08-02-18.1 - Paul 2008-02-17 19:07:55.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1659 [GMT -5:00] Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 ))))))))))))))))))))))))))))))) . 2008-02-17 18:58 . 2008-02-13 10:41 262,144 --a------ C:\Program Files\Uninstall Spy Blocker.dll 2008-02-17 17:57 . 2008-02-17 17:57 <DIR> d-------- C:\Program Files\Trend Micro 2008-02-17 13:28 . 2008-02-17 13:28 319 --a------ C:\WINDOWS\game.ini 2008-02-17 13:19 . 2008-02-17 13:19 <DIR> d-------- C:\Program Files\Activision 2008-02-17 13:17 . 2008-02-17 13:17 <DIR> d--hs---- C:\WINDOWS\ftpcache 2008-02-17 13:13 . 2008-02-17 13:13 <DIR> d-------- C:\Program Files\NVIDIA Corporation 2008-02-17 13:13 . 2008-02-17 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA 2008-02-17 13:12 . 2008-02-17 13:12 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application 2008-02-14 14:17 . 2008-02-14 19:56 <DIR> d-------- C:\Documents and Settings\Paul\Contacts 2008-02-14 14:14 . 2008-02-14 14:17 <DIR> d-------- C:\Program Files\MSN Messenger 2008-02-14 14:08 . 2008-02-14 14:08 <DIR> d---s---- C:\Documents and Settings\Paul\UserData 2008-02-13 10:52 . 2008-02-13 10:52 <DIR> d-------- C:\Program Files\Webroot 2008-02-13 10:52 . 2008-02-13 10:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot 2008-02-13 10:52 . 2008-02-13 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot 2008-02-13 10:52 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll 2008-02-13 10:52 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys 2008-02-13 10:52 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys 2008-02-13 10:52 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys 2008-02-13 10:52 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys 2008-02-13 10:49 . 2008-02-13 10:49 164 --a------ C:\install.dat 2008-02-13 10:47 . 2008-02-13 10:47 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Webroot 2008-02-13 10:42 . 2008-02-17 19:08 7,125,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-02-13 10:42 . 2008-02-17 19:04 87,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-02-13 10:41 . 2008-02-13 10:41 <DIR> d-------- C:\Program Files\Zone Labs 2008-02-13 10:41 . 2008-02-13 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier 2008-02-13 10:40 . 2008-02-17 19:00 <DIR> d-------- C:\WINDOWS\Internet Logs 2008-02-13 10:37 . 2008-02-13 10:37 <DIR> d-------- C:\Program Files\Alwil Software 2008-02-13 10:37 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll 2008-02-13 10:37 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe 2008-02-13 10:37 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx 2008-02-13 10:37 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr 2008-02-13 10:37 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2008-02-13 10:37 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2008-02-13 10:37 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2008-02-13 10:37 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2008-02-13 10:37 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2008-02-12 01:53 . 2008-02-12 01:53 <DIR> d-------- C:\WINDOWS\Sun 2008-02-12 01:53 . 2008-02-12 01:53 <DIR> d-------- C:\Program Files\Java 2008-02-12 01:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-02-12 01:52 . 2008-02-12 01:52 <DIR> d-------- C:\Program Files\Common Files\Java 2008-02-11 21:41 . 2008-02-11 21:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2008-02-11 21:31 . 2008-02-11 21:31 45 --a------ C:\WINDOWS\system32\initdebug.nfo 2008-02-11 21:29 . 2008-02-11 21:29 <DIR> d-------- C:\Program Files\DustBuster XP 2008-02-11 21:27 . 2008-02-11 21:27 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint 2008-02-11 21:26 . 2008-02-11 21:35 <DIR> d-------- C:\Program Files\jv16 PowerTools 2008-02-11 21:26 . 2002-07-17 08:20 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL 2008-02-11 21:26 . 2002-07-17 07:53 16,877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS 2008-02-11 21:26 . 2002-07-17 15:22 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL 2008-02-11 21:26 . 2002-07-17 15:22 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE 2008-02-11 21:25 . 2008-02-11 21:44 <DIR> d-------- C:\Program Files\Microsoft Bootvis 2008-02-11 21:20 . 2008-02-11 21:20 <DIR> d-------- C:\WINDOWS\system32\windows media 2008-02-11 21:20 . 2008-02-11 21:20 <DIR> d--h----- C:\WINDOWS\msdownld.tmp 2008-02-11 21:20 . 2008-02-11 21:20 <DIR> d-------- C:\Program Files\Windows Media Components 2008-02-11 21:20 . 2004-06-22 16:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys 2008-02-11 21:17 . 2008-02-11 21:17 <DIR> d-------- C:\Program Files\MadOnion.com 2008-02-11 19:58 . 2008-02-11 19:58 <DIR> d-------- C:\Program Files\AquaMark3 2008-02-11 19:58 . 2004-10-25 21:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys 2008-02-11 19:50 . 2008-02-11 21:19 <DIR> d-------- C:\Program Files\Futuremark 2008-02-11 18:37 . 2006-10-19 03:11 12,096 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys 2008-02-11 18:37 . 2006-10-19 03:11 10,304 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys 2008-02-11 18:32 . 2008-02-11 18:36 35,792 --a------ C:\WINDOWS\Ascd_tmp.ini 2008-02-11 18:29 . 2008-02-11 18:33 <DIR> d-------- C:\Program Files\Lavalys 2008-02-11 15:30 . 2008-02-11 15:30 <DIR> d-------- C:\Program Files\Executive Software 2008-02-11 14:56 . 2008-02-12 01:53 1,279 --a------ C:\WINDOWS\mozver.dat 2008-02-11 14:53 . 2008-02-11 14:53 <DIR> d-------- C:\Program Files\CCleaner 2008-02-11 14:48 . 2008-02-11 14:48 0 --a------ C:\WINDOWS\nsreg.dat 2008-02-11 14:24 . 2007-11-30 17:31 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys 2008-02-11 14:11 . 2008-02-11 14:33 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Corel 2008-02-11 14:11 . 2008-02-11 19:17 5,018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2008-02-11 14:11 . 2008-02-11 14:11 8 -r-hs---- C:\WINDOWS\system32\493B9F383A.sys 2008-02-11 14:03 . 2008-02-11 14:03 <DIR> d-------- C:\Program Files\Analog Devices 2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\Program Files\Corel 2008-02-11 13:40 . 2008-02-11 13:41 <DIR> d-------- C:\Program Files\Common Files\Corel 2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\My Music 2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel 2008-02-11 13:29 . 2005-06-24 17:05 16,958 --a------ C:\WINDOWS\system32\evga.ico 2008-02-11 13:18 . 2008-02-11 18:37 <DIR> d-------- C:\Program Files\ASUS 2008-02-11 13:18 . 2006-01-10 03:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll 2008-02-11 13:18 . 2006-10-18 14:12 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys 2008-02-11 13:14 . 2008-02-11 13:14 <DIR> d-------- C:\Program Files\Marvell 2008-02-11 13:14 . 2008-02-11 13:28 <DIR> d-------- C:\Program Files\Common Files\InstallShield 2008-02-11 13:14 . 2008-02-11 13:14 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\TMP 2008-02-11 13:07 . 2008-02-11 13:07 <DIR> d-------- C:\WINDOWS\system32\ENU 2008-02-11 13:07 . 2008-02-17 13:28 <DIR> d--h----- C:\Program Files\InstallShield Installation Information 2008-02-11 13:07 . 2008-02-11 13:07 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\InstallShield 2008-02-11 13:07 . 2007-04-11 15:49 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe 2008-02-11 13:07 . 2008-02-11 13:39 670 --a------ C:\WINDOWS\setup.iss 2008-02-11 13:05 . 2008-02-11 13:05 <DIR> d-------- C:\WINDOWS\ASUSInstAll 2008-02-11 13:02 . 2008-02-11 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\system32 2008-02-11 13:02 . 2008-02-11 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\INF 2008-02-11 13:00 . 2008-02-14 14:17 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2008-02-11 13:00 . 2008-02-11 13:07 <DIR> d-------- C:\Program Files\Intel 2008-02-11 13:00 . 2008-02-11 13:00 <DIR> d-------- C:\Intel 2008-02-11 13:00 . 2008-02-11 13:36 36,768 --a------ C:\WINDOWS\Ascd_log.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-02-11 19:02 93,952 ----a-w C:\WINDOWS\system32\drivers\aeaudio.sys 2008-02-11 19:02 65,536 ----a-w C:\WINDOWS\system32\a3d.dll 2008-02-11 19:02 392,960 ----a-w C:\WINDOWS\system32\drivers\senfilt.sys 2008-02-11 19:02 293,888 ----a-w C:\WINDOWS\system32\drivers\ADIHdAud.sys 2008-02-11 19:02 28,160 ----a-w C:\WINDOWS\system32\PostProc.dll 2008-02-11 18:59 138,752 ----a-w C:\WINDOWS\system32\drivers\hdaudbus.sys 2008-02-11 17:52 --------- d-----w C:\Program Files\microsoft frontpage 2007-12-01 06:32 1,292,766 ----a-r C:\WINDOWS\SET3.tmp 2007-12-01 06:27 1,088,979 ----a-r C:\WINDOWS\SET4.tmp 2007-12-01 06:26 16,674 ----a-r C:\WINDOWS\SET8.tmp 2007-12-01 05:26 74,240 ----a-w C:\WINDOWS\system32\usbui.dll 2007-12-01 05:25 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll 2007-12-01 04:36 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll 2007-12-01 04:36 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll 2007-12-01 04:36 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll 2007-12-01 04:36 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll 2007-12-01 04:36 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll 2007-12-01 04:36 35,328 ----a-w C:\WINDOWS\system32\pid.dll 2007-12-01 04:36 20,992 ----a-w C:\WINDOWS\system32\hid.dll 2007-12-01 04:36 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2007-12-01 04:36 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll 2007-12-01 04:36 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll 2007-12-01 04:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe 2007-12-01 04:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll 2007-12-01 04:25 997,376 ----a-w C:\WINDOWS\system32\msgina.dll 2007-12-01 04:24 756,224 ----a-w C:\WINDOWS\system32\winntbbu.dll 2007-12-01 04:24 706,048 ----a-w C:\WINDOWS\system32\ntdll.dll 2007-12-01 04:24 5,632 ----a-w C:\WINDOWS\system32\wmi.dll 2007-12-01 04:23 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll 2007-12-01 04:23 101,888 ----a-w C:\WINDOWS\system32\dpcdll.dll 2007-12-01 04:21 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll 2007-12-01 04:21 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll 2007-12-01 00:26 74,752 ----a-w C:\WINDOWS\system32\storprop.dll 2007-11-30 22:24 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys 2007-11-30 22:22 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2007-11-30 21:30 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys 2007-11-30 21:27 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe 2007-11-30 21:25 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll 2007-11-30 21:24 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll 2007-11-30 20:38 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll 2007-11-30 20:37 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll 2007-11-30 20:37 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll 2007-11-30 20:37 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dLL 2007-11-30 20:35 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll 2007-11-30 20:25 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll 2007-11-30 20:25 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll 2007-11-30 20:25 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll 2007-11-30 20:23 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll 2007-11-30 20:23 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll 2007-11-30 20:23 169,984 ----a-w C:\WINDOWS\system32\sccbase.dll 2007-11-30 20:23 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll 2007-11-30 20:23 101,888 ----a-w C:\WINDOWS\system32\gpkcsp.dll 2007-11-30 20:13 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll 2007-11-30 20:08 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll 2007-11-30 20:06 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll 2007-11-30 19:54 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll 2007-11-30 19:53 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll 2007-11-30 19:49 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll 2007-11-30 19:45 48,128 ----a-w C:\WINDOWS\system32\inetres.dll 2007-11-30 19:41 53,840 ----a-w C:\WINDOWS\system32\dosx.exe 2007-11-30 19:41 5,120 ----a-w C:\WINDOWS\system32\winnls.dll 2007-11-30 19:40 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll 2007-11-30 19:39 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe 2007-11-30 19:38 3,338 ----a-w C:\WINDOWS\system32\redir.exe 2007-11-30 19:37 63,488 ----a-w C:\WINDOWS\system32\browselc.dll 2007-11-30 19:37 42,537 ----a-w C:\WINDOWS\system32\keyboard.sys 2007-11-30 19:36 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll 2007-11-30 19:36 35,648 ----a-w C:\WINDOWS\system32\ntio411.sys 2007-11-30 19:36 35,424 ----a-w C:\WINDOWS\system32\ntio412.sys 2007-11-30 19:36 34,560 ----a-w C:\WINDOWS\system32\ntio804.sys 2007-11-30 19:36 34,560 ----a-w C:\WINDOWS\system32\ntio404.sys 2007-11-30 19:36 33,840 ----a-w C:\WINDOWS\system32\ntio.sys 2007-11-30 19:35 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll 2007-11-30 19:32 216,064 ----a-w C:\WINDOWS\system32\moricons.dll 2007-11-30 19:10 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll 2007-11-30 18:31 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll 2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352] "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap] --a------ 2007-09-06 11:19 1426432 C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader] --a------ 2007-02-06 11:20 478800 C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help] --a------ 2007-09-11 10:32 880640 C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor] --a------ 2007-09-06 19:57 626688 C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif] --a------ 2007-03-21 13:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner] --a------ 2007-04-11 17:34 376832 C:\Program Files\ASUS\AI Direct Link\AsCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link] --a------ 2007-08-20 11:42 1209856 C:\Program Files\ASUS\AI Direct Link\AsShare.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2006-11-16 23:16 7770112 C:\WINDOWS\system32\NvCpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2006-11-16 23:16 81920 C:\WINDOWS\system32\NvMcTray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2006-11-16 23:16 1622016 C:\WINDOWS\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] --------- 2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] --a------ 2008-02-11 14:02 868352 C:\Program Files\Analog Devices\Core\smax4pnp.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-02-17 19:08:29 Windows 5.1.2600 Service Pack 3, v.3264 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-02-17 19:08:43 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:10:09 PM, on 2/17/2008 Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Executive Software\DiskeeperLite\DKService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 4084 bytes #### Share this post ##### Link to post ##### Share on other sites Go to My Computer->Tools->Folder Options->View tab: • Under the Hidden files and folders heading: • Select - Show hidden files and folders. • Uncheck- Hide protected operating system files (recommended) option. • Also, make sure there is no checkmark beside Hide file extensions for known file types. • Click OK. (Remember to Hide files and folders once done) ============================ Please go to: VirusTotal • Click the Browse button and search for the following file: C:\WINDOWS\Ascd_tmp.ini • Click Open • Then click Send File • Please be patient while the file is scanned. • Once the scan results appear, please provide them in your next reply. Let's get Java updated. Please follow these steps to remove older version Java components and update. • Download the latest version of Java Runtime Environment (JRE) 6 Update 4 • Scroll to Java Runtime Environment (JRE) 6 Update 4 and click on the download button • Click the "Download" button to the right. • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue. • Click on the link to download Windows Offline Installation and save to your desktop. Go to Start > Control Panel double-click on the Software icon > add/remove programs. Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... ) It should have this icon next to it: Select it and click Remove. • Close any programs you may have running - especially your web browser. • Repeat as many times as necessary to remove each Java versions. • Reboot your computer once all Java components are removed. • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version. ================================================================ Clearing Java Cache Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) • On the General tab, under Temporary Internet Files, click the Settings button. • Next, click on the Delete Files button • There are three options in the window to clear the cache - Leave all Checked • Applications Applets Trace and Log Files • Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. • Click OK to leave the Temporary Files Window • Click OK to leave the Java Control Panel. ComboFix didn't really show me anything so I suggest we run a Kaspersky scan.... *Note It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time. Please don't go surfing while your resident protection is disabled! Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component Click Yes, when prompted to install its ActiveX component. (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.) Or use Firefox with IE-Tab plugin https://addons.mozilla.org/en-US/firefox/addon/1419 The program launches and downloads the latest definition files. • Once the files are downloaded click on Next • Click on Scan Settings and configure as follows: • Scan using the following Anti-Virus database:Extended • Scan Options:Scan Archives Scan Mail Bases Click OK and, under select a target to scan, select My ComputerWhen the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As (above - red blinking arrow) Next, in the Save as prompt, Save in area, select: Desktop In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt] Then, click: Save Please post the Kaspersky Online Scanner Report in your reply. ====================================================== In your next reply post: File requested scanned Kaspersky log New HJT log Edited by Juliet #### Share this post ##### Link to post ##### Share on other sites Sorry it took so long to get back but I am still dealing with this eBay debacle. I could not find a way to create a text file for the first scan so I took screen shots: ...... ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, February 17, 2008 9:56:04 PM Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 18/02/2008 Kaspersky Anti-Virus database records: 570276 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ Scan Statistics: Total number of scanned objects: 23028 Number of viruses found: 0 Number of infected objects: 0 Number of suspicious objects: 0 Duration of the scan process: 00:11:30 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\cert8.db Object is locked skipped C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\history.dat Object is locked skipped C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\key3.db Object is locked skipped C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\parent.lock Object is locked skipped C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\search.sqlite Object is locked skipped C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\435A03A6d01 Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_278.dat Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_764.dat Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped E:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped E:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped F:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped Scan process completed. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:57:32 PM, on 2/17/2008 Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Executive Software\DiskeeperLite\DKService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 4179 bytes #### Share this post ##### Link to post ##### Share on other sites Welcome back Paul Everything is coming back clean. Have HJT fix this orphaned entry O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Using windows explorer delete these C:\WINDOWS\SET3.tmp C:\WINDOWS\SET4.tmp C:\WINDOWS\SET8.tmp Please download ATF Cleaner by Atribune From Here and save it to your Desktop. Follow the instructions for the browser you use. Read the instructions about the cookies. Delete what you do not need. Double click ATF-Cleaner.exe to run the program. Check the boxes to the left of: Windows Temp Current User Temp All Users Temp Temporary Internet Files Java Cache The rest are optional - if you want to remove the lot, check "Select All". Finally click Empty Selected. When you get the "Done Cleaning" message, click OK. If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well. When you have finished, click on the Exit button in the Main menu. From a tidbit of information I found at TrendMicro, let's see if you can search for a file they say might be related. Go to My Computer->Tools->Folder Options->View tab: [*]Under the Hidden files and folders heading: [*]Select - Show hidden files and folders. [*]Uncheck- Hide protected operating system files (recommended) option. [*]Also, make sure there is no checkmark beside Hide file extensions for known file types. [*] Click OK. (Remember to Hide files and folders once done) Using windows search option, search for WEBPMGER.EXE Info can be found here http://www.trendmicro.com/vinfo/virusencyc...EA&VSect=Sn Post back and let me know if you found anything. #### Share this post ##### Link to post ##### Share on other sites Hi Juliet. Again sorry it's taking so long to get back to ya but this time work got in the way. I have found information that may be crucial to the problem. Two identical emails that I received (among many that day) addressed from eBay that they claim they did not send, and also that they are tainted emails. I forwarded them to spoof@ebay.com and received a message that these are phishing emails. Like a dummy, I had clicked on the provided link and someone apparently got in some fishing on that Sunday afternoon on me. I really like to fish too ...... ........... Anyhow, that sounds like it may have been the culprit. All I did was click on the link. It took me to another site that had an eBay appearance, but I just closed that window and never gave any info. I still have the emails in a folder in my email box, I guess I should delete them. Are they able to get your names and passwords just by clicking on the link? How about I give a bunch of fake names and passwords and send them on a wild goose chase, or better yet use a bunch of experlatives ?? ... ... I know, I know, bad idea. Is there anything I should do? I know a good bit about fishing, not so much on phishing. Thanks, Paul P.S. I followed the latest instructions that you provided, nothing was found on WEBPMGER.EXE. Edited by Paul442 #### Share this post ##### Link to post ##### Share on other sites Morning I've gone back over logs we have trying to pin point anything.... And theres just not anything showing up. Are they able to get your names and passwords just by clicking on the link? Evidently so, I don't know how it's crafted or how it can bypass security on the machine but it happened. Were you using IE?, reason I ask is all your windows updates up to date? Is there anything I should do? I believe you've already changed your account info and passwords? What we need to do is to handle this as if a backdoor trojan, get to a known clean computer and change all passwords where applicable, Pin numbers, credit card numbers, account numbers, etc. should all be changed immediately, and it would be wise to contact those same financial institutions to advise them of your situation. Show Hidden Files and Folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Right click and open the folders below with notepad and check the info inside, look to see if anything is out of the ordinary C:\Documents and Settings\Paul\Contacts C:\Documents and Settings\Paul\UserData C:\install.dat One other scanner I can think of to give more data then what we've already used is DSS, not to say it will show me what I'm looking for, but I think it's worth a try. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. [*]Close all applications and windows. [*]Double-click on dss.exe to run it, and follow the prompts. [*]When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized Use Save As to save both Notepad files to your Desktop and post them in your next reply. Note:A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\ Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. #### Share this post ##### Link to post ##### Share on other sites Hi, And theres just not anything showing up. Is it possible that eBay was the one to have a security breech, and not my computer? Were you using IE? No, Firefox is all your windows updates up to date? Yes, well, using xp sp3 beta, it seems to perform better under benchmarking conditions. I believe you've already changed your account info and passwords? Yes, all of the info and passwords that were entered on this machine. Remember, I don't have too much stored in the computer. It is a benchmarking computer that I just rebuilt with all new components, clean hard drive. If I need to reinstall windows it's not too big of a deal, just a quest of what happened and if there is any way to prevent it from happening again. As of now I am beginning to think that it was eBay with all of the security problems because of your efforts here. I think the way that could happen is eBay has to enter PayPal to send them the money that the winner bidder pays the seller. I'm thinking that the winning bidder, (of whom I was told by eBay that they were a phony and I never got my money), entered PayPal through eBay via a back door. He also put up a bunch of phony merchandise for sale on eBay under my name in an attempt to load up my PayPal account as he drained it. eBay never said I was infected, PayPal never said I was infected. You would think that they would make suggestions to me about the condition of my computer if they thought that was how it happened. I want to keep looking if you feel there is something to find, but I know that your a busy girl and I don't want to waste too much of your time. I really do appreciate your help. I looked through the computer files you listed, and I'm not seeing anything strange at all. In fact the computer has seemed normal the whole time, not a glitch. Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 3.0 Architecture: X86; Language: English CPU 0: Intel Pentium III Xeon processor Percentage of Memory in Use: 28% Physical Memory (total/avail): 2047.01 MiB / 1459.41 MiB Pagefile Memory (total/avail): 1892.87 MiB / 1423.68 MiB Virtual Memory (total/avail): 2047.88 MiB / 1910.76 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 52.73 GiB total, 38.36 GiB free. D: is Fixed (NTFS) - 52.73 GiB total, 52.63 GiB free. E: is Fixed (NTFS) - 51.76 GiB total, 51.69 GiB free. F: is Fixed (NTFS) - 50.5 GiB total, 50.43 GiB free. G: is CDROM (No Media) H: is CDROM (No Media) \\.\PHYSICALDRIVE0 - Volume0 - 207.73 GiB - 4 partitions \PARTITION0 (bootable) - Installable File System - 52.73 GiB - C: \PARTITION1 - Extended w/Extended Int 13 - 154.99 GiB - D: - E: - F: -- Security Center ------------------------------------------------------------- -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Paul\Application Data CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=ASUSMAX ComSpec=C:\WINDOWS\system32\cmd.exe DiskeeperIcon=C:\Program Files\Executive Software\DiskeeperLite\ FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Paul LOGONSERVER=\\ASUSMAX NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Executive Software\DiskeeperLite;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=1706 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp tvdumpflags=8 USERDOMAIN=ASUSMAX USERNAME=Paul USERPROFILE=C:\Documents and Settings\Paul windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Paul (admin) -- Add/Remove Programs --------------------------------------------------------- --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf 3DMark03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF35F637-72B9-43BE-A281-06EB2854393A}\Setup.exe" -l0x9 3DMark05 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}\setup.exe" -l0x9 -removeonly 3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000} AI Direct Link --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C312984C-E386-4C2D-B33E-7B54355FB16E}\Setup.exe" -l0x9 AI Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{310BC5E2-31AF-49BB-904D-E71EB93645DC}\setup.exe" -l0x9 AquaMark3 --> C:\PROGRA~1\AQUAMA~1\UNWISE.EXE C:\PROGRA~1\AQUAMA~1\INSTALL.LOG ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe ATI AVIVO Codecs --> MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3} ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0 ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7} ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8} avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" Corel Snapfire DVD Maker --> MsiExec.exe /X{17E14D89-3A9F-4706-9F9B-C2DFC7ABE94B} Corel Snapfire Plus --> MsiExec.exe /X{7ADE3A47-B425-45E9-8FF6-11BE2B775645} Diskeeper Lite --> MsiExec.exe /X{A3F60446-48FB-48A8-B5FC-BB3430AEF806} DustBuster XP --> MsiExec.exe /I{7BEF8E43-094D-4C07-9684-EAEBE79BFA04} EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe" EVEREST Ultimate Edition v4.00 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe" EVGA Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Intel® Matrix Storage Manager --> C:\WINDOWS\System32\Imsmudlg.exe Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02} Java 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040} Java SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040} jv16 PowerTools 1.3 --> "C:\Program Files\jv16 PowerTools\unins000.exe" Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe MadOnion.com/3DMark2001 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91B323B5-A79C-4D23-BD6D-046C565F9BCF}\Setup.exe" -l0x9 uninstall -uninst Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B} Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151} Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7} Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe NVIDIA nTune --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033 PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9 PCMark05 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C104E56-A441-429D-A609-D8A46EB92EA1}\setup.exe" -l0x9 -removeonly SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe" Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F} Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe -- Application Event Log ------------------------------------------------------- Event Record #/Type170 / Error Event Submitted/Written: 02/19/2008 00:30:16 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application iexplore.exe, version 6.0.2900.3264, faulting module urlmon.dll, version 6.0.2900.3264, fault address 0x0003b5ce. Processing media-specific event for [iexplore.exe!ws!] Event Record #/Type169 / Error Event Submitted/Written: 02/19/2008 00:30:07 AM Event ID/Source: 1000 / Application Error Event Description: Faulting application iexplore.exe, version 6.0.2900.3264, faulting module urlmon.dll, version 6.0.2900.3264, fault address 0x0003b5ce. Processing media-specific event for [iexplore.exe!ws!] Event Record #/Type153 / Success Event Submitted/Written: 02/18/2008 11:09:44 PM Event ID/Source: 12001 / usnjsvc Event Description: The Messenger Sharing USN Journal Reader service started successfully. Event Record #/Type151 / Success Event Submitted/Written: 02/18/2008 10:37:20 PM Event ID/Source: 1102 / .NET Runtime Optimization Service Event Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a Event Record #/Type149 / Success Event Submitted/Written: 02/18/2008 10:37:18 PM Event ID/Source: 1102 / .NET Runtime Optimization Service Event Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type2305 / Error Event Submitted/Written: 02/19/2008 07:03:48 PM / 02/19/2008 07:04:17 PM Event ID/Source: 13316 / ati2mtag Event Description: CV can't load required graphics object Event Record #/Type2303 / Error Event Submitted/Written: 02/19/2008 07:03:53 PM Event ID/Source: 10016 / DCOM Event Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool. Event Record #/Type2300 / Error Event Submitted/Written: 02/19/2008 07:00:33 PM / 02/19/2008 07:01:03 PM Event ID/Source: 13316 / ati2mtag Event Description: CV can't load required graphics object Event Record #/Type2298 / Error Event Submitted/Written: 02/19/2008 07:00:39 PM Event ID/Source: 10016 / DCOM Event Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool. Event Record #/Type2274 / Error Event Submitted/Written: 02/18/2008 11:04:07 PM Event ID/Source: 1002 / Dhcp Event Description: The IP address lease 192.168.1.12 for the Network Card with network address 001D60BD9962 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). -- End of Deckard's System Scanner: finished at 2008-02-19 19:48:41 ------------ Deckard's System Scanner v20071014.68 Run by Paul on 2008-02-19 20:51:32 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Paul.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:51:34 PM, on 2/19/2008 Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Executive Software\DiskeeperLite\DKService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Documents and Settings\Paul\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Paul.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - Startup: CCC.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 5108 bytes -- Files created between 2008-01-19 and 2008-02-19 ----------------------------- 2008-02-19 19:13:44 0 d--h----- C:\WINDOWS\PIF 2008-02-19 00:14:28 0 dr-h----- C:\Documents and Settings\Paul\Recent 2008-02-18 00:49:11 0 d-------- C:\Documents and Settings\Paul\Application Data\ATI 2008-02-18 00:49:11 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI 2008-02-18 00:48:56 0 --a------ C:\WINDOWS\ativpsrm.bin 2008-02-18 00:37:57 0 d-------- C:\Program Files\Common Files\ATI Technologies 2008-02-18 00:30:16 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart> 2008-02-18 00:28:12 0 d-------- C:\Program Files\ATI Technologies 2008-02-17 23:29:00 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32> 2008-02-17 23:29:00 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL Library> 2008-02-17 21:08:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-02-17 21:08:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-02-17 21:03:25 0 d-------- C:\Program Files\Sun 2008-02-17 21:02:17 0 d-------- C:\Program Files\Java 2008-02-17 21:02:15 0 d-------- C:\Program Files\Common Files\Java 2008-02-17 20:57:53 0 d-------- C:\WINDOWS\system32\appmgmt 2008-02-17 19:07:32 68096 --a------ C:\WINDOWS\system32\zip.exe 2008-02-17 19:07:32 98816 --a------ C:\WINDOWS\system32\sed.exe 2008-02-17 19:07:32 80412 --a------ C:\WINDOWS\system32\grep.exe 2008-02-17 19:07:32 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-02-17 17:57:27 0 d-------- C:\Program Files\Trend Micro 2008-02-17 13:19:24 0 d-------- C:\Program Files\Activision 2008-02-17 13:17:43 0 d--hs---- C:\WINDOWS\ftpcache 2008-02-17 13:13:46 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA 2008-02-17 13:13:18 0 d-------- C:\Program Files\NVIDIA Corporation 2008-02-17 13:12:54 0 d-------- C:\Program Files\NVIDIA nTune Performance Application 2008-02-14 14:17:43 0 d-------- C:\Documents and Settings\Paul\Contacts 2008-02-14 14:14:10 0 d-------- C:\Program Files\MSN Messenger 2008-02-14 14:08:44 0 d---s---- C:\Documents and Settings\Paul\UserData 2008-02-13 10:52:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot 2008-02-13 10:52:21 0 d-------- C:\Program Files\Webroot 2008-02-13 10:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot 2008-02-13 10:49:32 164 --a------ C:\install.dat 2008-02-13 10:47:45 0 d-------- C:\Documents and Settings\Paul\Application Data\Webroot 2008-02-13 10:42:56 9547808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-02-13 10:41:18 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier 2008-02-13 10:41:16 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat 2008-02-13 10:41:15 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT Operating System> 2008-02-13 10:41:11 0 d-------- C:\WINDOWS\system32\ZoneLabs 2008-02-13 10:40:38 0 d-------- C:\WINDOWS\Internet Logs 2008-02-13 10:37:11 0 d-------- C:\Program Files\Alwil Software 2008-02-12 01:53:57 0 d-------- C:\WINDOWS\Sun 2008-02-12 01:53:57 0 d-------- C:\Documents and Settings\Paul\Application Data\Sun 2008-02-11 21:41:40 0 d-------- C:\WINDOWS\system32\LogFiles 2008-02-11 21:29:47 0 d-------- C:\Program Files\DustBuster XP 2008-02-11 21:27:18 0 d-------- C:\Program Files\Microsoft IntelliPoint 2008-02-11 21:26:42 0 d-------- C:\Program Files\jv16 PowerTools 2008-02-11 21:26:02 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer> 2008-02-11 21:26:02 16877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer> 2008-02-11 21:26:02 4672 --a------ C:\WINDOWS\system\WOWPOST.EXE <Not Verified; Adaptec; Adaptec's ASPI Layer> 2008-02-11 21:26:02 5600 --a------ C:\WINDOWS\system\WINASPI.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer> 2008-02-11 21:25:15 0 d-------- C:\Program Files\Microsoft Bootvis 2008-02-11 21:20:33 0 d-------- C:\WINDOWS\system32\windows media 2008-02-11 21:20:15 0 d-------- C:\WINDOWS\RegisteredPackages 2008-02-11 21:20:15 0 d--h----- C:\WINDOWS\msdownld.tmp 2008-02-11 21:20:14 0 d-------- C:\Program Files\Windows Media Components 2008-02-11 21:20:00 5632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys> 2008-02-11 21:17:37 0 d-------- C:\Program Files\MadOnion.com 2008-02-11 20:49:31 0 d--hs---- C:\WINDOWS\Installer 2008-02-11 20:49:30 0 d-------- C:\Program Files\Common Files\ODBC 2008-02-11 20:49:26 0 d-------- C:\Program Files\Common Files\SpeechEngines 2008-02-11 20:49:25 0 dr------- C:\Program Files 2008-02-11 20:49:25 0 d-------- C:\Program Files\Common Files 2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\Templates 2008-02-11 20:48:56 0 dr------- C:\Documents and Settings\Default User\Start Menu 2008-02-11 20:48:56 0 dr-h----- C:\Documents and Settings\Default User\SendTo 2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\Recent 2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\PrintHood 2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\NetHood 2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\Default User\My Documents 2008-02-11 20:48:56 0 dr-h----- C:\Documents and Settings\Default User\Local Settings 2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\Default User\Favorites 2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\Default User\Desktop 2008-02-11 20:48:56 0 d---s---- C:\Documents and Settings\Default User\Cookies 2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\All Users\Templates 2008-02-11 20:48:56 0 dr------- C:\Documents and Settings\All Users\Start Menu 2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\All Users\Favorites 2008-02-11 20:48:56 0 dr------- C:\Documents and Settings\All Users\Documents 2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\All Users\Desktop 2008-02-11 20:48:42 0 d-------- C:\WINDOWS\system32\CatRoot2 2008-02-11 20:48:42 0 d-------- C:\WINDOWS\system32\CatRoot 2008-02-11 20:48:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data 2008-02-11 20:48:37 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft 2008-02-11 20:48:37 0 dr-h----- C:\Documents and Settings\All Users\Application Data 2008-02-11 20:48:37 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft 2008-02-11 20:48:09 0 d--hs---- C:\System Volume Information 2008-02-11 20:48:09 0 d-------- C:\Documents and Settings 2008-02-11 20:43:41 0 d-------- C:\WINDOWS\OemDir 2008-02-11 20:43:40 0 d-------- C:\WINDOWS 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\WinSxS 2008-02-11 20:43:40 0 dr------- C:\WINDOWS\Web 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\twain_32 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\wins 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\wbem 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\usmt 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\spool 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\ShellExt 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\Setup 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\ras 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\oobe 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\npp 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\mui 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\inetsrv 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\IME 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\icsxml 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\ias 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\export 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\en 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\drivers 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\drivers\etc 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\drivers\disdn 2008-02-11 20:43:40 0 dr-hs--c- C:\WINDOWS\system32\dllcache 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\dhcp 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\config 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\3com_dmi 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\3076 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\2052 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1054 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1042 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1041 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1037 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1033 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1031 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1028 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1025 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\security 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Resources 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\repair 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Provisioning 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\PeerNet 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\pchealth 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Network Diagnostic 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\mui 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\msapps 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\msagent 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Media 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\L2Schemas 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\java 2008-02-11 20:43:40 0 d--h----- C:\WINDOWS\inf 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\ime 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Help 2008-02-11 20:43:40 0 dr--s---- C:\WINDOWS\Fonts 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\ehome 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Driver Cache 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Debug 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Cursors 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Connection Wizard 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Config 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\AppPatch 2008-02-11 20:43:40 0 d-------- C:\WINDOWS\addins 2008-02-11 20:02:51 0 d-------- C:\WINDOWS\system32\Futuremark 2008-02-11 20:02:51 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys 2008-02-11 19:58:18 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip> 2008-02-11 19:58:03 0 d-------- C:\Program Files\AquaMark3 2008-02-11 19:50:08 0 d-------- C:\Program Files\Futuremark 2008-02-11 18:29:06 0 d-------- C:\Program Files\Lavalys 2008-02-11 15:30:24 0 d-------- C:\Program Files\Executive Software 2008-02-11 14:56:33 1279 --a------ C:\WINDOWS\mozver.dat 2008-02-11 14:54:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Google 2008-02-11 14:53:52 0 d-------- C:\Program Files\CCleaner 2008-02-11 14:48:33 0 --a------ C:\WINDOWS\nsreg.dat 2008-02-11 14:48:32 0 d-------- C:\Documents and Settings\Paul\Application Data\Mozilla 2008-02-11 14:46:59 0 d-------- C:\Documents and Settings\Paul\Application Data\Macromedia 2008-02-11 14:46:58 0 d-------- C:\Documents and Settings\Paul\Application Data\Adobe 2008-02-11 14:12:32 0 d-------- C:\WINDOWS\pss 2008-02-11 14:11:43 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2008-02-11 14:11:43 8 -r-hs---- C:\WINDOWS\system32\493B9F383A.sys 2008-02-11 14:11:38 0 d-------- C:\Documents and Settings\Paul\Application Data\Corel 2008-02-11 14:03:20 53248 -----n--- C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl> 2008-02-11 14:03:20 1285632 -----n--- C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio> 2008-02-11 14:03:20 49152 -----n--- C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp> 2008-02-11 14:03:20 45056 -----n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp> 2008-02-11 14:03:20 0 d-------- C:\Program Files\Analog Devices 2008-02-11 13:40:55 0 d-------- C:\My Music 2008-02-11 13:40:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel 2008-02-11 13:40:45 0 d-------- C:\Program Files\Corel 2008-02-11 13:40:45 0 d-------- C:\Program Files\Common Files\Corel 2008-02-11 13:40:00 0 d-------- C:\Program Files\Common Files\Adobe 2008-02-11 13:39:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe 2008-02-11 13:30:37 1622016 --a------ C:\WINDOWS\system32\nwiz.exe 2008-02-11 13:30:37 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll 2008-02-11 13:30:37 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll 2008-02-11 13:30:37 466944 --a------ C:\WINDOWS\system32\nvshell.dll 2008-02-11 13:30:37 1470464 --a------ C:\WINDOWS\system32\nview.dll 2008-02-11 13:30:37 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe 2008-02-11 13:30:37 442368 --a------ C:\WINDOWS\system32\nvappbar.exe 2008-02-11 13:30:37 425984 --a------ C:\WINDOWS\system32\keystone.exe 2008-02-11 13:30:37 0 d-------- C:\WINDOWS\nview 2008-02-11 13:28:41 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll 2008-02-11 13:28:38 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll 2008-02-11 13:28:17 0 d-------- C:\WINDOWS\system32\EVGA 2008-02-11 13:18:35 24576 -ra------ C:\WINDOWS\system32\AsIO.dll <Not Verified; ; AsIO Dynamic Link Library> 2008-02-11 13:18:33 0 d-------- C:\Program Files\ASUS 2008-02-11 13:14:32 0 d-------- C:\Program Files\Marvell 2008-02-11 13:14:30 0 d-------- C:\Program Files\Common Files\InstallShield 2008-02-11 13:14:28 0 d-------- C:\Documents and Settings\Paul\Application Data\TMP 2008-02-11 13:07:32 126976 --a------ C:\WINDOWS\system32\Imsmudlg.exe <Not Verified; Intel® Corporation; Uninstset Installation Utility> 2008-02-11 13:07:32 0 d-------- C:\WINDOWS\system32\ENU 2008-02-11 13:07:23 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-02-11 13:07:22 0 d-------- C:\Documents and Settings\Paul\Application Data\InstallShield 2008-02-11 13:05:22 0 d-------- C:\WINDOWS\ASUSInstAll 2008-02-11 13:02:00 0 d-------- C:\WINDOWS\system32\drivers\system32 2008-02-11 13:02:00 0 d-------- C:\WINDOWS\system32\drivers\INF 2008-02-11 13:01:00 0 d-------- C:\WINDOWS\system32\ReinstallBackups 2008-02-11 13:00:59 0 d------c- C:\WINDOWS\system32\DRVSTORE 2008-02-11 13:00:58 0 d-------- C:\Program Files\Intel 2008-02-11 13:00:42 0 d-------- C:\Intel 2008-02-11 12:56:25 10288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS 2008-02-11 12:55:40 0 d-------- C:\Documents and Settings\Paul\Application Data\Identities 2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\Templates 2008-02-11 12:55:35 0 dr------- C:\Documents and Settings\Paul\Start Menu 2008-02-11 12:55:35 0 dr-h----- C:\Documents and Settings\Paul\SendTo 2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\PrintHood 2008-02-11 12:55:35 1572864 --ah----- C:\Documents and Settings\Paul\NTUSER.DAT 2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\NetHood 2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\Local Settings 2008-02-11 12:55:35 0 dr------- C:\Documents and Settings\Paul\Favorites 2008-02-11 12:55:35 0 d-------- C:\Documents and Settings\Paul\Desktop 2008-02-11 12:55:35 0 d---s---- C:\Documents and Settings\Paul\Cookies 2008-02-11 12:55:35 0 dr-h----- C:\Documents and Settings\Paul\Application Data 2008-02-11 12:55:09 0 d-------- C:\WINDOWS\SoftwareDistribution 2008-02-11 12:55:08 0 d---s---- C:\WINDOWS\system32\Microsoft 2008-02-11 12:55:08 0 d-------- C:\WINDOWS\Prefetch 2008-02-11 12:55:08 0 d---s---- C:\Documents and Settings\LocalService\Cookies 2008-02-11 12:55:08 0 d-------- C:\Documents and Settings\LocalService\Application Data 2008-02-11 12:55:08 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft 2008-02-11 12:55:07 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT 2008-02-11 12:55:07 0 d--h----- C:\Documents and Settings\LocalService\Local Settings 2008-02-11 12:54:59 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT 2008-02-11 12:54:59 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings 2008-02-11 12:54:59 0 d---s---- C:\Documents and Settings\NetworkService\Cookies 2008-02-11 12:54:59 0 d-------- C:\Documents and Settings\NetworkService\Application Data 2008-02-11 12:54:59 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft 2008-02-11 12:52:23 0 d-------- C:\WINDOWS\system32\xircom 2008-02-11 12:52:23 0 d-------- C:\Program Files\microsoft frontpage 2008-02-11 12:52:17 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT 2008-02-11 12:52:15 0 -rahs---- C:\MSDOS.SYS 2008-02-11 12:52:15 0 -rahs---- C:\IO.SYS 2008-02-11 12:52:15 0 --a------ C:\CONFIG.SYS 2008-02-11 12:52:15 0 --a------ C:\AUTOEXEC.BAT 2008-02-11 12:51:52 0 d--hs---- C:\Documents and Settings\All Users\DRM 2008-02-11 12:51:48 0 dr------- C:\WINDOWS\Offline Web Pages 2008-02-11 12:51:48 0 d---s---- C:\WINDOWS\Downloaded Program Files 2008-02-11 12:51:43 0 d--h----- C:\Program Files\WindowsUpdate 2008-02-11 12:51:30 0 d-------- C:\WINDOWS\system32\DirectX 2008-02-11 12:51:11 0 d---s---- C:\WINDOWS\Tasks 2008-02-11 12:51:10 0 d-------- C:\Program Files\Common Files\MSSoap 2008-02-11 12:51:07 0 d-------- C:\WINDOWS\srchasst 2008-02-11 12:51:06 0 d-------- C:\WINDOWS\system32\Macromed 2008-02-11 12:51:00 0 d-------- C:\Program Files\Movie Maker 2008-02-11 12:50:40 0 d-------- C:\WINDOWS\system32\Restore 2008-02-11 12:50:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat 2008-02-11 12:50:14 0 d-------- C:\WINDOWS\Registration 2008-02-11 12:50:12 0 d-------- C:\Program Files\Online Services 2008-02-11 12:50:09 0 d-------- C:\Program Files\Messenger 2008-02-11 12:50:06 0 d-------- C:\Program Files\MSN Gaming Zone 2008-02-11 12:49:22 0 d-------- C:\Program Files\Windows NT 2008-02-11 12:49:14 0 d-------- C:\WINDOWS\system32\MsDtc 2008-02-11 12:49:10 0 d-------- C:\WINDOWS\system32\Com -- Find3M Report --------------------------------------------------------------- 2008-02-11 20:48:56 62 --ahs---- C:\Documents and Settings\Paul\Application Data\desktop.ini -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM] "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [09/04/2007 07:25 PM] C:\Documents and Settings\Paul\Start Menu\Programs\Startup\ CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [7/17/2007 11:13:34 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] C:\WINDOWS\System32\dimsntfy.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner] "C:\Program Files\ASUS\AI Direct Link\AsCmd.exe" -reg [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link] "C:\Program Files\ASUS\AI Direct Link\AsShare.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] eapsvcs eaphost dot3svc dot3svc HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs napagent hkmsvc -- End of Deckard's System Scanner: finished at 2008-02-19 20:52:42 ------------ #### Share this post ##### Link to post ##### Share on other sites For me now, it becomes a guessing game. Somehow secure socket layer was broken, how I don't know. I doubt you'll ever get Ebay or PayPal to ever confess the error was on their end, or even the Bank where your personal account is located..What you could suggest is they do what ever they can to add more security layers to their methods of making transactions?..more security questions or security numbers, an unbreakable SSL, somehow using some kind of tracking methods to ensure against fraud..They would have to do something if more people get robbed and more events like these are reported against them. But you have to stop and think, if this guy never sent you an Email with anything you had to click on such as a link?, and all transactions were through Ebay, PayPal, and your Bank.................. Not much going on here but this does need to be updated. Update Adobe Acrobat Reader * Please go to this link Adobe Acrobat Reader Download Link http://www.adobe.com/products/acrobat/readstep2.html * Cllick Download * On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation. * Click the Continue button * Click Run, and click Run again * Next click the Install Now button and follow the on screen prompts Now click Start---Control Panel. Double click Add or Remove Programs. Adobe Reader 7.0.5 <--click on the program to highlight it, and click on remove. For FireFox users: Click on the “Edit Options…” button in the bar to continue with download 2. Add the web site to the sites which are allowed to install add-ons Click on the “Allow” button to add the site to the list of allowed sites Click on the “Close” button to continue with download 3. Refresh the thank you page Click on the refresh button on your browser. 4. A Firefox security dialog box will appear, prompting you to install the add on Click on the "Install Now" button to continue with download. 5. An add on dialog box will appear Click on the dialog close button. NEXT [*] Click START then RUN [*] Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there. One other scan we can do to check *Note It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time. Please don't go surfing while your resident protection is disabled! Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component Click Yes, when prompted to install its ActiveX component. (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.) Or use Firefox with IE-Tab plugin https://addons.mozilla.org/en-US/firefox/addon/1419 The program launches and downloads the latest definition files. • Once the files are downloaded click on Next • Click on Scan Settings and configure as follows: • Scan using the following Anti-Virus database: • Extended • Scan Options:Scan Archives Scan Mail Bases • Click OK and, under select a target to scan, select My Computer When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As (above - red blinking arrow) Next, in the Save as prompt, Save in area, select: Desktop In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt] Then, click: Save Please post the Kaspersky Online Scanner Report in your reply. #### Share this post ##### Link to post ##### Share on other sites For me now, it becomes a guessing game. Ok, I'll play. I doubt you'll ever get eBay or PayPal to ever confess the error was on their end, or even the Bank where your personal account is located. I agree, they will never admit fault. The money was being "funneled" out of PayPal, fortunately my bank account was never effected. PayPal has$95 CAD listed in my account as returned to me, but frozen until the investigation is completed. They have been very cooperative and helpful up to this point. They are sending me one of these for another layer of passwords at no cost (like a $5 value): As I understand it, it is an aditional password that will change every 30 seconds. Here we go, completed with Internet Explorer this time: ------------------------------------------------------------------------------ KASPERSKY ONLINE SCANNER REPORT Wednesday, February 20, 2008 8:03:20 PM Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 20/02/2008 Kaspersky Anti-Virus database records: 574000 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ H:\ Scan Statistics: Total number of scanned objects: 26492 Number of viruses found: 0 Number of infected objects: 0 Number of suspicious objects: 0 Duration of the scan process: 00:12:21 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\pending.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\dfsr.db Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\fsr.log Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\fsrtmp.log Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\tmp.edb Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows Live Contacts\paul69455@msn.com\real\members.stg Object is locked skipped C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\History\History.IE5\MSHist012008022020080221\index.dat Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Temp\~DF214F.tmp Object is locked skipped C:\Documents and Settings\Paul\Local Settings\Temp\~DF21D9.tmp Object is locked skipped C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_7f8.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped E:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped Scan process completed. #### Share this post ##### Link to post ##### Share on other sites Paul, as I suspected that log is clean. PayPal has$95 CAD listed in my account as returned to me, but frozen until the investigation is completed. They have been very cooperative and helpful up to this point. They are sending me one of these for another layer of passwords at no cost (like a \$5 value):

I applaud them for helping and trying to investiagte.

I hope the criminal is caught and prosecuted.

Let's leave this topic open for a few days, if in the event something screwy starts to happen come back....

For now I want to leave you with a few preventive tips

Below are recommendations to protect your computer.

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

Firefox 2.0 The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

How to prevent Malware: Created by Miekiemoes

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place.

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Slow Computer? Check here first; it may not be malware

http://www.castlecops.com/postitle175256-0-0-.html

Free Antivirus-AntiSpyware-Firewall Software

#### Share this post

##### Share on other sites
This topic is now closed to further replies.

×

• #### Activity

• Gallery
×
• Create New...