Paul442

My HJT log


Hi, I need to check this computer to see if there is some kind of keylogger or other malware on it. Not a big deal, I can just reinstall Windows; it is a benchmarking computer with not a lot of files stored on it. I am selling items on eBay and somehow, the people at eBay said they got hacked. Well, they got hacked right as an item I was selling ended its bidding process, the winner was notified, then the same item was re-listed 5 different times on eBay for a lesser amount at a "buy it now" status. They say that this "winner" was a "loser" because he was a fake. At that same time, this "hacker" was able to log into my PayPal account and drain $95 in $5 segments. It was actually $4.95 CAD withdrawn 19 different times. The people at PayPal said that whoever did this had my login and password for PayPal. Now how could they get my login and password through eBay? I have since changed all of that and locked out the account, but I wanted to see if anything strange is in my log. I scanned with avast and Spy Sweeper; Spy Sweeper found "Mal/Behav-024" and identified it as a virus, but I can't find much on it googling around. It is now quarantined.

 

Whether or not the "hacker", "winner", or the "loser" who drained my account was the same person or not I don't know.

 

Now that I have either totally bored you or confused you, here it is:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:06:40 PM, on 2/17/2008

Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 4788 bytes


Hi Paul

 

Nothing showing in the log other than this:

 

Spy Blocker is run by the questionable search engine Ask.com. You can read more about Ask.com here: http://www.benedelman.org/spyware/installa...kjeeves-banner/

 

You might want to remove that.

 

What we can do is scan you out and see if anything has been left behind....

 

 

Download Combofix from any of the links below, and save it to your desktop. <-- Important

 

Link 1

Link 2

Link 3

 

 

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

If your anti-virus or firewall complains, please allow this script to run as it is not malicious.

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

  • Double-click combofix.exe and follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

Please be patient while the scan runs, at times it may appear to stall.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.

 

 

In your next reply post:

ComboFix.txt

New HJT log taken after the above scan has run

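The triage Juliet does by eye above (a BHO with "(no file)", the Ask.com-backed Spy Blocker toolbar, anything else that looks out of place) can be made repeatable. The following is an added Python example, not code from the thread or from HijackThis: it parses HijackThis v2.0.2 entry lines and flags the entry kinds an analyst checks first. The `SAMPLE_LOG` excerpt, the `BUNDLEWARE_MARKERS` and `USER_WRITABLE` lists, and the `[PLACEHOLDER]` autostart line are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt in HijackThis v2.0.2 line format. The O2/O3/O16/O23 lines
# mirror entries in the thread's log; the O4 line under Temp is a constructed
# placeholder that exists only to exercise the user-writable-path rule.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [PLACEHOLDER] C:\Documents and Settings\Paul\Local Settings\Temp\placeholder.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
End of file - 4788 bytes
"""

# Every HJT entry line starts with a section code (R0, O2, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Assumption taken from the thread: the ZoneAlarm Spy Blocker toolbar is an Ask.com bundle.
BUNDLEWARE_MARKERS = {"zonealarmsb": "ZoneAlarm Spy Blocker toolbar (Ask.com-backed bundleware)"}
# Constructed heuristic: autostart binaries normally live under Program Files or WINDOWS,
# not in profile or temp directories (matched case-insensitively against the entry body).
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\documents and settings\\")


@dataclass
class Entry:
    code: str   # section code, e.g. "O2"
    body: str   # text after "O2 - "
    raw: str    # original line


@dataclass
class Finding:
    code: str
    severity: str   # "info" (orphaned, clean-up) or "review" (verify before trusting)
    reason: str
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/N/O entries from a HijackThis log; process list and header are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the first-pass checks an analyst makes on O2/O3/O4/O16/O23 lines."""
    findings = []
    for e in entries:
        low = e.body.lower()
        if e.code in ("O2", "O3"):
            if low.endswith("(no file)"):
                findings.append(Finding(e.code, "info",
                                        "BHO/toolbar registration whose DLL is gone; orphaned entry, safe to remove", e.raw))
            for marker, desc in BUNDLEWARE_MARKERS.items():
                if marker in low:
                    findings.append(Finding(e.code, "review", desc, e.raw))
        elif e.code == "O4":
            if any(m in low for m in USER_WRITABLE):
                findings.append(Finding(e.code, "review", "autostart runs from a user-writable location", e.raw))
        elif e.code == "O16":
            # DPF entries are ActiveX controls pulled from a URL; record the host for the analyst.
            url = e.body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or "?"
            findings.append(Finding(e.code, "review",
                                    f"ActiveX control downloaded from {host}; confirm it was installed on purpose", e.raw))
        elif e.code == "O23":
            if "unknown owner" in low:
                findings.append(Finding(e.code, "review", "service with no publisher string; verify the binary", e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.raw}")
```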

Hi, Juliet, here you go: Thanks,

 

ComboFix 08-02-18.1 - Paul 2008-02-17 19:07:55.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1659 [GMT -5:00]

Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))

.

 

2008-02-17 18:58 . 2008-02-13 10:41 262,144 --a------ C:\Program Files\Uninstall Spy Blocker.dll

2008-02-17 17:57 . 2008-02-17 17:57 <DIR> d-------- C:\Program Files\Trend Micro

2008-02-17 13:28 . 2008-02-17 13:28 319 --a------ C:\WINDOWS\game.ini

2008-02-17 13:19 . 2008-02-17 13:19 <DIR> d-------- C:\Program Files\Activision

2008-02-17 13:17 . 2008-02-17 13:17 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-02-17 13:13 . 2008-02-17 13:13 <DIR> d-------- C:\Program Files\NVIDIA Corporation

2008-02-17 13:13 . 2008-02-17 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

2008-02-17 13:12 . 2008-02-17 13:12 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application

2008-02-14 14:17 . 2008-02-14 19:56 <DIR> d-------- C:\Documents and Settings\Paul\Contacts

2008-02-14 14:14 . 2008-02-14 14:17 <DIR> d-------- C:\Program Files\MSN Messenger

2008-02-14 14:08 . 2008-02-14 14:08 <DIR> d---s---- C:\Documents and Settings\Paul\UserData

2008-02-13 10:52 . 2008-02-13 10:52 <DIR> d-------- C:\Program Files\Webroot

2008-02-13 10:52 . 2008-02-13 10:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot

2008-02-13 10:52 . 2008-02-13 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot

2008-02-13 10:52 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll

2008-02-13 10:52 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys

2008-02-13 10:52 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2008-02-13 10:52 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

2008-02-13 10:52 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys

2008-02-13 10:49 . 2008-02-13 10:49 164 --a------ C:\install.dat

2008-02-13 10:47 . 2008-02-13 10:47 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Webroot

2008-02-13 10:42 . 2008-02-17 19:08 7,125,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-02-13 10:42 . 2008-02-17 19:04 87,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

2008-02-13 10:41 . 2008-02-13 10:41 <DIR> d-------- C:\Program Files\Zone Labs

2008-02-13 10:41 . 2008-02-13 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2008-02-13 10:40 . 2008-02-17 19:00 <DIR> d-------- C:\WINDOWS\Internet Logs

2008-02-13 10:37 . 2008-02-13 10:37 <DIR> d-------- C:\Program Files\Alwil Software

2008-02-13 10:37 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll

2008-02-13 10:37 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe

2008-02-13 10:37 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx

2008-02-13 10:37 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr

2008-02-13 10:37 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys

2008-02-13 10:37 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys

2008-02-13 10:37 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys

2008-02-13 10:37 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys

2008-02-13 10:37 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys

2008-02-12 01:53 . 2008-02-12 01:53 <DIR> d-------- C:\WINDOWS\Sun

2008-02-12 01:53 . 2008-02-12 01:53 <DIR> d-------- C:\Program Files\Java

2008-02-12 01:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-02-12 01:52 . 2008-02-12 01:52 <DIR> d-------- C:\Program Files\Common Files\Java

2008-02-11 21:41 . 2008-02-11 21:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2008-02-11 21:31 . 2008-02-11 21:31 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-02-11 21:29 . 2008-02-11 21:29 <DIR> d-------- C:\Program Files\DustBuster XP

2008-02-11 21:27 . 2008-02-11 21:27 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint

2008-02-11 21:26 . 2008-02-11 21:35 <DIR> d-------- C:\Program Files\jv16 PowerTools

2008-02-11 21:26 . 2002-07-17 08:20 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL

2008-02-11 21:26 . 2002-07-17 07:53 16,877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS

2008-02-11 21:26 . 2002-07-17 15:22 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL

2008-02-11 21:26 . 2002-07-17 15:22 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE

2008-02-11 21:25 . 2008-02-11 21:44 <DIR> d-------- C:\Program Files\Microsoft Bootvis

2008-02-11 21:20 . 2008-02-11 21:20 <DIR> d-------- C:\WINDOWS\system32\windows media

2008-02-11 21:20 . 2008-02-11 21:20 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2008-02-11 21:20 . 2008-02-11 21:20 <DIR> d-------- C:\Program Files\Windows Media Components

2008-02-11 21:20 . 2004-06-22 16:44 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys

2008-02-11 21:17 . 2008-02-11 21:17 <DIR> d-------- C:\Program Files\MadOnion.com

2008-02-11 19:58 . 2008-02-11 19:58 <DIR> d-------- C:\Program Files\AquaMark3

2008-02-11 19:58 . 2004-10-25 21:02 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys

2008-02-11 19:50 . 2008-02-11 21:19 <DIR> d-------- C:\Program Files\Futuremark

2008-02-11 18:37 . 2006-10-19 03:11 12,096 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys

2008-02-11 18:37 . 2006-10-19 03:11 10,304 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys

2008-02-11 18:32 . 2008-02-11 18:36 35,792 --a------ C:\WINDOWS\Ascd_tmp.ini

2008-02-11 18:29 . 2008-02-11 18:33 <DIR> d-------- C:\Program Files\Lavalys

2008-02-11 15:30 . 2008-02-11 15:30 <DIR> d-------- C:\Program Files\Executive Software

2008-02-11 14:56 . 2008-02-12 01:53 1,279 --a------ C:\WINDOWS\mozver.dat

2008-02-11 14:53 . 2008-02-11 14:53 <DIR> d-------- C:\Program Files\CCleaner

2008-02-11 14:48 . 2008-02-11 14:48 0 --a------ C:\WINDOWS\nsreg.dat

2008-02-11 14:24 . 2007-11-30 17:31 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

2008-02-11 14:11 . 2008-02-11 14:33 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Corel

2008-02-11 14:11 . 2008-02-11 19:17 5,018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2008-02-11 14:11 . 2008-02-11 14:11 8 -r-hs---- C:\WINDOWS\system32\493B9F383A.sys

2008-02-11 14:03 . 2008-02-11 14:03 <DIR> d-------- C:\Program Files\Analog Devices

2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\Program Files\Corel

2008-02-11 13:40 . 2008-02-11 13:41 <DIR> d-------- C:\Program Files\Common Files\Corel

2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\My Music

2008-02-11 13:40 . 2008-02-11 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel

2008-02-11 13:29 . 2005-06-24 17:05 16,958 --a------ C:\WINDOWS\system32\evga.ico

2008-02-11 13:18 . 2008-02-11 18:37 <DIR> d-------- C:\Program Files\ASUS

2008-02-11 13:18 . 2006-01-10 03:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll

2008-02-11 13:18 . 2006-10-18 14:12 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys

2008-02-11 13:14 . 2008-02-11 13:14 <DIR> d-------- C:\Program Files\Marvell

2008-02-11 13:14 . 2008-02-11 13:28 <DIR> d-------- C:\Program Files\Common Files\InstallShield

2008-02-11 13:14 . 2008-02-11 13:14 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\TMP

2008-02-11 13:07 . 2008-02-11 13:07 <DIR> d-------- C:\WINDOWS\system32\ENU

2008-02-11 13:07 . 2008-02-17 13:28 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

2008-02-11 13:07 . 2008-02-11 13:07 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\InstallShield

2008-02-11 13:07 . 2007-04-11 15:49 126,976 --a------ C:\WINDOWS\system32\Imsmudlg.exe

2008-02-11 13:07 . 2008-02-11 13:39 670 --a------ C:\WINDOWS\setup.iss

2008-02-11 13:05 . 2008-02-11 13:05 <DIR> d-------- C:\WINDOWS\ASUSInstAll

2008-02-11 13:02 . 2008-02-11 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\system32

2008-02-11 13:02 . 2008-02-11 13:02 <DIR> d-------- C:\WINDOWS\system32\drivers\INF

2008-02-11 13:00 . 2008-02-14 14:17 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2008-02-11 13:00 . 2008-02-11 13:07 <DIR> d-------- C:\Program Files\Intel

2008-02-11 13:00 . 2008-02-11 13:00 <DIR> d-------- C:\Intel

2008-02-11 13:00 . 2008-02-11 13:36 36,768 --a------ C:\WINDOWS\Ascd_log.ini

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-11 19:02 93,952 ----a-w C:\WINDOWS\system32\drivers\aeaudio.sys

2008-02-11 19:02 65,536 ----a-w C:\WINDOWS\system32\a3d.dll

2008-02-11 19:02 392,960 ----a-w C:\WINDOWS\system32\drivers\senfilt.sys

2008-02-11 19:02 293,888 ----a-w C:\WINDOWS\system32\drivers\ADIHdAud.sys

2008-02-11 19:02 28,160 ----a-w C:\WINDOWS\system32\PostProc.dll

2008-02-11 18:59 138,752 ----a-w C:\WINDOWS\system32\drivers\hdaudbus.sys

2008-02-11 17:52 --------- d-----w C:\Program Files\microsoft frontpage

2007-12-01 06:32 1,292,766 ----a-r C:\WINDOWS\SET3.tmp

2007-12-01 06:27 1,088,979 ----a-r C:\WINDOWS\SET4.tmp

2007-12-01 06:26 16,674 ----a-r C:\WINDOWS\SET8.tmp

2007-12-01 05:26 74,240 ----a-w C:\WINDOWS\system32\usbui.dll

2007-12-01 05:25 4,096 ----a-w C:\WINDOWS\system32\ksuser.dll

2007-12-01 04:36 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll

2007-12-01 04:36 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll

2007-12-01 04:36 483,840 ----a-w C:\WINDOWS\system32\wzcsvc.dll

2007-12-01 04:36 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll

2007-12-01 04:36 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll

2007-12-01 04:36 35,328 ----a-w C:\WINDOWS\system32\pid.dll

2007-12-01 04:36 20,992 ----a-w C:\WINDOWS\system32\hid.dll

2007-12-01 04:36 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2007-12-01 04:36 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll

2007-12-01 04:36 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll

2007-12-01 04:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2007-12-01 04:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll

2007-12-01 04:25 997,376 ----a-w C:\WINDOWS\system32\msgina.dll

2007-12-01 04:24 756,224 ----a-w C:\WINDOWS\system32\winntbbu.dll

2007-12-01 04:24 706,048 ----a-w C:\WINDOWS\system32\ntdll.dll

2007-12-01 04:24 5,632 ----a-w C:\WINDOWS\system32\wmi.dll

2007-12-01 04:23 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2007-12-01 04:23 101,888 ----a-w C:\WINDOWS\system32\dpcdll.dll

2007-12-01 04:21 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll

2007-12-01 04:21 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll

2007-12-01 00:26 74,752 ----a-w C:\WINDOWS\system32\storprop.dll

2007-11-30 22:24 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys

2007-11-30 22:22 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2007-11-30 21:30 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys

2007-11-30 21:27 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe

2007-11-30 21:25 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll

2007-11-30 21:24 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll

2007-11-30 20:38 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll

2007-11-30 20:37 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll

2007-11-30 20:37 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll

2007-11-30 20:37 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dLL

2007-11-30 20:35 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll

2007-11-30 20:25 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll

2007-11-30 20:25 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll

2007-11-30 20:25 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll

2007-11-30 20:23 306,176 ----a-w C:\WINDOWS\system32\slbcsp.dll

2007-11-30 20:23 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll

2007-11-30 20:23 169,984 ----a-w C:\WINDOWS\system32\sccbase.dll

2007-11-30 20:23 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll

2007-11-30 20:23 101,888 ----a-w C:\WINDOWS\system32\gpkcsp.dll

2007-11-30 20:13 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll

2007-11-30 20:08 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll

2007-11-30 20:06 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll

2007-11-30 19:54 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll

2007-11-30 19:53 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll

2007-11-30 19:49 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll

2007-11-30 19:45 48,128 ----a-w C:\WINDOWS\system32\inetres.dll

2007-11-30 19:41 53,840 ----a-w C:\WINDOWS\system32\dosx.exe

2007-11-30 19:41 5,120 ----a-w C:\WINDOWS\system32\winnls.dll

2007-11-30 19:40 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll

2007-11-30 19:39 92,224 ----a-w C:\WINDOWS\system32\krnl386.exe

2007-11-30 19:38 3,338 ----a-w C:\WINDOWS\system32\redir.exe

2007-11-30 19:37 63,488 ----a-w C:\WINDOWS\system32\browselc.dll

2007-11-30 19:37 42,537 ----a-w C:\WINDOWS\system32\keyboard.sys

2007-11-30 19:36 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll

2007-11-30 19:36 35,648 ----a-w C:\WINDOWS\system32\ntio411.sys

2007-11-30 19:36 35,424 ----a-w C:\WINDOWS\system32\ntio412.sys

2007-11-30 19:36 34,560 ----a-w C:\WINDOWS\system32\ntio804.sys

2007-11-30 19:36 34,560 ----a-w C:\WINDOWS\system32\ntio404.sys

2007-11-30 19:36 33,840 ----a-w C:\WINDOWS\system32\ntio.sys

2007-11-30 19:35 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll

2007-11-30 19:32 216,064 ----a-w C:\WINDOWS\system32\moricons.dll

2007-11-30 19:10 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll

2007-11-30 18:31 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll

2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]

--a------ 2007-09-06 11:19 1426432 C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

--a------ 2007-02-06 11:20 478800 C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help]

--a------ 2007-09-11 10:32 880640 C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor]

--a------ 2007-09-06 19:57 626688 C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

--a------ 2007-03-21 13:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner]

--a------ 2007-04-11 17:34 376832 C:\Program Files\ASUS\AI Direct Link\AsCmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link]

--a------ 2007-08-20 11:42 1209856 C:\Program Files\ASUS\AI Direct Link\AsShare.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2006-11-16 23:16 7770112 C:\WINDOWS\system32\NvCpl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2006-11-16 23:16 81920 C:\WINDOWS\system32\NvMcTray.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2006-11-16 23:16 1622016 C:\WINDOWS\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

--------- 2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a------ 2008-02-11 14:02 868352 C:\Program Files\Analog Devices\Core\smax4pnp.exe

 

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-17 19:08:29

Windows 5.1.2600 Service Pack 3, v.3264 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-02-17 19:08:43

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:10:09 PM, on 2/17/2008

Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 4084 bytes


Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

    ============================
    Please go to: VirusTotal

    • Click the Browse button and search for the following file: C:\WINDOWS\Ascd_tmp.ini
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.


    Let's get Java updated.

     

    Please follow these steps to remove older-version Java components and update.

    • Download the latest version of Java Runtime Environment (JRE) 6 Update 4
    • Scroll to Java Runtime Environment (JRE) 6 Update 4 and click on the download button
    • Click the "Download" button to the right.
    • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
    • Click on the link to download Windows Offline Installation and save to your desktop.

       

      Go to Start > Control Panel double-click on the Software icon > add/remove programs.

      Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )

      It should have the Java icon next to it.

      Select it and click Remove.

    • Close any programs you may have running - especially your web browser.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
    ================================================================

    Clearing Java Cache

    Go into the Control Panel and double-click the Java icon (looks like a coffee cup).

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache - leave all checked:
      • Applications
      • Applets
      • Trace and Log Files

    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

     

    ComboFix didn't really show me anything so I suggest we run a Kaspersky scan....

     

     

    *Note

    It is recommended to disable your resident antivirus and antispyware programs while performing the scan, to avoid conflicts and to speed up scan time.

    Please don't go surfing while your resident protection is disabled!

    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

     

    Click Yes, when prompted to install its ActiveX component.

    (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

    Or use Firefox with IE-Tab plugin

    https://addons.mozilla.org/en-US/firefox/addon/1419

    The program launches and downloads the latest definition files.

    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database: Extended
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK and, under Select a target to scan, select My Computer.

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.


 

 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

======================================================

 

 

In your next reply post:

 

File requested scanned

Kaspersky log

New HJT log


Sorry it took so long to get back but I am still dealing with this eBay debacle.

 

I could not find a way to create a text file for the first scan so I took screen shots:

 


 

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Sunday, February 17, 2008 9:56:04 PM

Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 18/02/2008

Kaspersky Anti-Virus database records: 570276

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

 

Scan Statistics:

Total number of scanned objects: 23028

Number of viruses found: 0

Number of infected objects: 0

Number of suspicious objects: 0

Duration of the scan process: 00:11:30

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\cert8.db Object is locked skipped

C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\history.dat Object is locked skipped

C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\key3.db Object is locked skipped

C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\parent.lock Object is locked skipped

C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\435A03A6d01 Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\g7j1l8i4.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_278.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_764.dat Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped

E:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\System Volume Information\_restore{6D6C2933-150E-4DC4-8879-374A9FF8EB1C}\RP4\change.log Object is locked skipped

 

Scan process completed.

 

 

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:57:32 PM, on 2/17/2008

Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 4179 bytes


Welcome back Paul

 

Everything is coming back clean.

 

Have HJT fix this orphaned entry

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

 

 

Using windows explorer delete these

 

C:\WINDOWS\SET3.tmp

C:\WINDOWS\SET4.tmp

C:\WINDOWS\SET8.tmp

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

 

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

 

From a tidbit of information I found at TrendMicro, let's see if you can search for a file they say might be related.

 

 

Go to My Computer->Tools->Folder Options->View tab:

• Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
• Click OK. (Remember to Hide files and folders once done)

 

 

Using windows search option, search for

WEBPMGER.EXE

 

 

Info can be found here

http://www.trendmicro.com/vinfo/virusencyc...EA&VSect=Sn

 

Post back and let me know if you found anything.


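The triage in the reply above (an orphaned O2 entry with "(no file)", the rest judged clean by eye) can be done mechanically. What follows is an added example for this thread, not part of any post and not HijackThis code. The sample entries are a subset copied from the log Paul posted; the allow-list of ActiveX download hosts, the expected autostart roots and the regexes are my assumptions, and the output is a list of things to ask about, not a verdict.

```python
import re
from urllib.parse import urlparse

# Sample entries copied from the HijackThis log posted earlier in this thread (a subset).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption: hosts a helper would accept for O16 ActiveX downloads without comment.
TRUSTED_DPF_HOSTS = {"www.pcpitstop.com", "www.kaspersky.com"}

# Assumption: autostart binaries are expected under these roots (lower-cased); anything else gets a look.
EXPECTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

# "O2 - BHO: ..." / "R0 - HKCU\..." : section code, dash, body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# For O4 bodies: the text after the [name] tag up to the first .exe, with quotes dropped.
RUN_PATH_RE = re.compile(r'\]\s*"?([^"]*?\.exe)', re.IGNORECASE)


def run_path(body):
    """Executable launched by an O4 entry, or '' if none could be parsed."""
    m = RUN_PATH_RE.search(body)
    return m.group(1) if m else ""


def triage(log_text):
    """Return (code, reason, line) for entries a helper would ask about before calling a log clean."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append((code, "orphaned: CLSID still registered but its file is gone", line))
        elif code == "O4":
            path = run_path(body).lower()
            if path and not path.startswith(EXPECTED_ROOTS):
                findings.append((code, "autostart outside Program Files / Windows", line))
        elif code == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((code, "ActiveX download from unlisted host %s" % host, line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service with no vendor string; verify the binary", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (code, reason, line))
```

On the sample it flags exactly two lines: the orphaned BHO and the ProtexisLicensing service (a licensing component with no vendor string, which is worth confirming rather than assuming). An O4 entry launching from a user's Temp folder would be flagged too, which is the pattern that actually matters for a suspected keylogger.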
Hi Juliet. Again sorry it's taking so long to get back to ya but this time work got in the way.

 

I have found information that may be crucial to the problem. Two identical emails that I received (among many that day) addressed from eBay that they claim they did not send, and also that they are tainted emails. I forwarded them to spoof@ebay.com and received a message that these are phishing emails. Like a dummy, I had clicked on the provided link and someone apparently got in some fishing on that Sunday afternoon on me. I really like to fish too ...... :(

 


 

Anyhow, that sounds like it may have been the culprit. All I did was click on the link. It took me to another site that had an eBay appearance, but I just closed that window and never gave any info. I still have the emails in a folder in my email box, I guess I should delete them. Are they able to get your names and passwords just by clicking on the link? How about I give a bunch of fake names and passwords and send them on a wild goose chase, or better yet use a bunch of expletives ?? ... :mrgreen: ... I know, I know, bad idea. Is there anything I should do? I know a good bit about fishing, not so much on phishing.

 

Thanks, Paul

 

P.S. I followed the latest instructions that you provided, nothing was found on WEBPMGER.EXE.


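Paul's post above describes the two checks a defender runs on a mail like that: does the link's visible text agree with where the link actually goes, and is a brand name being used as a lure inside some unrelated domain. The example below is added here and is not part of either post; the mail body is constructed to illustrate the pattern and is not the mail Paul received. The brand list and the "last two labels" rule for the registrable domain are assumptions (a real tool would use the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of an eBay-themed phishing mail. Not the real message.
SAMPLE_MAIL_HTML = """
<p>Dear eBay member, please <a href="http://signin.ebay.com.account-check.example/ws/eBayISAPI.dll">
http://signin.ebay.com/ws/eBayISAPI.dll</a> to verify your account.</p>
<p>Questions? Visit <a href="http://pages.ebay.com/help/">eBay Help</a>.</p>
"""

# Assumption: brands the recipient expects mail from and that a lure would imitate.
LEGIT_DOMAINS = ("ebay.com", "paypal.com")


def registrable_domain(host):
    """Last two labels of a hostname. Fine for .com; a real tool uses the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def check_links(html_body):
    """Return one dict per link with the reasons (if any) it looks like a phish."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        reasons = []
        # 1. The visible text is itself a URL, but its domain is not where the link goes.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable_domain(shown) != target:
            reasons.append("text shows %s but link goes to %s" % (shown, host))
        # 2. A brand name appears in the hostname, yet the registrable domain is not the brand's.
        for brand in LEGIT_DOMAINS:
            if brand in host and target != brand:
                reasons.append("'%s' used as a lure inside %s" % (brand, host))
        results.append({"href": href, "text": text, "domain": target, "suspicious": reasons})
    return results


if __name__ == "__main__":
    for r in check_links(SAMPLE_MAIL_HTML):
        print(r["domain"], "->", r["suspicious"] or "ok")
```

Run on the constructed sample, the first link is reported twice over (display text says signin.ebay.com, the real destination is account-check.example, and "ebay.com" is just a subdomain label there), while the genuine pages.ebay.com link comes back with no reasons.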
Morning

 

I've gone back over logs we have trying to pin point anything....

And there's just not anything showing up.

Are they able to get your names and passwords just by clicking on the link?

Evidently so. I don't know how it's crafted or how it can bypass security on the machine, but it happened.

Were you using IE? The reason I ask: are all your Windows updates up to date?

Is there anything I should do?

I believe you've already changed your account info and passwords?

What we need to do is to handle this as if a backdoor trojan, get to a known clean computer and change all passwords where applicable, Pin numbers, credit card numbers, account numbers, etc. should all be changed immediately, and it would be wise to contact those same financial institutions to advise them of your situation.

 

 

 

Show Hidden Files and Folders

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

 

Right-click and open the folders below with Notepad and check the info inside; look to see if anything is out of the ordinary.

 

C:\Documents and Settings\Paul\Contacts

C:\Documents and Settings\Paul\UserData

C:\install.dat

 

 

One other scanner I can think of to give more data then what we've already used is DSS, not to say it will show me what I'm looking for, but I think it's worth a try.

 

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized

Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

 

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


Hi,

 

And theres just not anything showing up.

Is it possible that eBay was the one to have a security breach, and not my computer?

 

Were you using IE?

No, Firefox

 

is all your windows updates up to date?

Yes, well, using XP SP3 beta, it seems to perform better under benchmarking conditions.

 

I believe you've already changed your account info and passwords?

Yes, all of the info and passwords that were entered on this machine. Remember, I don't have too much stored in the computer. It is a benchmarking computer that I just rebuilt with all new components, clean hard drive. If I need to reinstall Windows it's not too big of a deal, just a quest of what happened and if there is any way to prevent it from happening again. As of now I am beginning to think that it was eBay with all of the security problems because of your efforts here. I think the way that could happen is eBay has to enter PayPal to send them the money that the winning bidder pays the seller. I'm thinking that the winning bidder, (of whom I was told by eBay that they were a phony and I never got my money), entered PayPal through eBay via a back door. He also put up a bunch of phony merchandise for sale on eBay under my name in an attempt to load up my PayPal account as he drained it. eBay never said I was infected, PayPal never said I was infected. You would think that they would make suggestions to me about the condition of my computer if they thought that was how it happened. I want to keep looking if you feel there is something to find, but I know that you're a busy girl and I don't want to waste too much of your time. I really do appreciate your help.

 

I looked through the computer files you listed, and I'm not seeing anything strange at all. In fact the computer has seemed normal the whole time, not a glitch.

 

 

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft Windows XP Professional (build 2600) SP 3.0

Architecture: X86; Language: English

 

CPU 0: Intel Pentium III Xeon processor

Percentage of Memory in Use: 28%

Physical Memory (total/avail): 2047.01 MiB / 1459.41 MiB

Pagefile Memory (total/avail): 1892.87 MiB / 1423.68 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1910.76 MiB

 

A: is Removable (No Media)

C: is Fixed (NTFS) - 52.73 GiB total, 38.36 GiB free.

D: is Fixed (NTFS) - 52.73 GiB total, 52.63 GiB free.

E: is Fixed (NTFS) - 51.76 GiB total, 51.69 GiB free.

F: is Fixed (NTFS) - 50.5 GiB total, 50.43 GiB free.

G: is CDROM (No Media)

H: is CDROM (No Media)

 

\\.\PHYSICALDRIVE0 - Volume0 - 207.73 GiB - 4 partitions

\PARTITION0 (bootable) - Installable File System - 52.73 GiB - C:

\PARTITION1 - Extended w/Extended Int 13 - 154.99 GiB - D: - E: - F:

 

 

 

-- Security Center -------------------------------------------------------------

 

 

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Paul\Application Data

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=ASUSMAX

ComSpec=C:\WINDOWS\system32\cmd.exe

DiskeeperIcon=C:\Program Files\Executive Software\DiskeeperLite\

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Paul

LOGONSERVER=\\ASUSMAX

NUMBER_OF_PROCESSORS=2

OS=Windows_NT

Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Executive Software\DiskeeperLite;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 6, GenuineIntel

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=1706

ProgramFiles=C:\Program Files

PROMPT=$P$G

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp

TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp

tvdumpflags=8

USERDOMAIN=ASUSMAX

USERNAME=Paul

USERPROFILE=C:\Documents and Settings\Paul

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

Paul (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

3DMark03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF35F637-72B9-43BE-A281-06EB2854393A}\Setup.exe" -l0x9

3DMark05 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}\setup.exe" -l0x9 -removeonly

3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}

AI Direct Link --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C312984C-E386-4C2D-B33E-7B54355FB16E}\Setup.exe" -l0x9

AI Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{310BC5E2-31AF-49BB-904D-E71EB93645DC}\setup.exe" -l0x9

AquaMark3 --> C:\PROGRA~1\AQUAMA~1\UNWISE.EXE C:\PROGRA~1\AQUAMA~1\INSTALL.LOG

ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

ATI AVIVO Codecs --> MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}

ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0

ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}

ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}

avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup

CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"

Corel Snapfire DVD Maker --> MsiExec.exe /X{17E14D89-3A9F-4706-9F9B-C2DFC7ABE94B}

Corel Snapfire Plus --> MsiExec.exe /X{7ADE3A47-B425-45E9-8FF6-11BE2B775645}

Diskeeper Lite --> MsiExec.exe /X{A3F60446-48FB-48A8-B5FC-BB3430AEF806}

DustBuster XP --> MsiExec.exe /I{7BEF8E43-094D-4C07-9684-EAEBE79BFA04}

EVEREST Home Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"

EVEREST Ultimate Edition v4.00 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"

EVGA Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly

HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Intel® Matrix Storage Manager --> C:\WINDOWS\System32\Imsmudlg.exe

Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}

Java 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}

Java SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}

jv16 PowerTools 1.3 --> "C:\Program Files\jv16 PowerTools\unins000.exe"

Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

MadOnion.com/3DMark2001 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91B323B5-A79C-4D23-BD6D-046C565F9BCF}\Setup.exe" -l0x9 uninstall -uninst

Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}

Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}

Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}

Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

NVIDIA nTune --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033

PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9

PCMark05 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C104E56-A441-429D-A609-D8A46EB92EA1}\setup.exe" -l0x9 -removeonly

SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly

Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"

Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}

Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

 

 

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type170 / Error

Event Submitted/Written: 02/19/2008 00:30:16 AM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application iexplore.exe, version 6.0.2900.3264, faulting module urlmon.dll, version 6.0.2900.3264, fault address 0x0003b5ce.

Processing media-specific event for [iexplore.exe!ws!]

 

Event Record #/Type169 / Error

Event Submitted/Written: 02/19/2008 00:30:07 AM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application iexplore.exe, version 6.0.2900.3264, faulting module urlmon.dll, version 6.0.2900.3264, fault address 0x0003b5ce.

Processing media-specific event for [iexplore.exe!ws!]

 

Event Record #/Type153 / Success

Event Submitted/Written: 02/18/2008 11:09:44 PM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type151 / Success

Event Submitted/Written: 02/18/2008 10:37:20 PM

Event ID/Source: 1102 / .NET Runtime Optimization Service

Event Description:

.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

 

Event Record #/Type149 / Success

Event Submitted/Written: 02/18/2008 10:37:18 PM

Event ID/Source: 1102 / .NET Runtime Optimization Service

Event Description:

.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

 

 

 

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- System Event Log ------------------------------------------------------------

 

Event Record #/Type2305 / Error

Event Submitted/Written: 02/19/2008 07:03:48 PM / 02/19/2008 07:04:17 PM

Event ID/Source: 13316 / ati2mtag

Event Description:

CV can't load required graphics object

 

Event Record #/Type2303 / Error

Event Submitted/Written: 02/19/2008 07:03:53 PM

Event ID/Source: 10016 / DCOM

Event Description:

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID

{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

 

Event Record #/Type2300 / Error

Event Submitted/Written: 02/19/2008 07:00:33 PM / 02/19/2008 07:01:03 PM

Event ID/Source: 13316 / ati2mtag

Event Description:

CV can't load required graphics object

 

Event Record #/Type2298 / Error

Event Submitted/Written: 02/19/2008 07:00:39 PM

Event ID/Source: 10016 / DCOM

Event Description:

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID

{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

 

Event Record #/Type2274 / Error

Event Submitted/Written: 02/18/2008 11:04:07 PM

Event ID/Source: 1002 / Dhcp

Event Description:

The IP address lease 192.168.1.12 for the Network Card with network address 001D60BD9962 has been

denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

 

 

 

-- End of Deckard's System Scanner: finished at 2008-02-19 19:48:41 ------------

 

 

 

 

Deckard's System Scanner v20071014.68

Run by Paul on 2008-02-19 20:51:32

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis (run as Paul.exe) ------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:51:34 PM, on 2/19/2008

Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Documents and Settings\Paul\Desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Paul.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - Startup: CCC.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 5108 bytes

 

-- Files created between 2008-01-19 and 2008-02-19 -----------------------------

 

2008-02-19 19:13:44 0 d--h----- C:\WINDOWS\PIF

2008-02-19 00:14:28 0 dr-h----- C:\Documents and Settings\Paul\Recent

2008-02-18 00:49:11 0 d-------- C:\Documents and Settings\Paul\Application Data\ATI

2008-02-18 00:49:11 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI

2008-02-18 00:48:56 0 --a------ C:\WINDOWS\ativpsrm.bin

2008-02-18 00:37:57 0 d-------- C:\Program Files\Common Files\ATI Technologies

2008-02-18 00:30:16 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>

2008-02-18 00:28:12 0 d-------- C:\Program Files\ATI Technologies

2008-02-17 23:29:00 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>

2008-02-17 23:29:00 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL Library>

2008-02-17 21:08:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-02-17 21:08:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-02-17 21:03:25 0 d-------- C:\Program Files\Sun

2008-02-17 21:02:17 0 d-------- C:\Program Files\Java

2008-02-17 21:02:15 0 d-------- C:\Program Files\Common Files\Java

2008-02-17 20:57:53 0 d-------- C:\WINDOWS\system32\appmgmt

2008-02-17 19:07:32 68096 --a------ C:\WINDOWS\system32\zip.exe

2008-02-17 19:07:32 98816 --a------ C:\WINDOWS\system32\sed.exe

2008-02-17 19:07:32 80412 --a------ C:\WINDOWS\system32\grep.exe

2008-02-17 19:07:32 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-02-17 17:57:27 0 d-------- C:\Program Files\Trend Micro

2008-02-17 13:19:24 0 d-------- C:\Program Files\Activision

2008-02-17 13:17:43 0 d--hs---- C:\WINDOWS\ftpcache

2008-02-17 13:13:46 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

2008-02-17 13:13:18 0 d-------- C:\Program Files\NVIDIA Corporation

2008-02-17 13:12:54 0 d-------- C:\Program Files\NVIDIA nTune Performance Application

2008-02-14 14:17:43 0 d-------- C:\Documents and Settings\Paul\Contacts

2008-02-14 14:14:10 0 d-------- C:\Program Files\MSN Messenger

2008-02-14 14:08:44 0 d---s---- C:\Documents and Settings\Paul\UserData

2008-02-13 10:52:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot

2008-02-13 10:52:21 0 d-------- C:\Program Files\Webroot

2008-02-13 10:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot

2008-02-13 10:49:32 164 --a------ C:\install.dat

2008-02-13 10:47:45 0 d-------- C:\Documents and Settings\Paul\Application Data\Webroot

2008-02-13 10:42:56 9547808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-02-13 10:41:18 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

2008-02-13 10:41:16 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2008-02-13 10:41:15 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT Operating System>

2008-02-13 10:41:11 0 d-------- C:\WINDOWS\system32\ZoneLabs

2008-02-13 10:40:38 0 d-------- C:\WINDOWS\Internet Logs

2008-02-13 10:37:11 0 d-------- C:\Program Files\Alwil Software

2008-02-12 01:53:57 0 d-------- C:\WINDOWS\Sun

2008-02-12 01:53:57 0 d-------- C:\Documents and Settings\Paul\Application Data\Sun

2008-02-11 21:41:40 0 d-------- C:\WINDOWS\system32\LogFiles

2008-02-11 21:29:47 0 d-------- C:\Program Files\DustBuster XP

2008-02-11 21:27:18 0 d-------- C:\Program Files\Microsoft IntelliPoint

2008-02-11 21:26:42 0 d-------- C:\Program Files\jv16 PowerTools

2008-02-11 21:26:02 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>

2008-02-11 21:26:02 16877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>

2008-02-11 21:26:02 4672 --a------ C:\WINDOWS\system\WOWPOST.EXE <Not Verified; Adaptec; Adaptec's ASPI Layer>

2008-02-11 21:26:02 5600 --a------ C:\WINDOWS\system\WINASPI.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>

2008-02-11 21:25:15 0 d-------- C:\Program Files\Microsoft Bootvis

2008-02-11 21:20:33 0 d-------- C:\WINDOWS\system32\windows media

2008-02-11 21:20:15 0 d-------- C:\WINDOWS\RegisteredPackages

2008-02-11 21:20:15 0 d--h----- C:\WINDOWS\msdownld.tmp

2008-02-11 21:20:14 0 d-------- C:\Program Files\Windows Media Components

2008-02-11 21:20:00 5632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>

2008-02-11 21:17:37 0 d-------- C:\Program Files\MadOnion.com

2008-02-11 20:49:31 0 d--hs---- C:\WINDOWS\Installer

2008-02-11 20:49:30 0 d-------- C:\Program Files\Common Files\ODBC

2008-02-11 20:49:26 0 d-------- C:\Program Files\Common Files\SpeechEngines

2008-02-11 20:49:25 0 dr------- C:\Program Files

2008-02-11 20:49:25 0 d-------- C:\Program Files\Common Files

2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\Templates

2008-02-11 20:48:56 0 dr------- C:\Documents and Settings\Default User\Start Menu

2008-02-11 20:48:56 0 dr-h----- C:\Documents and Settings\Default User\SendTo

2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\Recent

2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\PrintHood

2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\Default User\NetHood

2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\Default User\My Documents

2008-02-11 20:48:56 0 dr-h----- C:\Documents and Settings\Default User\Local Settings

2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\Default User\Favorites

2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\Default User\Desktop

2008-02-11 20:48:56 0 d---s---- C:\Documents and Settings\Default User\Cookies

2008-02-11 20:48:56 0 d--h----- C:\Documents and Settings\All Users\Templates

2008-02-11 20:48:56 0 dr------- C:\Documents and Settings\All Users\Start Menu

2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\All Users\Favorites

2008-02-11 20:48:56 0 dr------- C:\Documents and Settings\All Users\Documents

2008-02-11 20:48:56 0 d-------- C:\Documents and Settings\All Users\Desktop

2008-02-11 20:48:42 0 d-------- C:\WINDOWS\system32\CatRoot2

2008-02-11 20:48:42 0 d-------- C:\WINDOWS\system32\CatRoot

2008-02-11 20:48:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data

2008-02-11 20:48:37 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft

2008-02-11 20:48:37 0 dr-h----- C:\Documents and Settings\All Users\Application Data

2008-02-11 20:48:37 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft

2008-02-11 20:48:09 0 d--hs---- C:\System Volume Information

2008-02-11 20:48:09 0 d-------- C:\Documents and Settings

2008-02-11 20:43:41 0 d-------- C:\WINDOWS\OemDir

2008-02-11 20:43:40 0 d-------- C:\WINDOWS

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\WinSxS

2008-02-11 20:43:40 0 dr------- C:\WINDOWS\Web

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\twain_32

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\wins

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\wbem

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\usmt

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\spool

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\ShellExt

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\Setup

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\ras

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\oobe

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\npp

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\mui

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\inetsrv

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\IME

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\icsxml

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\ias

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\export

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\en

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\drivers

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\drivers\etc

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\drivers\disdn

2008-02-11 20:43:40 0 dr-hs--c- C:\WINDOWS\system32\dllcache

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\dhcp

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\config

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\3com_dmi

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\3076

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\2052

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1054

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1042

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1041

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1037

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1033

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1031

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1028

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system32\1025

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\system

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\security

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Resources

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\repair

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Provisioning

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\PeerNet

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\pchealth

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Network Diagnostic

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\mui

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\msapps

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\msagent

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Media

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\L2Schemas

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\java

2008-02-11 20:43:40 0 d--h----- C:\WINDOWS\inf

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\ime

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Help

2008-02-11 20:43:40 0 dr--s---- C:\WINDOWS\Fonts

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\ehome

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Driver Cache

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Debug

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Cursors

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Connection Wizard

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\Config

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\AppPatch

2008-02-11 20:43:40 0 d-------- C:\WINDOWS\addins

2008-02-11 20:02:51 0 d-------- C:\WINDOWS\system32\Futuremark

2008-02-11 20:02:51 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys

2008-02-11 19:58:18 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>

2008-02-11 19:58:03 0 d-------- C:\Program Files\AquaMark3

2008-02-11 19:50:08 0 d-------- C:\Program Files\Futuremark

2008-02-11 18:29:06 0 d-------- C:\Program Files\Lavalys

2008-02-11 15:30:24 0 d-------- C:\Program Files\Executive Software

2008-02-11 14:56:33 1279 --a------ C:\WINDOWS\mozver.dat

2008-02-11 14:54:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Google

2008-02-11 14:53:52 0 d-------- C:\Program Files\CCleaner

2008-02-11 14:48:33 0 --a------ C:\WINDOWS\nsreg.dat

2008-02-11 14:48:32 0 d-------- C:\Documents and Settings\Paul\Application Data\Mozilla

2008-02-11 14:46:59 0 d-------- C:\Documents and Settings\Paul\Application Data\Macromedia

2008-02-11 14:46:58 0 d-------- C:\Documents and Settings\Paul\Application Data\Adobe

2008-02-11 14:12:32 0 d-------- C:\WINDOWS\pss

2008-02-11 14:11:43 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2008-02-11 14:11:43 8 -r-hs---- C:\WINDOWS\system32\493B9F383A.sys

2008-02-11 14:11:38 0 d-------- C:\Documents and Settings\Paul\Application Data\Corel

2008-02-11 14:03:20 53248 -----n--- C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>

2008-02-11 14:03:20 1285632 -----n--- C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>

2008-02-11 14:03:20 49152 -----n--- C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>

2008-02-11 14:03:20 45056 -----n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>

2008-02-11 14:03:20 0 d-------- C:\Program Files\Analog Devices

2008-02-11 13:40:55 0 d-------- C:\My Music

2008-02-11 13:40:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel

2008-02-11 13:40:45 0 d-------- C:\Program Files\Corel

2008-02-11 13:40:45 0 d-------- C:\Program Files\Common Files\Corel

2008-02-11 13:40:00 0 d-------- C:\Program Files\Common Files\Adobe

2008-02-11 13:39:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe

2008-02-11 13:30:37 1622016 --a------ C:\WINDOWS\system32\nwiz.exe

2008-02-11 13:30:37 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll

2008-02-11 13:30:37 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll

2008-02-11 13:30:37 466944 --a------ C:\WINDOWS\system32\nvshell.dll

2008-02-11 13:30:37 1470464 --a------ C:\WINDOWS\system32\nview.dll

2008-02-11 13:30:37 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe

2008-02-11 13:30:37 442368 --a------ C:\WINDOWS\system32\nvappbar.exe

2008-02-11 13:30:37 425984 --a------ C:\WINDOWS\system32\keystone.exe

2008-02-11 13:30:37 0 d-------- C:\WINDOWS\nview

2008-02-11 13:28:41 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll

2008-02-11 13:28:38 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll

2008-02-11 13:28:17 0 d-------- C:\WINDOWS\system32\EVGA

2008-02-11 13:18:35 24576 -ra------ C:\WINDOWS\system32\AsIO.dll <Not Verified; ; AsIO Dynamic Link Library>

2008-02-11 13:18:33 0 d-------- C:\Program Files\ASUS

2008-02-11 13:14:32 0 d-------- C:\Program Files\Marvell

2008-02-11 13:14:30 0 d-------- C:\Program Files\Common Files\InstallShield

2008-02-11 13:14:28 0 d-------- C:\Documents and Settings\Paul\Application Data\TMP

2008-02-11 13:07:32 126976 --a------ C:\WINDOWS\system32\Imsmudlg.exe <Not Verified; Intel® Corporation; Uninstset Installation Utility>

2008-02-11 13:07:32 0 d-------- C:\WINDOWS\system32\ENU

2008-02-11 13:07:23 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-02-11 13:07:22 0 d-------- C:\Documents and Settings\Paul\Application Data\InstallShield

2008-02-11 13:05:22 0 d-------- C:\WINDOWS\ASUSInstAll

2008-02-11 13:02:00 0 d-------- C:\WINDOWS\system32\drivers\system32

2008-02-11 13:02:00 0 d-------- C:\WINDOWS\system32\drivers\INF

2008-02-11 13:01:00 0 d-------- C:\WINDOWS\system32\ReinstallBackups

2008-02-11 13:00:59 0 d------c- C:\WINDOWS\system32\DRVSTORE

2008-02-11 13:00:58 0 d-------- C:\Program Files\Intel

2008-02-11 13:00:42 0 d-------- C:\Intel

2008-02-11 12:56:25 10288 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS

2008-02-11 12:55:40 0 d-------- C:\Documents and Settings\Paul\Application Data\Identities

2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\Templates

2008-02-11 12:55:35 0 dr------- C:\Documents and Settings\Paul\Start Menu

2008-02-11 12:55:35 0 dr-h----- C:\Documents and Settings\Paul\SendTo

2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\PrintHood

2008-02-11 12:55:35 1572864 --ah----- C:\Documents and Settings\Paul\NTUSER.DAT

2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\NetHood

2008-02-11 12:55:35 0 d--h----- C:\Documents and Settings\Paul\Local Settings

2008-02-11 12:55:35 0 dr------- C:\Documents and Settings\Paul\Favorites

2008-02-11 12:55:35 0 d-------- C:\Documents and Settings\Paul\Desktop

2008-02-11 12:55:35 0 d---s---- C:\Documents and Settings\Paul\Cookies

2008-02-11 12:55:35 0 dr-h----- C:\Documents and Settings\Paul\Application Data

2008-02-11 12:55:09 0 d-------- C:\WINDOWS\SoftwareDistribution

2008-02-11 12:55:08 0 d---s---- C:\WINDOWS\system32\Microsoft

2008-02-11 12:55:08 0 d-------- C:\WINDOWS\Prefetch

2008-02-11 12:55:08 0 d---s---- C:\Documents and Settings\LocalService\Cookies

2008-02-11 12:55:08 0 d-------- C:\Documents and Settings\LocalService\Application Data

2008-02-11 12:55:08 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft

2008-02-11 12:55:07 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT

2008-02-11 12:55:07 0 d--h----- C:\Documents and Settings\LocalService\Local Settings

2008-02-11 12:54:59 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT

2008-02-11 12:54:59 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings

2008-02-11 12:54:59 0 d---s---- C:\Documents and Settings\NetworkService\Cookies

2008-02-11 12:54:59 0 d-------- C:\Documents and Settings\NetworkService\Application Data

2008-02-11 12:54:59 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft

2008-02-11 12:52:23 0 d-------- C:\WINDOWS\system32\xircom

2008-02-11 12:52:23 0 d-------- C:\Program Files\microsoft frontpage

2008-02-11 12:52:17 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT

2008-02-11 12:52:15 0 -rahs---- C:\MSDOS.SYS

2008-02-11 12:52:15 0 -rahs---- C:\IO.SYS

2008-02-11 12:52:15 0 --a------ C:\CONFIG.SYS

2008-02-11 12:52:15 0 --a------ C:\AUTOEXEC.BAT

2008-02-11 12:51:52 0 d--hs---- C:\Documents and Settings\All Users\DRM

2008-02-11 12:51:48 0 dr------- C:\WINDOWS\Offline Web Pages

2008-02-11 12:51:48 0 d---s---- C:\WINDOWS\Downloaded Program Files

2008-02-11 12:51:43 0 d--h----- C:\Program Files\WindowsUpdate

2008-02-11 12:51:30 0 d-------- C:\WINDOWS\system32\DirectX

2008-02-11 12:51:11 0 d---s---- C:\WINDOWS\Tasks

2008-02-11 12:51:10 0 d-------- C:\Program Files\Common Files\MSSoap

2008-02-11 12:51:07 0 d-------- C:\WINDOWS\srchasst

2008-02-11 12:51:06 0 d-------- C:\WINDOWS\system32\Macromed

2008-02-11 12:51:00 0 d-------- C:\Program Files\Movie Maker

2008-02-11 12:50:40 0 d-------- C:\WINDOWS\system32\Restore

2008-02-11 12:50:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat

2008-02-11 12:50:14 0 d-------- C:\WINDOWS\Registration

2008-02-11 12:50:12 0 d-------- C:\Program Files\Online Services

2008-02-11 12:50:09 0 d-------- C:\Program Files\Messenger

2008-02-11 12:50:06 0 d-------- C:\Program Files\MSN Gaming Zone

2008-02-11 12:49:22 0 d-------- C:\Program Files\Windows NT

2008-02-11 12:49:14 0 d-------- C:\WINDOWS\system32\MsDtc

2008-02-11 12:49:10 0 d-------- C:\WINDOWS\system32\Com

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-02-11 20:48:56 62 --ahs---- C:\Documents and Settings\Paul\Application Data\desktop.ini

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [09/04/2007 07:25 PM]

 

C:\Documents and Settings\Paul\Start Menu\Programs\Startup\

CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [7/17/2007 11:13:34 AM]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

C:\WINDOWS\System32\dimsntfy.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]

"C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpu Level Up help]

C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPU Power Monitor]

"C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch As Cmd Runner]

"C:\Program Files\ASUS\AI Direct Link\AsCmd.exe" -reg

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Direct Link]

"C:\Program Files\ASUS\AI Direct Link\AsShare.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

C:\Program Files\Analog Devices\Core\smax4pnp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

eapsvcs eaphost

dot3svc dot3svc

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

napagent

hkmsvc

 

 

 

 

-- End of Deckard's System Scanner: finished at 2008-02-19 20:52:42 ------------


For me now, it becomes a guessing game.

Somehow Secure Sockets Layer was broken; how, I don't know.

I doubt you'll ever get eBay or PayPal to ever confess the error was on their end, or even the Bank where your personal account is located. What you could suggest is that they do whatever they can to add more security layers to their methods of making transactions: more security questions or security numbers, an unbreakable SSL, somehow using some kind of tracking methods to ensure against fraud. They would have to do something if more people get robbed and more events like these are reported against them. But you have to stop and think: if this guy never sent you an email with anything you had to click on, such as a link, and all transactions were through eBay, PayPal, and your Bank...

 

 

Not much going on here, but this does need to be updated.

Update Adobe Acrobat Reader

* Please go to this link: Adobe Acrobat Reader Download Link
http://www.adobe.com/products/acrobat/readstep2.html
* Click Download
* On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
* Click the Continue button
* Click Run, and click Run again
* Next click the Install Now button and follow the on-screen prompts

Now click Start---Control Panel. Double click Add or Remove Programs.

Adobe Reader 7.0.5 <--click on the program to highlight it, and click on Remove.

 

 

For Firefox users:

Click on the "Edit Options…" button in the bar to continue with the download.

2. Add the web site to the sites which are allowed to install add-ons.
   Click on the "Allow" button to add the site to the list of allowed sites.
   Click on the "Close" button to continue with the download.

3. Refresh the thank you page.
   Click on the refresh button on your browser.

4. A Firefox security dialog box will appear, prompting you to install the add-on.
   Click on the "Install Now" button to continue with the download.

5. An add-on dialog box will appear.
   Click on the dialog close button.

 

 

 

 

NEXT

* Click START then RUN
* Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.

 

 

 

One other scan we can do to check

 

*Note

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.


 

 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.
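Since the online scanner only reports and never cleans, the report has to be read by hand. Below is an added example (not part of the original thread or of Kaspersky's tools) that parses a report in the layout posted in this thread, separates "Object is locked skipped" entries (normal for registry hives, event logs and AV databases) from anything else, and cross-checks the counters against the object list. The sample report is constructed and shortened; the extra "Infected:" line is an assumed format used only to exercise the non-locked path.

```python
import re

# Constructed sample in the layout of the report posted in this thread (shortened).
# The last object line is an assumed format, added so the "needs review" path runs.
SAMPLE_REPORT = """\
KASPERSKY ONLINE SCANNER REPORT
Scan Statistics:
Total number of scanned objects: 26492
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:12:21

Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\Documents and Settings\\Paul\\NTUSER.DAT Object is locked skipped
C:\\Temp\\sample.exe Infected: EICAR-Test-File skipped
Scan process completed.
"""

STAT_RE = re.compile(r"^(Total number of scanned objects|Number of viruses found|"
                     r"Number of infected objects|Number of suspicious objects): (\d+)$")
LOCKED_SUFFIX = " Object is locked skipped"
COUNTERS = ("Number of viruses found", "Number of infected objects",
            "Number of suspicious objects")


def parse_report(text):
    """Return (counters, paths skipped because locked, every other object line)."""
    stats, locked, findings = {}, [], []
    in_objects = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
        elif line.startswith("Infected Object Name"):
            in_objects = True          # object list starts after this header
        elif line == "Scan process completed.":
            in_objects = False
        elif in_objects:
            if line.endswith(LOCKED_SUFFIX):
                locked.append(line[:-len(LOCKED_SUFFIX)])
            else:
                findings.append(line)  # anything not merely locked needs a look
    return stats, locked, findings


def verdict(stats, findings):
    """'clean' only when the counters AND the object list both show nothing."""
    counted = sum(stats.get(k, 0) for k in COUNTERS)
    return "clean" if counted == 0 and not findings else "needs review"
```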


For me now, it becomes a guessing game.

Ok, I'll play.

 

I doubt you'll ever get eBay or PayPal to ever confess the error was on their end, or even the Bank where your personal account is located.

I agree, they will never admit fault.

The money was being "funneled" out of PayPal; fortunately my bank account was never affected. PayPal has $95 CAD listed in my account as returned to me, but frozen until the investigation is completed. They have been very cooperative and helpful up to this point. They are sending me one of these for another layer of passwords at no cost (like a $5 value):

As I understand it, it is an additional password that will change every 30 seconds.

 

 

Here we go, completed with Internet Explorer this time:

 

------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Wednesday, February 20, 2008 8:03:20 PM

Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3264 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 20/02/2008

Kaspersky Anti-Virus database records: 574000

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

 

Scan Statistics:

Total number of scanned objects: 26492

Number of viruses found: 0

Number of infected objects: 0

Number of suspicious objects: 0

Duration of the scan process: 00:12:21

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\dfsr.db Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\fsr.log Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Messenger\paul69455@msn.com\SharingMetadata\Working\database_7C54_AE60_54AE_1CC0\tmp.edb Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows Live Contacts\paul69455@msn.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\History\History.IE5\MSHist012008022020080221\index.dat Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Temp\~DF214F.tmp Object is locked skipped

C:\Documents and Settings\Paul\Local Settings\Temp\~DF21D9.tmp Object is locked skipped

C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_7f8.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

 

Scan process completed.


Paul, as I suspected that log is clean.

PayPal has $95 CAD listed in my account as returned to me, but frozen until the investigation is completed. They have been very cooperative and helpful up to this point. They are sending me one of these for another layer of passwords at no cost (like a $5 value):

I applaud them for helping and trying to investigate.

I hope the criminal is caught and prosecuted.

 

Let's leave this topic open for a few days; in the event something screwy starts to happen, come back.

 

For now I want to leave you with a few preventive tips.

 

Below are recommendations to protect your computer.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 2.0: The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

 

How to prevent Malware: Created by Miekiemoes

 

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Slow Computer? Check here first; it may not be malware

http://www.castlecops.com/postitle175256-0-0-.html

Free Antivirus-AntiSpyware-Firewall Software
