Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

email problem [RESOLVED]


  • This topic is locked This topic is locked

#1
nondaj

nondaj

    Member

  • Member
  • PipPipPip
  • 412 posts
PC stats: Computer Specs:
Dell XPS400 Dimension
XP-Pro Version 2002 SP2
Pentium ® D CPU 2.80 GHz
2.79 GHz, 2.00 GB of Ram

E Drive – Sony CD-RW CRX217 E
IDE\CD Rom Sony
F Drive – HL-DT-ST DVD+-RW
GWA4164B
Video Card – Nvidia GeForce 6800
Sound Card – Sigma Tel High Defin.
Audio CODEC

Problem:
1 - receipt of emails from unknown correspondents asking who I am and why I am
emailing them

2 - noted in some emails I supposedly sent to one unknown correspondent, that a list exists
of unknown people who are receiving emails from me.

3 - have just received an email and noted that the sender is one person but inside the email
itself, the sender is listed as an entirely different person whom I know and who also knows
the sender listed in the email in my inbox.

4 - maintain rules of NEVER forwarding emails, use blind copies, use copy/paste of info when
possible, use notepad rather than MSWord as notepad appears not to use forwarding lines
that appear in emails; have MailWasher program to monitor emails before they reach my
Outlook Express mailbox, and monitor my address book constantly to make sure no
foreign names are listed therein.

5 - have notified correspondents involved in situation in attempt to glean any information
from them about how they handle emails and address book. Though have requested no
forwarding of emails to me nor any I send to them, I feel they are not adhering to my
requests and so may be contributing to the problem.


Submitting Hi-Jack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:02 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ewido.net/redirect.cgi?buy
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Magic%20Farm/Images/stg_drm.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - https://www.verizon....emailheader.jpg

--
End of file - 5543 bytes
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello nondaj, :)

Your Hijack log looks good. Just a couple questions and then we will have a look and see if we find anything out of the ordinary

receipt of emails from unknown correspondents asking who I am and why I am
emailing them

Does anything appear in your outbox to these people?

3 - have just received an email and noted that the sender is one person but inside the email
itself, the sender is listed as an entirely different person whom I know and who also knows
the sender listed in the email in my inbox.

This sounds like a forwarded e-mail You received?

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
nondaj

nondaj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 412 posts
Have not noted anything in my outbox re this people but will keep a check from now on.

Re forwarded email - did not note that this particular email was forwarded - the info within it was a link to the Greeting Card site to which I belong.


HOWEVER, I think most people that send me emails do so re sending pics/data via forwarding. I am really puzzled when I tell each person about the hazards of forwarding emails, that it seem to roll off their 'email backs' like water and the duck. Either just do not believe it or are simply too lazy to go through any extra effort in sending data and pics other ways.

When I see re: re: re: in subject line or numerous perpendicular lines along the left side of an email - FORWARDING going on. So how to avoid such a situation I have yet to figure out unless I start ceasing communication with such people. Which means most of my address book goes down the drain as well as the pleasure one gets from emailing:(
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
I understand, I don't like it when people forward either. I keep one secure e-mail that I use for Banks , bills etc. and one I use for friends. People really need to take privacy and confidentiality on the internet more seriously as you do. I'm afraid theres just not much you can do. Did you by chance run the DSS scan?
  • 0

#5
nondaj

nondaj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 412 posts
Gee what is the DSS scan? So of course did not run it :) Will do so and where did I miss it? If it was on the site where I posted my log - the tech I was talking with, Wannabe1, had told me to ONLY download the Hi-Jack files, install and then post the log - do nothing else. So willing to do the DSS if I can find same.
  • 0

#6
wannabe1

wannabe1

    Tech Staff

  • Technician
  • 16,645 posts
Second Post, nondaj. :)

http://www.geekstogo...s...t&p=1240595
  • 0

#7
nondaj

nondaj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 412 posts
Here is info from DSS scan as requested:

Deckard's System Scanner v20071014.68
Run by Jean on 2008-05-17 19:11:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-18 02:11:40 UTC - RP802 - Deckard's System Scanner Restore Point
1: 2008-05-18 01:39:10 UTC - RP801 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jean.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:59 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FireTrust\MailWasher Free\MailWasher.exe
C:\Documents and Settings\Jean\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jean.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ewido.net/redirect.cgi?buy
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Magic%20Farm/Images/stg_drm.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - https://www.verizon....emailheader.jpg

--
End of file - 5837 bytes

-- File Associations -----------------------------------------------------------

.reg - regedit - DefaultIcon - unable to read value
.reg - regedit - shell\open\command - regedit.exe %1
.reg - regedit - shell\edit\command - unable to read value
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 GiveIo - c:\windows\system32\drivers\giveio.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 atinewp2 (ATI eHomeWonder, WDM Video CODEC) - c:\windows\system32\drivers\atinewp2.sys <Not Verified; ATI Technologies Inc.; eHomeWonder>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 STHDA (SigmaTel High Definition Audio CODEC) - c:\windows\system32\drivers\sthda.sys <Not Verified; SigmaTel, Inc.; C-Major Audio>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SimpTcp (Simple TCP/IP Services) - c:\windows\system32\tcpsvcs.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R2 UxTuneUp (TuneUp Theme Extension) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S3 p2pgasvc (Peer Networking Group Authentication) - c:\windows\system32\svchost.exe -k p2psvc <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 SNMP (SNMP Service) - c:\windows\system32\snmp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-17 17:40:18 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 11:14:40 0 d-------- C:\Program Files\Trend Micro
2008-05-14 09:04:21 0 dr-h----- C:\Documents and Settings\Jean\Recent
2008-05-10 23:05:42 0 d-------- C:\Program Files\The Lost Crown
2008-05-10 18:12:55 0 d-------- C:\Program Files\Focus
2008-05-08 21:14:21 8673861 --a------ C:\SH3_Patch3_Multilanguage.exe <Not Verified; Macrovision Corporation; InstallShield ®>
2008-05-07 14:43:56 0 d-------- C:\Documents and Settings\Jean\Application Data\Malwarebytes
2008-05-07 14:43:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-07 14:43:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 20:52:35 0 d-------- C:\Program Files\Windows Defender
2008-04-29 17:00:45 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-27 21:32:48 0 d-------- C:\Program Files\Pronunciation Power
2008-04-24 14:10:10 155648 --a----c- C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-04-24 14:08:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-24 14:08:24 106496 --a----c- C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-04-24 14:08:24 38912 --a----c- C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-04-24 14:08:24 544768 --a----c- C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2008-04-24 14:08:24 569344 --a----c- C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2008-04-24 14:08:16 0 d-------- C:\Program Files\Ahead
2008-04-24 12:53:08 0 d-------- C:\WINDOWS\Performance
2008-04-24 12:52:39 0 d-------- C:\Program Files\Microsoft Windows Vista Upgrade Advisor
2008-04-24 12:50:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-04-22 19:27:41 0 d-------- C:\Program Files\DOSBox-0.72
2008-04-22 19:23:52 0 d-------- C:\VDMS LaunchPad
2008-04-22 19:21:30 0 d-------- C:\Program Files\VDMSound
2008-04-19 08:12:23 26 --a----c- C:\WINDOWS\winstart.bat
2008-04-19 08:12:23 123 --a----c- C:\WINDOWS\tmpcpyis.bat


-- Find3M Report ---------------------------------------------------------------

2008-05-17 19:08:09 0 d-------- C:\Documents and Settings\Jean\Application Data\MailWasherPro
2008-05-17 15:54:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-13 22:22:36 0 d-------- C:\Program Files\Common Files
2008-05-13 22:22:18 0 d-------- C:\Documents and Settings\Jean\Application Data\Adobe
2008-05-11 00:06:07 0 d-------- C:\Documents and Settings\Jean\Application Data\Skype
2008-05-10 22:23:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-08 15:20:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-03 18:30:42 0 d-------- C:\Program Files\Mulawa Dreaming
2008-04-29 16:24:15 0 d-------- C:\Documents and Settings\Jean\Application Data\AVG7
2008-04-24 14:08:26 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-24 13:49:47 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-04-24 13:44:00 0 d-------- C:\Documents and Settings\Jean\Application Data\Roxio
2008-04-24 13:31:19 0 d-------- C:\Program Files\FLT
2008-04-24 13:28:46 0 d-------- C:\Documents and Settings\Jean\Application Data\SpinTop
2008-04-23 09:10:27 0 d-------- C:\Program Files\DOSBox-0.71
2008-04-22 20:35:16 0 d-------- C:\Program Files\DOSBox-0.70
2008-04-20 19:34:33 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-19 08:12:23 122 --a----c- C:\WINDOWS\tmpdelis.bat
2008-04-17 11:19:51 0 d-------- C:\Documents and Settings\Jean\Application Data\Mozilla
2008-04-11 19:39:32 0 d-------- C:\Program Files\FireTrust
2008-04-11 19:38:33 0 d-------- C:\Program Files\Skype
2008-04-11 19:38:30 0 d-------- C:\Program Files\Common Files\Skype
2008-04-05 20:59:49 0 d--h----- C:\Program Files\Zero G Registry
2008-04-05 20:50:20 0 d-------- C:\Program Files\Ubi Soft
2008-04-05 19:56:50 0 d-------- C:\Documents and Settings\Jean\Application Data\SolSuite
2008-04-05 18:55:39 0 d-------- C:\Program Files\The Adventure Company
2008-04-05 18:54:28 0 d-------- C:\Program Files\TestGen
2008-04-01 15:20:21 0 d-------- C:\Documents and Settings\Jean\Application Data\TestGen
2008-03-30 11:47:03 0 d-------- C:\Program Files\123 Free Puzzle
2008-03-29 10:56:00 0 --a----c- C:\Program Files\temp01
2008-03-28 21:54:39 0 d-------- C:\Program Files\Magic Farm
2008-03-28 21:52:06 0 d-------- C:\Documents and Settings\Jean\Application Data\Meridian93
2008-03-24 11:11:03 0 d-------- C:\Documents and Settings\Jean\Application Data\WinRAR
2008-03-19 09:17:32 0 d-------- C:\Program Files\IObit
2008-03-13 23:01:33 115712 --a----c- C:\WINDOWS\3 Peak Space Cards Uninstaller.exe
2008-02-23 23:02:11 2539 --a----c- C:\WINDOWS\unins000.dat
2008-02-23 22:59:57 691545 --a----c- C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
12/10/2007 02:46 PM 1510424 --a--c--- C:\Program Files\free-downloads.net\tbfree.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= C:\Program Files\free-downloads.net\tbfree.dll [12/10/2007 02:46 PM 1510424]

[-HKEY_CLASSES_ROOT\CLSID\{ECDEE021-0D17-467F-A1FF-C7A115230949}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/08/2005 06:57 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [03/13/2008 04:48 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^donnajean^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\donnajean\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EM_EXEC]
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"C:\Program Files\LogMeIn\LogMeInSystray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Outlook]
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE Outlook:Inbox /recycle

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Outlook118]
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE Outlook:Inbox /recycle

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Outlook198]
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE Outlook:Inbox /recycle

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Outlook740]
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE Outlook:Inbox /recycle

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Outlook893]
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE Outlook:Calendar

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\program files\riven\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartRAM]
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smileycons]
C:\Program Files\Smileycons\smileycons.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"SigmatelSysTrayApp"=stsystra.exe
"Verizon_McciTrayApp"=C:\Program Files\Verizon\McciTrayApp.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8002 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-17 19:13:27 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 2046.09 MiB / 1606.6 MiB
Pagefile Memory (total/avail): 4991.79 MiB / 4707.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.91 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.81 GiB total, 208.36 GiB free.
D: is Fixed (FAT) - 0.02 GiB total, 0.01 GiB free.
E: is CDROM (CDFS)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-75NCB1 - 232.83 GiB - 2 partitions
\PARTITION0 - Unknown - 15.66 MiB
\PARTITION1 (bootable) - Installable File System - 232.81 GiB

\\.\PHYSICALDRIVE5 - HP PSC 2355 USB Device

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Avant Browser\\avant.exe"="C:\\Program Files\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"C:\\Program Files\\Myst Online\\UruExplorer.exe"="C:\\Program Files\\Myst Online\\UruExplorer.exe:*:Enabled:UruExplorer"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jean\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DONNA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jean
LOGONSERVER=\\DONNA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Roxio Shared\DLLShared;;;C:\Program Files\VDMSound;C:\Program Files\VDMSound
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jean\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jean\LOCALS~1\Temp
USERDOMAIN=DONNA
USERNAME=Jean
USERPROFILE=C:\Documents and Settings\Jean
VDMSPath=C:\Program Files\VDMSound
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

LogMeInRemoteUser (admin)
Jean (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{7104189A-C592-4A56-AC9E-7C0CA135DA3C}
--> MsiExec.exe /X{7B4AB13C-1A5C-4BC5-ABA6-762F8198444C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1000 Solitaire Games --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Cosmi\1000 Solitaire\DeIsL1.isu" -c"C:\Program Files\Cosmi\1000 Solitaire\_ISREG32.DLL"
6000 Sound Effects --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Cosmi\6KSFX\DeIsL1.isu" -c"C:\Program Files\Cosmi\6KSFX\_ISREG32.DLL"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Advanced WindowsCare Personal --> "C:\Program Files\IObit\Advanced WindowsCare V2\unins000.exe"
AGEIA PhysX v6.10.25 --> MsiExec.exe /X{7104189A-C592-4A56-AC9E-7C0CA135DA3C}
Amazing Calendar Maker --> C:\WINDOWS\uninst.exe -fC:\Calendar\DeIsL2.isu -cC:\Calendar\_ISREG32.DLL
American McGee's Alice™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77B5AD60-8F14-11D4-9BC9-0050041A1090}\Setup.exe"
AQUAZONE "Virtual Aquarium Collection" --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6A9D7C4-1E5B-42FD-98F5-E067A942AEE1}\Setup.exe" -l0x9
Barrow Hill --> C:\Program Files\Barrow Hill\Uninstall Barrow Hill.exe
Boomerang Stationery --> MsiExec.exe /I{B1544704-124C-11D3-825E-00C04F6843FE}
Canon Digital Camera USB WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\DC USB WIA\Uninst.isu" -c"C:\Program Files\Canon\DC USB WIA\SetupWia.dll"
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PhotoRecord\Uninst.isu" -c"C:\Program Files\Canon\PhotoRecord\Program\uninstdll.dll"
Canon Utilities RAW Image Converter --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RAW Image Converter\Uninst.isu"
Canon Utilities RemoteCapture 2.2 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\RemoteCapture\Uninst.isu"
Canon Utilities ZoomBrowser EX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ZoomBrowser EX\Uninst.isu" -c"C:\Program Files\Canon\ZoomBrowser EX\Program\uninstallutilities.dll"
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
DellConnect --> C:\Documents and Settings\All Users\Application Data\GTek\GTRemote\GTRCUnin.exe /selfdelete
ESET NOD32 Antivirus --> MsiExec.exe /I{86A6E235-C08F-4A14-B14C-793C7D8844A0}
free-downloads.net Toolbar --> C:\PROGRA~1\FREE-D~1.NET\UNWISE.EXE C:\PROGRA~1\FREE-D~1.NET\INSTALL.LOG
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\Setup.exe" -l0409 -INTELUNINST
Intel® PRO Network Connections Drivers --> Prounstl.exe
InterVideo WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech MouseWare 9.60 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBE0FCA1-4E95-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
LUMIX Simple Viewer --> C:\Program Files\InstallShield Installation Information\{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}\setup.exe -runfromtemp -l0x0009 -removeonly
MailWasher Free 6.1 --> "C:\Program Files\FireTrust\MailWasher Free\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Forest Floor Stationery --> MsiExec.exe /I{048CDCD6-124C-11D3-825E-00C04F6843FE}
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word Font Repair Macro --> MsiExec.exe /I{9553E941-0EED-11D3-8257-00C04F6843FE}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
My Kitchen Stationery --> MsiExec.exe /I{5100250E-124B-11D3-825E-00C04F6843FE}
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\Oalinst.exe" /U
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Pronunciation Power 1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Pronunciation Power\Uninst.isu"
QuickTime for Windows (32-bit) --> C:\WINDOWS\QTW32DEL.EXE
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shirleetaire --> C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Shirleetaire\ST5UNST.LOG"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Solitaire Antics Deluxe --> C:\Masque\SOLITA~1\UNWISE.EXE C:\Masque\SOLITA~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
TestGen --> C:\WINDOWS\unvise32.exe C:\Program Files\TestGen\uninstal.log
The Awakened --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E478F3F-7A7B-42C5-BE9C-40FC0E07665F}\setup.exe" -l0x9 -removeonly
The Lost Crown Uninstaller --> "C:\Program Files\The Lost Crown\unins000.exe"
The Pandora Directive --> C:\WINDOWS\uninst.exe -fC:\pandora\DeIsL1.isu
The Rosetta Stone Classic --> C:\WINDOWS\uninst.exe -f"C:\Program Files\FLT\DeIsL2.isu"
Three Shuffles --> C:\PROGRA~1\DESERT~1\THREES~1\UNWISE.EXE C:\PROGRA~1\DESERT~1\THREES~1\INSTALL.LOG
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Uru - Ages Beyond Myst --> "C:\Program Files\Ubi Soft\Cyan Worlds\Uru - Ages Beyond Myst\UninstallerData\Uninstall Uru - Ages Beyond Myst.exe"
VDMSound --> C:\Program Files\VDMSound\uninst.exe
Verizon Online Help and Support --> C:\PROGRA~1\Verizon\UNWISE.EXE C:\PROGRA~1\Verizon\INSTALL.LOG
Wallpaper Stationery --> MsiExec.exe /I{7A4C82FE-1248-11D3-825E-00C04F6843FE}
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Support Tools --> MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
Windows Vista Upgrade Advisor --> MsiExec.exe /I{C6AA3FB7-804F-4808-AD91-B62D6ED9B788}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type15277 / Error
Event Submitted/Written: 05/16/2008 08:07:59 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type15262 / Error
Event Submitted/Written: 05/13/2008 10:26:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application fp_ax_cab_installer.exe, version 9.0.124.0, faulting module nsisarray.dll, version 0.0.0.0, fault address 0x00003a6b.
Processing media-specific event for [fp_ax_cab_installer.exe!ws!]

Event Record #/Type15233 / Error
Event Submitted/Written: 05/10/2008 10:14:54 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type15209 / Warning
Event Submitted/Written: 05/08/2008 08:01:23 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type15208 / Warning
Event Submitted/Written: 05/08/2008 08:01:23 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type61024 / Error
Event Submitted/Written: 05/17/2008 07:12:53 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'DESKTOP.INI' on the volume 'DP(1)0x7e00-0xfa8600+1'. It has stopped monitoring the volume.

Event Record #/Type60974 / Error
Event Submitted/Written: 05/17/2008 03:40:09 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'DESKTOP.INI' on the volume 'DP(1)0x7e00-0xfa8600+1'. It has stopped monitoring the volume.

Event Record #/Type60946 / Error
Event Submitted/Written: 05/16/2008 09:07:47 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'DESKTOP.INI' on the volume 'DP(1)0x7e00-0xfa8600+1'. It has stopped monitoring the volume.

Event Record #/Type60885 / Warning
Event Submitted/Written: 05/15/2008 09:50:17 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type60873 / Error
Event Submitted/Written: 05/15/2008 02:42:01 PM
Event ID/Source: 1 / sr
Event Description:
The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'DESKTOP.INI' on the volume 'DP(1)0x7e00-0xfa8600+1'. It has stopped monitoring the volume.



-- End of Deckard's System Scanner: finished at 2008-05-17 19:13:27 ------------
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi nondaj,

The logs look fine,Just something minor to fix. Also let me know if your still havingthe e-mail problem

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

Next Please

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Thanks :)
  • 0

#9
nondaj

nondaj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 412 posts
Here is info requesed - hope I followed through correctly. Also in answer to your question re email problems now:
So far have received no further emails from people I do not know. Am having problem with large numbers of emails coming in and then they "stick" as though one refuses to download completely thus holding up all the others behind it. Seems to ocur when people send me pictues either large downloads or numerous pictues to download. Have to resort to reading mail on my server in order to "unstick" the one email.

Also Wannabe1 seems to feel if we do not come up with answers after these various scans we have been doing, then the problem originates when people forward and refuse to do so properly or monitor their address books. If this is the case then have couple of questions:

Anyway to ever get around people forwarding my emails neglecting to copy/paste; use blind copies, use notepad monitor address books? Have requested all to do the foregoing but people are either too lazy or just do not appreciate the harzards of forwards. How to get around them?

Why is it some emails I get with pictures I receive I cannot copy/paste, save to desktop, save to notepad/ms word. Attempts to do so will produce emails with red Xs instead of pictures or I get messages of: 'cannot find archieve for this file' 'some pictures will not be sent on' 'cannot find association for this file'. Seems to happens both with attachments and embedded material.





GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-20 16:29:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sphl.sys ZwCreateKey [0xBA6AA0E0]
SSDT sphl.sys ZwEnumerateKey [0xBA6C7CA2]
SSDT sphl.sys ZwEnumerateValueKey [0xBA6C8030]
SSDT sphl.sys ZwOpenKey [0xBA6AA0C0]
SSDT sphl.sys ZwQueryKey [0xBA6C8108]
SSDT sphl.sys ZwQueryValueKey [0xBA6C7F88]
SSDT sphl.sys ZwSetValueKey [0xBA6C819A]

---- Kernel code sections - GMER 1.0.14 ----

? sphl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B92B662C 5 Bytes JMP 89DDF1D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1852] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6AB046] sphl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6AB142] sphl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6AB0C4] sphl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6AB7CE] sphl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6AB6A4] sphl.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89DDE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 888CB500
Device \Driver\usbuhci \Device\USBPDO-0 893111F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E501F8
Device \Driver\dmio \Device\DmControl\DmConfig 89E501F8
Device \Driver\dmio \Device\DmControl\DmPnP 89E501F8
Device \Driver\dmio \Device\DmControl\DmInfo 89E501F8
Device \Driver\usbuhci \Device\USBPDO-1 893111F8
Device \Driver\usbuhci \Device\USBPDO-2 893111F8
Device \Driver\usbuhci \Device\USBPDO-3 893111F8
Device \Driver\usbehci \Device\USBPDO-4 892FA1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\NetBT \Device\NetBT_Tcpip_{120175C7-A5DE-4402-9564-0E81A511AD8F} 8893E1F8
Device \Driver\usbstor \Device\00000072 889211F8
Device \Driver\atapi \Device\Ide\IdePort0 89E4F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89E4F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89E4F1F8
Device \Driver\usbstor \Device\00000075 889211F8
Device \Driver\usbstor \Device\00000076 889211F8
Device \Driver\usbstor \Device\00000077 889211F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8893E1F8
Device \Driver\usbstor \Device\00000078 889211F8
Device \Driver\NetBT \Device\NetbiosSmb 8893E1F8
Device \Driver\usbstor \Device\0000006b 889211F8
Device \Driver\usbuhci \Device\USBFDO-0 893111F8
Device \Driver\usbuhci \Device\USBFDO-1 893111F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88931500
Device \Driver\usbstor \Device\0000007b 889211F8
Device \Driver\usbuhci \Device\USBFDO-2 893111F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88931500
Device \Driver\usbuhci \Device\USBFDO-3 893111F8
Device \Driver\usbehci \Device\USBFDO-4 892FA1F8
Device \Driver\Ftdisk \Device\FtControl 89DE11F8
Device \FileSystem\Fastfat \Fat 888CB500

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 89320500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0[email protected] 0x23 0x0C 0xD3 0x09 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0[email protected] 0x23 0x0C 0xD3 0x09 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6A 0x61 0x6D 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6A 0x61 0x6D 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6A 0x61 0x62 0x67 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6D 0x61 0x6D 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6F 0x61 0x66 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x66 0x61 0x62 0x64 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x69 0x61 0x66 0x63 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x66 0x61 0x65 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6F 0x61 0x6C 0x63 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] C:\PROGRA~1\MICROS~2\Office\OUTLLIB.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] 10!!!gxsf(Ng]qF`H{LsOUTLOOKFiles>ToT]jI{jf(=1&L[-81-]?

---- EOF - GMER 1.0.14 ----GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-20 16:29:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sphl.sys ZwCreateKey [0xBA6AA0E0]
SSDT sphl.sys ZwEnumerateKey [0xBA6C7CA2]
SSDT sphl.sys ZwEnumerateValueKey [0xBA6C8030]
SSDT sphl.sys ZwOpenKey [0xBA6AA0C0]
SSDT sphl.sys ZwQueryKey [0xBA6C8108]
SSDT sphl.sys ZwQueryValueKey [0xBA6C7F88]
SSDT sphl.sys ZwSetValueKey [0xBA6C819A]

---- Kernel code sections - GMER 1.0.14 ----

? sphl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B92B662C 5 Bytes JMP 89DDF1D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1852] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3232] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6AB046] sphl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6AB142] sphl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6AB0C4] sphl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6AB7CE] sphl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6AB6A4] sphl.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89DDE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 888CB500
Device \Driver\usbuhci \Device\USBPDO-0 893111F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E501F8
Device \Driver\dmio \Device\DmControl\DmConfig 89E501F8
Device \Driver\dmio \Device\DmControl\DmPnP 89E501F8
Device \Driver\dmio \Device\DmControl\DmInfo 89E501F8
Device \Driver\usbuhci \Device\USBPDO-1 893111F8
Device \Driver\usbuhci \Device\USBPDO-2 893111F8
Device \Driver\usbuhci \Device\USBPDO-3 893111F8
Device \Driver\usbehci \Device\USBPDO-4 892FA1F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\NetBT \Device\NetBT_Tcpip_{120175C7-A5DE-4402-9564-0E81A511AD8F} 8893E1F8
Device \Driver\usbstor \Device\00000072 889211F8
Device \Driver\atapi \Device\Ide\IdePort0 89E4F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89E4F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89E4F1F8
Device \Driver\usbstor \Device\00000075 889211F8
Device \Driver\usbstor \Device\00000076 889211F8
Device \Driver\usbstor \Device\00000077 889211F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8893E1F8
Device \Driver\usbstor \Device\00000078 889211F8
Device \Driver\NetBT \Device\NetbiosSmb 8893E1F8
Device \Driver\usbstor \Device\0000006b 889211F8
Device \Driver\usbuhci \Device\USBFDO-0 893111F8
Device \Driver\usbuhci \Device\USBFDO-1 893111F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88931500
Device \Driver\usbstor \Device\0000007b 889211F8
Device \Driver\usbuhci \Device\USBFDO-2 893111F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88931500
Device \Driver\usbuhci \Device\USBFDO-3 893111F8
Device \Driver\usbehci \Device\USBFDO-4 892FA1F8
Device \Driver\Ftdisk \Device\FtControl 89DE11F8
Device \FileSystem\Fastfat \Fat 888CB500

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 89320500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0[email protected] 0x23 0x0C 0xD3 0x09 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0[email protected] 0x23 0x0C 0xD3 0x09 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6A 0x61 0x6D 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6A 0x61 0x6D 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6A 0x61 0x62 0x67 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6D 0x61 0x6D 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6F 0x61 0x66 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x66 0x61 0x62 0x64 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x69 0x61 0x66 0x63 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x66 0x61 0x65 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{77DC1A39-F0B6-206E-C977-3FC350D757AC}\[email protected] 0x6F 0x61 0x6C 0x63 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] C:\PROGRA~1\MICROS~2\Office\OUTLLIB.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{EB9A3602-1A27-35A0-22AE-35C6E60CA4B0}\[email protected] 10!!!gxsf(Ng]qF`H{LsOUTLOOKFiles>ToT]jI{jf(=1&L[-81-]?

---- EOF - GMER 1.0.14 ----
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Your computer looks fine.

The way these types of e-male worms propegate is by getting into your system then collecting your addresses from your address book and sending e-mails to all of those people. Usually something generic, like "look at this" or "something funny I saw" with a link in that e-mail, which when clicked will download and do the same thing, and over and over. This is why e-mail worms spread so quickly. In your case that doesn't appear to be whats happening. All your scans look fine, actually very good.

Am having problem with large numbers of emails coming in and then they "stick" as though one refuses to download completely thus holding up all the others behind it. Seems to ocur when people send me pictues either large downloads or numerous pictues to download.

This is usually normal as pictures arre much bigger than a simple text e-mail. The sticking should not happen though

Why is it some emails I get with pictures I receive I cannot copy/paste, save to desktop, save to notepad/ms word. Attempts to do so will produce emails with red Xs instead of pictures or I get messages of: 'cannot find archieve for this file' 'some pictures will not be sent on' 'cannot find association for this file'. Seems to happens both with attachments and embedded material.

I have an idea on all three error messages, but I no longer use outlook. Someone with more experience with it should help you with that. My specialty is malware (Nice choice with NOD32 by the way :) )

Do you have any questions?
  • 0

#11
nondaj

nondaj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 412 posts
Many many thanks for all your time and work on my email issue. Huge relief that all is well with my computer. I think I have narrowed down the problem - my son works in a lab for a research hospital and the staff emails each other and friends all kinds of jokes all the time. One email I got from a person who wondered who I was has a friend that works in the SAME lab! So putting two and two together it seems none of the staff have the time to do any cleaning of emails - they just simply forward on to all their recipients. How things get so confused around emails going to wrong people am not clear but am sure that is what is going on. So need to tackle the problem there and just keep on keepin on.

Re my other issues will cast about for email program help.

Again thanks so much for your help. Now should I go ahead and delete all the downloads that I have been instructed to use etc. such as all the Hi-Jack files, daft.exe and dss.ex plus gmer.ex? I would not know how to use or interpret.
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts

Again thanks so much for your help. Now should I go ahead and delete all the downloads that I have been instructed to use etc. such as all the Hi-Jack files, daft.exe and dss.ex plus gmer.ex? I would not know how to use or interpret.

Yes, you need to uninstall Hijackthis via control panel add/remove programs, the rest you can just delete.

Glad you got your problem resolved and your very welcome for the help :)
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP