
Please Check Log! Urgent [Resolved]


This topic is locked

#1 killer12 (Member, 65 posts)
Just today I received an email on my computer that says my eBay account has been blocked because it has been compromised by outside parties. I have no knowledge of this, or even that I have an eBay account for this email. Please look through my log to see if there is anything. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 8:21:05 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\PROGRA~1\AIM\aim.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\SavRoam.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\SmartFTP Client\SmartFTP.exe
D:\Program Files\Avant Browser\avant.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
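A helper reading a log like the one above goes through it entry by entry: which section code each line belongs to (R0/R1 browser settings, O2 BHOs, O4 autostarts, O16 downloaded ActiveX controls, O20 Winlogon Notify DLLs, O23 services), what file or URL it points at, and whether anything is obviously off, such as a reference to a file that no longer exists, an autostart that names an executable without a directory, a service with no recorded owner, or a control fetched from a remote site. The following is an added example, not code from this thread and not part of HijackThis: a small parser for the log format together with those first-pass checks. The sample lines are copied from the log in this post, except for one O16 entry marked as constructed, whose CLSID and URL are placeholders.

```python
"""Parse HijackThis entries and flag the ones a helper looks at first.

Added example, not code from the thread and not part of HijackThis. The sample
lines are copied from the log posted above, except the O16 entry marked as
constructed, whose CLSID and URL are placeholders.
"""
import re

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Scanner Object) - http://scanner.example-vendor.test/webscan.cab
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_MISSING = "(file missing)"


def parse_hjt(text):
    """Turn each 'Oxx - ...' / 'Rx - ...' line into a dict; skip everything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank lines and the process list are not entries
        code, rest = m.group("code"), m.group("rest")
        flags = []
        if rest.endswith(FILE_MISSING):
            flags.append("file missing")
            rest = rest[: -len(FILE_MISSING)].rstrip()
        clsid = CLSID_RE.search(rest)
        entry = {"code": code, "name": rest, "owner": "", "target": "",
                 "flags": flags, "clsid": clsid.group(0) if clsid else ""}
        run = RUN_RE.match(rest) if code == "O4" else None
        if run:                                          # O4: [value name] command line
            entry["name"], entry["target"] = run.group("name"), run.group("cmd")
        elif code.startswith("R") and " = " in rest:     # R0/R1: registry value = data
            entry["name"], entry["target"] = rest.split(" = ", 1)
        else:                                            # 'description - {clsid} - path'
            fields = [f.strip() for f in rest.split(" - ")]
            entry["name"], entry["target"] = fields[0], fields[-1]
            if code == "O23" and len(fields) >= 3:       # O23 carries the vendor in the middle
                entry["owner"] = fields[1]
        entry["target"] = entry["target"].strip().strip('"')
        entries.append(entry)
    return entries


def triage(entries):
    """Return (code, reason, target) for the entries worth checking by hand."""
    findings = []
    for e in entries:
        first = e["target"].split()[0] if e["target"] else ""
        if "file missing" in e["flags"]:
            findings.append((e["code"], "file_missing", e["target"]))
        if first.lower().endswith(".exe") and "\\" not in first and "/" not in first:
            # No directory given: which file actually runs depends on the search
            # path, so the helper verifies where this name resolves to.
            findings.append((e["code"], "bare_filename", first))
        if e["target"].lower().startswith(("http://", "https://")):
            findings.append((e["code"], "remote_activex", e["target"]))
        if e["code"] == "O20":
            # Winlogon Notify DLLs load into winlogon at every logon: always verify.
            findings.append((e["code"], "winlogon_notify", e["target"]))
        if e["code"] == "O23" and e["owner"].lower() == "unknown owner":
            findings.append((e["code"], "unknown_owner", e["target"]))
    return findings


if __name__ == "__main__":
    for code, reason, target in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:4} {reason:16} {target}")
```

The checks are deliberately conservative: they say "look here", not "this is malware". Every flagged entry in the sample is benign on inspection (xpnetdiag is a Windows component, NavLogon belongs to Symantec, ati2sgag to ATI), which is exactly why a helper reads the flagged lines rather than fixing them blindly. Note that the ShellNext entry the helper asked to have fixed in the next post is picked up by the bare-filename check, because its data is an executable name without a directory.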


#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

I would expect that the email you received is spam, and not a real warning from eBay. Have a look at the message headers and post them here for me.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

After that, Reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's see if there is anything hidden inside your machine:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, please run an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Regards,
RatHat
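The helper's first point, that the "account blocked" email is probably spam and the message headers will show it, is the one a defender should take from this thread: the From line is just text the sender typed, while Return-Path, the Received chain written by each relay, Reply-To, Message-ID and the link targets are much harder to keep consistent with a forged sender. The following is an added example, not code from the thread, that parses raw headers with Python's standard `email` module and cross-checks those fields against the displayed From domain. Both messages in it are constructed for illustration; every hostname, address and IP literal in them is a placeholder, not a real indicator.

```python
"""Check who really sent an 'account has been blocked' notice by reading the
message headers, which is what the helper asked for.

Added example, not code from the thread. Both messages below are constructed;
every hostname, address and IP in them is a placeholder, not a real indicator.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing-style notice: From claims eBay, but the envelope sender,
# the originating relay, the Reply-To and the link all point somewhere else.
SUSPECT_RAW = """\
Return-Path: <bounce@mailer-placeholder.example.net>
Received: from relay.example-isp.test (relay.example-isp.test [192.0.2.10])
\tby mx.recipient.example; Mon, 1 Oct 2007 18:02:11 -0400
Received: from unknown (HELO ebay.com) ([198.51.100.7])
\tby relay.example-isp.test; Mon, 1 Oct 2007 18:01:58 -0400
From: "eBay Security" <aw-confirm@ebay.com>
Reply-To: verify@account-check-placeholder.example.net
Message-ID: <20071001220158.123@mailer-placeholder.example.net>
Subject: Your eBay account has been blocked
Content-Type: text/plain

Your account was accessed by a third party. Sign in at
http://ebay.com.security-placeholder.example.net/signin to restore access.
"""

# Constructed legitimate notice for contrast: everything lines up under one domain.
LEGIT_RAW = """\
Return-Path: <notices@example-shop.test>
Received: from mail.example-shop.test (mail.example-shop.test [192.0.2.20])
\tby mx.recipient.example; Mon, 1 Oct 2007 18:05:00 -0400
From: "Shop Notices" <notices@example-shop.test>
Message-ID: <20071001220500.77@mail.example-shop.test>
Subject: Order shipped
Content-Type: text/plain

Track your order at https://www.example-shop.test/orders
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of an address header such as From or Return-Path."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it. Deliberately strict:
    'ebay.com.something-else.example' is NOT under 'ebay.com'."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def received_chain(msg):
    """Each relay prepends its own Received header, so the bottom one is the
    origin. Return hops origin-first with the 'from' host, the parenthesised
    detail (reverse DNS or HELO name) and the first IP literal."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        ip = IP_RE.search(flat)
        hops.append({"from_host": (m.group(1) if m else "").lower(),
                     "detail": (m.group(2) or "") if m else "",
                     "ip": ip.group(1) if ip else ""})
    return hops


def analyze_headers(raw_message):
    """Cross-check the displayed sender against envelope, routing and body links.
    Returns the extracted fields plus a list of (code, explanation) findings."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    msg_id = (msg.get("Message-ID") or "").strip().strip("<>")
    body = msg.get_payload() if not msg.is_multipart() else ""
    r = {"from_domain": from_domain,
         "return_path_domain": domain_of(msg.get("Return-Path")),
         "reply_to_domain": domain_of(msg.get("Reply-To")),
         "message_id_domain": msg_id.rpartition("@")[2].lower(),
         "hops": received_chain(msg),
         "link_hosts": [h.lower() for h in URL_HOST_RE.findall(body)],
         "findings": []}
    f = r["findings"]
    # Bounces go to Return-Path; a forged sender cannot receive them at the claimed domain.
    if r["return_path_domain"] and not same_org(r["return_path_domain"], from_domain):
        f.append(("return_path_mismatch", f"bounces go to {r['return_path_domain']}, not {from_domain}"))
    # Reply-To silently redirects replies away from the displayed sender.
    if r["reply_to_domain"] and not same_org(r["reply_to_domain"], from_domain):
        f.append(("reply_to_mismatch", f"replies go to {r['reply_to_domain']}, not {from_domain}"))
    # Message-ID is generated by the sending system; weak alone, strong with the above.
    if r["message_id_domain"] and not same_org(r["message_id_domain"], from_domain):
        f.append(("message_id_mismatch", f"Message-ID generated at {r['message_id_domain']}"))
    # A real mail server normally has reverse DNS; 'unknown' means the first relay
    # could not verify the host, and the HELO name is whatever the client said.
    if r["hops"]:
        o = r["hops"][0]
        if o["from_host"] in ("", "unknown") or "." not in o["from_host"]:
            f.append(("unverified_origin", f"origin {o['ip'] or '?'} unverified ({o['detail'] or 'no detail'})"))
    # Link hosts not under the From domain, including 'ebay.com.<other>' look-alikes.
    for host in r["link_hosts"]:
        if not same_org(host, from_domain):
            f.append(("link_offdomain", f"link host {host} is not under {from_domain}"))
    return r


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("legit", LEGIT_RAW)):
        print(label, [code for code, _ in analyze_headers(raw)["findings"]])
```

In a mail client the raw headers are usually behind a "view source" or "show original" option; paste the full header block in, not just the From line. The Received chain is the part worth trusting most: the relay nearest the recipient (the top header) wrote its line itself, whereas everything the origin claimed about itself, including the HELO name, is unverified text.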

#3 killer12 (Topic Starter, Member, 65 posts)
What did you mean by "look at the message headers and post them here"?
Thanks for helping me.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 01, 2007 6:13:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 2/10/2007
Kaspersky Anti-Virus database records: 426104
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 27055
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:25:45

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7DB52C6E-E2AF-404B-907D-8DFCA38F9581}\RP28\change.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
D:\Documents and Settings\Harry\Application Data\Aim\xaisqazm\yugispy\cert8.db Object is locked skipped
D:\Documents and Settings\Harry\Application Data\Aim\xaisqazm\yugispy\key3.db Object is locked skipped
D:\Documents and Settings\Harry\Application Data\MailFrontier\ASD.log Object is locked skipped
D:\Documents and Settings\Harry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
D:\Documents and Settings\Harry\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Harry\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Harry\Local Settings\History\History.IE5\MSHist012007100120071002\index.dat Object is locked skipped
D:\Documents and Settings\Harry\Local Settings\Temp\~DF283E.tmp Object is locked skipped
D:\Documents and Settings\Harry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Harry\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Harry\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
D:\Program Files\Symantec AntiVirus\SAVRT205NAV~.TMP Object is locked skipped
D:\Program Files\Symantec AntiVirus\SAVRT900NAV~.TMP Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7DB52C6E-E2AF-404B-907D-8DFCA38F9581}\RP28\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\HARRY-3A332A758.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
D:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\Temp\ZLT037a9.TMP Object is locked skipped
D:\WINDOWS\Temp\ZLT05faa.TMP Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Deckard's System Scanner v20070905.67
Run by Harry on 2007-10-01 17:26:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
28: 2007-10-01 21:26:14 UTC - RP28 - Deckard's System Scanner Restore Point
27: 2007-10-01 20:19:55 UTC - RP27 - System Checkpoint
26: 2007-09-30 15:28:58 UTC - RP26 - Installed SUPERAntiSpyware Free Edition
25: 2007-09-30 15:11:56 UTC - RP25 - Software Distribution Service 3.0
24: 2007-09-29 23:50:13 UTC - RP24 - Installed MapleStory.


-- First Restore Point --
1: 2007-09-29 16:45:43 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Harry.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-01 17:27:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
D:\WINDOWS\system32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Symantec AntiVirus\VPTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\SavRoam.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
D:\WINDOWS\system32\svchost.exe
D:\Documents and Settings\Harry\Desktop\dss.exe
D:\Program Files\Hijackthis\Harry.exe

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra 'Tools' menuitem: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_02) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe


-- HijackThis Fixed Entries (D:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20071001-171842-183 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - d:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - d:\program files\superantispyware\saskutil.sys
R2 npkcrypt - d:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 npkcusb - d:\nexon\maplestory\npkcusb.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 SASENUM - d:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 ADIHdAudAddService (ADI UAA Function Driver for High Definition Audio Service) - d:\windows\system32\drivers\adihdaud.sys (file missing)
S3 AEAudioService (AEAudio Service) - d:\windows\system32\drivers\aeaudio.sys (file missing)
S3 SenFiltService (SenFilt Service) - d:\windows\system32\drivers\senfilt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&CF81C54&0&08F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&CF81C54&0&08F0
Service:


-- Files created between 2007-09-01 and 2007-10-01 -----------------------------

2007-10-01 17:19:18 0 d-------- D:\WINDOWS\system32\LogFiles
2007-10-01 17:12:13 0 dr-h----- D:\Documents and Settings\Harry\Recent
2007-09-30 11:29:05 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-30 11:28:59 0 d-------- D:\Program Files\SUPERAntiSpyware
2007-09-30 11:28:59 0 d-------- D:\Documents and Settings\Harry\Application Data\SUPERAntiSpyware.com
2007-09-30 11:28:40 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-09-30 11:11:18 118784 --a------ D:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-09-30 11:11:17 0 d-------- D:\Program Files\SpywareBlaster
2007-09-29 21:36:36 0 d-------- D:\Documents and Settings\Harry\Application Data\WinRAR
2007-09-29 19:52:38 0 d-------- D:\Documents and Settings\Harry\Application Data\Nexon
2007-09-29 19:52:00 4682 --a------ D:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-09-29 19:50:14 0 d-------- D:\Nexon
2007-09-29 19:24:41 0 d-------- D:\Program Files\Symantec
2007-09-29 19:23:53 0 d-------- D:\Program Files\Symantec AntiVirus
2007-09-29 19:23:53 0 d-------- D:\Program Files\Common Files\Symantec Shared
2007-09-29 19:23:53 0 d-------- D:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 19:23:32 0 d-------- D:\Documents and Settings\All Users\Application Data\Avg7
2007-09-29 19:23:28 0 d-------- D:\Documents and Settings\Harry\Application Data\InstallShield
2007-09-29 17:30:12 0 d-------- D:\Program Files\Valve
2007-09-29 16:02:11 0 d-------- D:\WINDOWS\system32\ActiveScan
2007-09-29 15:24:34 0 d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-29 15:24:32 0 d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-09-29 14:13:14 0 d-------- D:\Documents and Settings\Harry\Application Data\SmartFTP
2007-09-29 14:10:58 0 d-------- D:\Documents and Settings\Harry\Application Data\MailFrontier
2007-09-29 14:05:10 1851168 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2007-09-29 14:01:39 0 d-------- D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-29 14:01:30 4212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2007-09-29 14:01:24 11264 --a------ D:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-09-29 14:01:07 0 d-------- D:\WINDOWS\system32\ZoneLabs
2007-09-29 14:00:46 0 d-------- D:\WINDOWS\Internet Logs
2007-09-29 13:47:01 0 d-------- D:\WINDOWS\Sun
2007-09-29 13:47:01 0 d-------- D:\Documents and Settings\Harry\Application Data\Sun
2007-09-29 13:46:07 0 d-------- D:\Program Files\Java
2007-09-29 13:42:48 0 d-------- D:\Program Files\Common Files\Java
2007-09-29 13:41:51 0 d-------- D:\Documents and Settings\Harry\Application Data\Macromedia
2007-09-29 13:41:07 0 d-------- D:\Documents and Settings\Harry\Application Data\Aim
2007-09-29 13:41:00 0 d-------- D:\Program Files\Common Files\AOL
2007-09-29 13:40:59 0 d-------- D:\Program Files\Viewpoint
2007-09-29 13:40:59 0 d-------- D:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-29 13:40:58 0 d-------- D:\Program Files\AOD
2007-09-29 13:40:53 0 d-------- D:\Program Files\AIM
2007-09-29 13:39:55 0 d-------- D:\Program Files\Yahoo!
2007-09-29 13:39:49 0 d-------- D:\Program Files\CCleaner
2007-09-29 13:38:52 0 d-------- D:\Documents and Settings\Harry\Application Data\Avant Profiles
2007-09-29 13:32:10 0 d-------- D:\WINDOWS\network diagnostic
2007-09-29 13:24:32 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-29 13:23:09 0 d--hs---- D:\Documents and Settings\Harry\UserData
2007-09-29 13:21:28 0 d-------- D:\Documents and Settings\Harry\Application Data\ATI
2007-09-29 13:19:45 0 d-------- D:\Program Files\SmartFTP Client
2007-09-29 13:19:22 0 d-------- D:\Program Files\Avant Browser
2007-09-29 13:15:39 0 d-------- D:\Program Files\Combined Community Codec Pack
2007-09-29 13:14:36 0 d-------- D:\WINDOWS\RegisteredPackages
2007-09-29 13:07:37 0 d-------- D:\Program Files\Common Files\ATI Technologies
2007-09-29 13:02:11 520192 -----n--- D:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-09-29 13:01:42 0 d-------- D:\Program Files\ATI Technologies
2007-09-29 12:56:07 0 d-------- D:\WINDOWS\system32\PreInstall
2007-09-29 12:52:06 0 d-------- D:\WINDOWS\system32\SoftwareDistribution
2007-09-29 12:51:31 0 d-------- D:\WINDOWS\system32\Attansic
2007-09-29 12:51:28 0 d-------- D:\Program Files\Attansic
2007-09-29 12:50:21 23552 -ra------ D:\WINDOWS\system32\PostProc.dll <Not Verified; Analog Devices, Inc.; SoundMAX coinstaller>
2007-09-29 12:50:21 65536 -----n--- D:\WINDOWS\system32\a3d.dll <Not Verified; Sensaura Ltd; Sensaura>
2007-09-29 12:50:02 0 d--h----- D:\Program Files\InstallShield Installation Information
2007-09-29 12:48:30 0 d-------- D:\Program Files\Common Files\InstallShield
2007-09-29 12:47:37 0 d-------- D:\WINDOWS\system32\ReinstallBackups
2007-09-29 12:47:36 0 d-------- D:\Program Files\Intel
2007-09-29 12:46:56 5824 --a------ D:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-09-29 12:45:32 0 d-------- D:\Documents and Settings\Harry\Application Data\Identities
2007-09-29 12:45:25 0 d--h----- D:\Documents and Settings\Harry\Templates
2007-09-29 12:45:25 0 dr------- D:\Documents and Settings\Harry\Start Menu
2007-09-29 12:45:25 0 dr-h----- D:\Documents and Settings\Harry\SendTo
2007-09-29 12:45:25 0 d--h----- D:\Documents and Settings\Harry\PrintHood
2007-09-29 12:45:25 1835008 --ah----- D:\Documents and Settings\Harry\NTUSER.DAT
2007-09-29 12:45:25 0 d--h----- D:\Documents and Settings\Harry\NetHood
2007-09-29 12:45:25 0 dr------- D:\Documents and Settings\Harry\My Documents
2007-09-29 12:45:25 0 d--h----- D:\Documents and Settings\Harry\Local Settings
2007-09-29 12:45:25 0 dr------- D:\Documents and Settings\Harry\Favorites
2007-09-29 12:45:25 0 d-------- D:\Documents and Settings\Harry\Desktop
2007-09-29 12:45:25 0 d--hs---- D:\Documents and Settings\Harry\Cookies
2007-09-29 12:45:25 0 dr-h----- D:\Documents and Settings\Harry\Application Data
2007-09-29 12:44:44 0 d-------- D:\WINDOWS\SoftwareDistribution
2007-09-29 12:44:43 0 d-------- D:\WINDOWS\Prefetch
2007-09-29 12:44:42 0 d---s---- D:\WINDOWS\system32\Microsoft
2007-09-29 12:44:41 262144 --ah----- D:\Documents and Settings\LocalService\NTUSER.DAT
2007-09-29 12:44:41 0 d--h----- D:\Documents and Settings\LocalService\Local Settings
2007-09-29 12:44:41 0 d--hs---- D:\Documents and Settings\LocalService\Cookies
2007-09-29 12:44:41 0 d-------- D:\Documents and Settings\LocalService\Application Data
2007-09-29 12:44:41 0 d---s---- D:\Documents and Settings\LocalService\Application Data\Microsoft
2007-09-29 12:44:29 225280 --ah----- D:\Documents and Settings\NetworkService\NTUSER.DAT
2007-09-29 12:44:29 0 d--h----- D:\Documents and Settings\NetworkService\Local Settings
2007-09-29 12:44:29 0 d--hs---- D:\Documents and Settings\NetworkService\Cookies
2007-09-29 12:44:29 0 d-------- D:\Documents and Settings\NetworkService\Application Data
2007-09-29 12:44:29 0 d---s---- D:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-09-29 12:42:09 0 d-------- D:\WINDOWS\system32\xircom
2007-09-29 12:42:09 0 d-------- D:\Program Files\microsoft frontpage
2007-09-29 12:42:07 225280 ---h----- D:\Documents and Settings\Default User\NTUSER.DAT
2007-09-29 12:42:05 0 d--h----- D:\WINDOWS\$hf_mig$
2007-09-29 12:41:09 0 d--hs---- D:\Documents and Settings\All Users\DRM
2007-09-29 12:41:02 0 dr------- D:\WINDOWS\Offline Web Pages
2007-09-29 12:41:02 0 d---s---- D:\WINDOWS\Downloaded Program Files
2007-09-29 12:40:53 0 d--h----- D:\Program Files\WindowsUpdate
2007-09-29 12:40:36 0 d-------- D:\WINDOWS\system32\DirectX
2007-09-29 12:40:06 0 d---s---- D:\WINDOWS\Tasks
2007-09-29 12:40:05 0 d-------- D:\Program Files\Common Files\MSSoap
2007-09-29 12:40:01 0 d-------- D:\WINDOWS\system32\Macromed
2007-09-29 12:40:01 0 d-------- D:\WINDOWS\srchasst
2007-09-29 12:39:54 0 d-------- D:\Program Files\Movie Maker
2007-09-29 12:39:47 0 d-------- D:\WINDOWS\system32\Restore
2007-09-29 12:39:32 21640 --a------ D:\WINDOWS\system32\emptyregdb.dat
2007-09-29 12:39:17 0 d-------- D:\WINDOWS\Registration
2007-09-29 12:38:53 0 d-------- D:\Program Files\Online Services
2007-09-29 12:38:49 0 d-------- D:\Program Files\Messenger
2007-09-29 12:38:45 0 d-------- D:\Program Files\MSN Gaming Zone
2007-09-29 12:38:10 0 d-------- D:\Program Files\Windows NT
2007-09-29 12:38:07 0 d-------- D:\WINDOWS\system32\MsDtc
2007-09-29 12:38:06 0 d-------- D:\WINDOWS\system32\Com
2007-09-29 08:33:57 0 d--hs---- D:\WINDOWS\Installer
2007-09-29 08:33:56 0 d-------- D:\Program Files\Common Files\ODBC
2007-09-29 08:33:53 0 dr------- D:\Program Files
2007-09-29 08:33:53 0 d-------- D:\Program Files\Common Files
2007-09-29 08:33:53 0 d-------- D:\Program Files\Common Files\SpeechEngines
2007-09-29 08:33:28 0 d--h----- D:\Documents and Settings\Default User\Templates
2007-09-29 08:33:28 0 dr------- D:\Documents and Settings\Default User\Start Menu
2007-09-29 08:33:28 0 dr-h----- D:\Documents and Settings\Default User\SendTo
2007-09-29 08:33:28 0 d--h----- D:\Documents and Settings\Default User\Recent
2007-09-29 08:33:28 0 d--h----- D:\Documents and Settings\Default User\PrintHood
2007-09-29 08:33:28 0 d--h----- D:\Documents and Settings\Default User\NetHood
2007-09-29 08:33:28 0 d-------- D:\Documents and Settings\Default User\My Documents
2007-09-29 08:33:28 0 dr-h----- D:\Documents and Settings\Default User\Local Settings
2007-09-29 08:33:28 0 d-------- D:\Documents and Settings\Default User\Favorites
2007-09-29 08:33:28 0 d-------- D:\Documents and Settings\Default User\Desktop
2007-09-29 08:33:28 0 d---s---- D:\Documents and Settings\Default User\Cookies
2007-09-29 08:33:28 0 d--h----- D:\Documents and Settings\All Users\Templates
2007-09-29 08:33:28 0 dr------- D:\Documents and Settings\All Users\Start Menu
2007-09-29 08:33:28 0 d-------- D:\Documents and Settings\All Users\Favorites
2007-09-29 08:33:28 0 dr------- D:\Documents and Settings\All Users\Documents
2007-09-29 08:33:28 0 d-------- D:\Documents and Settings\All Users\Desktop
2007-09-29 08:33:17 0 d-------- D:\WINDOWS\system32\CatRoot2
2007-09-29 08:33:17 0 d-------- D:\WINDOWS\system32\CatRoot
2007-09-29 08:33:11 0 dr-h----- D:\Documents and Settings\Default User\Application Data
2007-09-29 08:33:11 0 d---s---- D:\Documents and Settings\Default User\Application Data\Microsoft
2007-09-29 08:33:11 0 dr-h----- D:\Documents and Settings\All Users\Application Data
2007-09-29 08:33:11 0 d---s---- D:\Documents and Settings\All Users\Application Data\Microsoft
2007-09-29 08:32:50 0 d--hs---- D:\System Volume Information
2007-09-29 08:32:50 0 d-------- D:\Documents and Settings
2007-09-29 08:26:42 0 d-------- D:\WINDOWS
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\WinSxS
2007-09-29 08:26:42 0 dr------- D:\WINDOWS\Web
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\twain_32
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\wins
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\wbem
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\usmt
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\spool
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\ShellExt
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\Setup
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\ras
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\oobe
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\npp
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\mui
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\inetsrv
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\IME
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\icsxml
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\ias
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\export
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\drivers
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\drivers\etc
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\drivers\disdn
2007-09-29 08:26:42 0 dr-hs--c- D:\WINDOWS\system32\dllcache
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\dhcp
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\config
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\3com_dmi
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\3076
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\2052
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1054
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1042
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1041
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1037
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1033
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1031
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1028
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system32\1025
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\system
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\security
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Resources
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\repair
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Provisioning
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\PeerNet
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\pchealth
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\mui
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\msapps
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\msagent
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Media
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\java
2007-09-29 08:26:42 0 d--h----- D:\WINDOWS\inf
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\ime
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Help
2007-09-29 08:26:42 0 dr--s---- D:\WINDOWS\Fonts
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Driver Cache
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Debug
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Cursors
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Connection Wizard
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\Config
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\AppPatch
2007-09-29 08:26:42 0 d-------- D:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-09-29 08:33:28 62 --ahs---- D:\Documents and Settings\Harry\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [10/27/2004 03:21 PM D:\WINDOWS\system32\HdAShCut.exe]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 04:14 PM]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/21/2006 05:38 PM]
"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [03/14/2007 07:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [02/28/2006 08:00 AM]
"AIM"="D:\PROGRA~1\AIM\aim.exe" [08/01/2006 03:35 PM]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll




-- End of Deckard's System Scanner: finished at 2007-10-01 17:30:13 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1023.11 MiB / 557.94 MiB
Pagefile Memory (total/avail): 2461.9 MiB / 2032.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.29 MiB

C: is Fixed (NTFS) - 38 GiB total, 21.28 GiB free.
D: is Fixed (NTFS) - 108.59 GiB total, 97.57 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 - Extended w/Extended Int 13 - 108.59 GiB - D:
\PARTITION2 (bootable) - Installable File System - 38 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Security Suite Firewall v7.0.408.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.408.000 (Check Point, LTD.) Disabled
AV: Symantec AntiVirus Corporate Edition v10.1.6.6000 (Symantec Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="D:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Avant Browser\\avant.exe"="D:\\Program Files\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"D:\\Program Files\\AIM\\aim.exe"="D:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\Harry\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=HARRY-3A332A758
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\Harry
LOGONSERVER=\\HARRY-3A332A758
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=040a
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\Harry\LOCALS~1\Temp
TMP=D:\DOCUME~1\Harry\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=HARRY-3A332A758
USERNAME=Harry
USERPROFILE=D:\Documents and Settings\Harry
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Harry (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> D:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
AOL Instant Messenger --> D:\Program Files\AIM\uninstll.exe -LOG= D:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "D:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
ATI - Software Uninstall Utility --> D:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 D:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
Attansic Giga Ethernet Utility --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime700\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9
Attansic L1 Gigabit Ethernet Driver --> rundll32.exe D:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst D:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
Avant Browser (remove only) --> "D:\Program Files\Avant Browser\uninst.exe"
AVIVO Codecs --> MsiExec.exe /X{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}
CCleaner (remove only) --> "D:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2007-07-22 --> "D:\Program Files\Combined Community Codec Pack\unins000.exe"
Counter-Strike™ --> MsiExec.exe /I{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A}
High Definition Audio Driver Package - KB888111 --> D:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
Hijackthis 1.99.1 --> "D:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> D:\Program Files\Hijackthis\HijackThis.exe /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Online Scanner --> D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 3.1 (Symantec Corporation) --> "D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
MapleStory --> MsiExec.exe /I{9DA92370-2929-4A4D-B3DF-B1651D77C6AA}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Panda ActiveScan --> D:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SpywareBlaster v3.5.1 --> "D:\Program Files\SpywareBlaster\unins000.exe"
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{50E125D1-88E5-48CE-80AE-98EC9698E639}
Viewpoint Media Player --> D:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> D:\WINDOWS\system32\regsvr32 /u D:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> D:\PROGRA~1\Yahoo!\Common\unyt.exe
ZoneAlarm Security Suite --> D:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type230 / Warning
Event Submitted/Written: 09/29/2007 09:41:30 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside D:\Documents and Settings\Harry\Desktop\PspStuff\JeaDArcUSA.part1.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type229 / Warning
Event Submitted/Written: 09/29/2007 09:41:30 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside D:\Documents and Settings\Harry\Desktop\PspStuff\JeaDArcUSA.part7.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type228 / Warning
Event Submitted/Written: 09/29/2007 09:41:30 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside D:\Documents and Settings\Harry\Desktop\PspStuff\JeaDArcUSA.part6.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type227 / Warning
Event Submitted/Written: 09/29/2007 09:41:30 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside D:\Documents and Settings\Harry\Desktop\PspStuff\JeaDArcUSA.part5.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type226 / Warning
Event Submitted/Written: 09/29/2007 09:41:30 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside D:\Documents and Settings\Harry\Desktop\PspStuff\JeaDArcUSA.part4.rar due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type605 / Warning
Event Submitted/Written: 09/30/2007 00:16:02 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type604 / Warning
Event Submitted/Written: 09/29/2007 09:32:23 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type603 / Warning
Event Submitted/Written: 09/29/2007 08:53:33 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type602 / Warning
Event Submitted/Written: 09/29/2007 08:31:19 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type549 / Warning
Event Submitted/Written: 09/29/2007 07:29:27 PM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to reboot HARRY-3A332A758 failed



-- End of Deckard's System Scanner: finished at 2007-10-01 17:30:13 ------------
  • 0

#4
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi Harry,

Well firstly, your log is clean, though I would like you to do a bit of a cleanup and also remove Viewpoint.

Start off by running ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Click to download ViewpointKiller
  • Unzip all of the contents of "ViewpointKiller.zip" to a location such as your desktop
  • Browse to the folder that contains ViewpointKiller and double click ViewpointKiller.exe
  • Select the "File" menu, and select "Check to see if you have Viewpoint installed"
  • If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu
Note: Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

When ViewpointKiller has completed it will open a log for you, please paste the contents in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's check the security of important software to see whether you need to download any additional updates.

Program Updates
  • Go to the Secunia Software Inspector website
  • Click the Start Now button, allow the Java applet to load, and open to the scan page
  • Make sure you check the Enable thorough system inspection located under the Start button
  • Click the Start button to run the scan (this will take about five minutes)
  • When the scan has completed, read the report and update your programs as shown
Note: Links to the program updates are included in the report

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I note that you have a good AV, AS and firewall so you are good to go there.

Now, regarding the email header: open your email program, locate the message from "Ebay" and right-click on it. Choose Properties, then Message Source or Details. You should see something like the following:

Received: from n-cdhq-util.com (172.164.15.22) by
n-cdhq-ex1.com (172.164.15.21) with Microsoft SMTP Server id
8.0.744.0; Thu, 13 Sep 2007 14:53:06 -0500
Received: from cprkukabzms02.uk.cprk.com
(no-dns-yet.demon.co.uk[212.240.134.50]) by n-cdhq-util.com with
MailMarshal (v6,2,1,3252) id <B46e9945d0003>; Thu, 13 Sep 2007 14:46:41 -0500
From: ** UK - Noc <[email protected]>
CC: ** UK - Noc <[email protected]>
Content-Class: urn:content-classes:message
Date: Thu, 13 Sep 2007 14:53:00 -0500
Subject: T12_Sun_Outages


This will allow us to see where the email came from and determine if it was spam.

Regards,
RatHat
  • 0
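The Received-chain reading RatHat describes, as an added Python example that is not part of this thread or of any tool mentioned in it: it parses a constructed header shaped like the eBay message posted here, walks the hops in transit order, separates the one IP the recipient's own server observed from the earlier (forgeable) hops, and flags the sender-domain mismatches a phish usually shows. All addresses and IPs in the sample are documentation placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header, shaped like the "eBay suspension" message posted in
# this thread. Every address and IP is a documentation placeholder, not a real one.
SAMPLE_HEADERS = """\
X-Originating-IP: [198.51.100.27]
Return-Path: <bounce@webmail.example.net>
Authentication-Results: mta.example.org from=e-bay.example.net; domainkeys=neutral (no sig)
Received: from 198.51.100.27 (HELO qmail-wm.example.net) (198.51.100.27) by mta.example.org with SMTP; Sun, 30 Sep 2007 13:31:27 -0700
Received: (qmail 55956 invoked from network); 30 Sep 2007 20:31:26 -0000
Received: from unknown (10.8.7.3) by 0 with QMQP; 30 Sep 2007 20:31:26 -0000
Received: from 203.0.113.5 (proxying for unknown) (SquirrelMail authenticated user mailer@webmail.example.net) by wm3 with HTTP; Sun, 30 Sep 2007 16:31:15 -0400 (EDT)
Subject: FPA NOTICE: eBay Registration Suspension
From: "eBay Account Security" <notice@e-bay.example.net>
Reply-to: collect@e-bay.example.net
User-Agent: SquirrelMail/1.4.4

(body omitted)
"""

# "from <host> (<comment>) ... by <host>" as most MTAs write it; the qmail
# "(qmail NNN invoked from network)" form has no from/by and stays an opaque hop.
RECEIVED_RE = re.compile(r"^from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """RFC 1918 / loopback / link-local: a relay's own back end, never the sender."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_received(value):
    """Reduce one Received header to the relay names and the first IP it records."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(text)
    ips = IP_RE.findall(text)
    return {"from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": ips[0] if ips else None}


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw_headers, brand, brand_domain):
    """Walk the Received chain and list the inconsistencies worth a second look."""
    msg = message_from_string(raw_headers)
    # Each relay prepends its own Received line, so the topmost is the newest;
    # reverse the list to read the path in transit order, origin first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]

    # The IP that connected to the recipient's own MTA (newest hop) is the only
    # one the recipient's server observed itself; every hop below it was written
    # by other parties and can be forged.
    handoff_ip = hops[-1]["ip"] if hops else None
    # Earliest non-internal IP: where the message was first submitted, provided
    # the intermediate relays recorded it honestly.
    client_ip = next((h["ip"] for h in hops if h["ip"] and not is_internal(h["ip"])), None)

    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    x_orig = msg.get("X-Originating-IP", "").strip(" []")
    auth = msg.get("Authentication-Results", "").lower()

    findings = []
    claims_brand = brand in (display + " " + msg.get("Subject", "")).lower()
    if claims_brand and not (from_domain == brand_domain or from_domain.endswith("." + brand_domain)):
        findings.append(("BRAND_MISMATCH", f"claims {brand!r} but From domain is {from_domain}"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(("RETURN_PATH_MISMATCH", f"bounces go to {return_path_domain}, not {from_domain}"))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_to_domain}, not {from_domain}"))
    if auth and "pass" not in auth:
        findings.append(("NO_AUTH_PASS", "sender domain not verified by DomainKeys/DKIM"))
    if x_orig and handoff_ip and x_orig != handoff_ip:
        findings.append(("HANDOFF_DISAGREES", f"X-Originating-IP {x_orig} != newest hop {handoff_ip}"))

    return {"hops": hops, "handoff_ip": handoff_ip, "client_ip": client_ip,
            "from_domain": from_domain, "return_path_domain": return_path_domain,
            "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS, brand="ebay", brand_domain="ebay.com")
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']}")
    print("handed off by", report["handoff_ip"], "; first public client IP", report["client_ip"])
    for code, detail in report["findings"]:
        print(code, "-", detail)
```

Only the newest hop's IP is something the recipient's provider saw for itself; the earlier hops and the X-Originating-IP line are as trustworthy as whoever wrote them, which is why the report keeps the two IPs apart.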

#5
killer12

killer12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 65 posts
I don't know if I provided the right header, but here it is.

From [email protected] Sun Sep 30 13:31:15 2007
X-Apparently-To: [email protected] via 66.163.178.162; Sun, 30 Sep 2007 13:31:27 -0700
X-Originating-IP: [66.244.250.227]
Return-Path: <[email protected]>
Authentication-Results: mta365.mail.mud.yahoo.com from=e.bay.com; domainkeys=neutral (no sig)
Received: from 66.244.250.227 (HELO qmail-wm-norm-0.netfirms.com) (66.244.250.227) by mta365.mail.mud.yahoo.com with SMTP; Sun, 30 Sep 2007 13:31:27 -0700
Received: (qmail 55956 invoked from network); 30 Sep 2007 20:31:26 -0000
Received: from unknown (10.8.7.3) by 0 with QMQP; 30 Sep 2007 20:31:26 -0000
Received: from 205.188.117.197 (proxying for unknown) (SquirrelMail authenticated user [email protected]) by wm3 with HTTP; Sun, 30 Sep 2007 16:31:15 -0400 (EDT)
Message-ID: <44831.205.188.117.197.1191184275.squirrel@wm3>
Date: Sun, 30 Sep 2007 16:31:15 -0400 (EDT)
Subject: FPA NOTICE: eBay Registration Suspension
From: "[email protected]" <[email protected]>
To: [email protected]
Reply-to: [email protected]
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/html;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Content-Length: 6602


Here is the viewpoint thing.

----------------------------------
ViewpointKiller Version 1.22 (beta)

ViewpointKiller is now attempting to remove VIEWPOINT MEDIA PLAYER...
The removal process was started at Tue Oct 02 19:24:46 2007

ViewpointKiller was able to close "aim.exe" successfully.
ViewpointKiller determined that "aolsoftware.exe" was not running.
ViewpointKiller determined that "aim6.exe" was not running.
ViewpointKiller determined that "aol.exe" was not running.
ViewpointKiller determined that "MtsAxInstaller.exe" was not running.
ViewpointKiller determined that "ViewpointService.exe" was not running.


Falling back to alternate "Viewpoint Manager Service" closure...

It appears that the alternate "Viewpoint Manager Service" closure failed, or the service is not running.


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "D:\Program Files".

ViewpointKiller determined that the path "D:\Program Files\Viewpoint\Viewpoint Media Player" does exist.
ViewpointKiller was able to remove the "D:\Program Files\Viewpoint\Viewpoint Media Player" folder successfully.
ViewpointKiller determined that the path "D:\Program Files\Viewpoint\Viewpoint Experience Technology" does not exist.
ViewpointKiller did not find the folder "D:\Program Files\Viewpoint\Viewpoint Experience Technology".
ViewpointKiller determined that the path "D:\Documents and Settings\All Users\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "D:\Documents and Settings\All Users\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "D:\Program Files\MetaStream" does not exist.
ViewpointKiller did not find the folder "D:\Program Files\MetaStream".
ViewpointKiller determined that the path "D:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "D:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint".
ViewpointKiller determined that the path "D:\Program Files\Viewpoint\Common" does exist.
ViewpointKiller was able to remove the "D:\Program Files\Viewpoint\Common" folder successfully.
Finished reporting.
----------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 7:37:06 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\SavRoam.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Symantec AntiVirus\DoScan.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Avant Browser\avant.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar Search - d:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - D:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by killer12, 02 October 2007 - 05:38 PM.

  • 0
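The log above is what the helpers in this thread read by hand. As an added example (not code from the thread, from HijackThis, or from Geeks to Go), here is a small Python triage script that parses lines in the HijackThis v1.99.1 format and flags the entry types a reviewer looks at first: references to files that no longer exist, O23 services with no vendor string, Winlogon Notify DLLs, and autoruns that live outside the Program Files and Windows directories. The sample lines are constructed for the example (modelled on the posted log, with one extra autorun placed in a Temp directory as an illustration of what gets flagged), and the list of "expected" directories is an assumption for this particular D:\ installation.

```python
import re

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the
# posted log. The "updater" entry is an illustrative addition, not from the log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] D:\Documents and Settings\user\Local Settings\Temp\updater.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Assumed set of directories an autorun is expected to live in on this machine
# (Windows installed on D:). Anything else is worth a second look.
EXPECTED_DIRS = ("d:\\program files\\", "d:\\progra~1\\", "d:\\windows\\", "%windir%\\")


def parse_hjt(raw):
    """Split a HijackThis log into entries of the form {section, body}."""
    entries = []
    for line in raw.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def autorun_path(body):
    """Extract the executable path from an O4 entry body ('[name] command')."""
    _, sep, cmd = body.partition("] ")
    if not sep:
        return None
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
    return cmd.split(" ", 1)[0]           # unquoted path, first token


def triage(entries):
    """Return (section, reason, body) tuples for entries that merit review."""
    findings = []
    for e in entries:
        body, low = e["body"], e["body"].lower()
        if "(file missing)" in low:
            findings.append((e["section"], "references a file that no longer exists", body))
        if e["section"] == "O23" and "unknown owner" in low:
            findings.append((e["section"], "service binary carries no vendor string", body))
        if e["section"] == "O20":
            findings.append((e["section"], "Winlogon Notify DLL loads at every logon; verify publisher", body))
        if e["section"] == "O4":
            path = autorun_path(body)
            if path and not path.lower().startswith(EXPECTED_DIRS):
                findings.append((e["section"], "autorun outside Program Files / Windows", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

A finding is a prompt to look closer, not a verdict: the ATI service with "Unknown owner" in the posted log is a legitimate driver helper whose binary simply lacks a company string, which is exactly the kind of entry a human reviewer clears after checking the vendor and path.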

#6
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
In the message header you posted, it states: Received: from 205.188.117.197 (proxying for unknown) (SquirrelMail authenticated user [email protected])

205.188.117.197 is the address for America Online, so that is OK; however, I would strongly suspect that this mail is from a spammer and nothing to worry about as long as you have not clicked on any links or opened any attachments.

Other than this, your log is clean and you are good to go. Enjoy your training, you will learn a lot from it, even if it does seem daunting at the beginning.

I will keep this log open for the next couple of days, so if you have any further problems, post a reply to this thread.

Regards, and good luck,
RatHat

Edited by RatHat, 03 October 2007 - 04:38 AM.

  • 0
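RatHat's reply works from a single Received: header: find the originating hop, pull out its IP address, and see whose network it belongs to. The Python below is an added example (not from the thread or from Geeks to Go) that does the same thing mechanically: it unfolds the header block, walks the Received: chain from the recipient's server back to the origin, and maps the origin address onto a provider. The sample headers are constructed for the example (the second Received: line is modelled on the one quoted in the post; host names and the user address are placeholders), and the provider range is an assumption that stands in for a real WHOIS or RDAP lookup.

```python
import ipaddress
import re

# Constructed sample header block. The second Received: line is modelled on
# the one quoted in the post; everything else is placeholder data.
SAMPLE_HEADERS = """\
Received: from webmail.example.net (webmail.example.net [192.0.2.10])
        by mx.example.org with ESMTP id 1AbC2dE3
Received: from 205.188.117.197 (proxying for unknown) (SquirrelMail authenticated user user@example.com)
        by webmail.example.net with HTTP
From: "Account Security" <security@example.com>
Subject: Your account has been blocked
"""

# Assumed provider ranges for the example only; a real check consults WHOIS/RDAP.
KNOWN_PROVIDER_NETS = {
    "America Online (assumed range)": [ipaddress.ip_network("205.188.0.0/16")],
}

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Join folded continuation lines (leading space/tab) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line == "":
            break                                  # blank line ends the header block
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """One dict per Received: header, in header order (top = nearest recipient)."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ip = IPV4_RE.search(line)
        hops.append({
            "from": m.group(1),
            "ip": ip.group(1) if ip else None,
            "authenticated": "authenticated user" in line.lower(),
            "raw": line,
        })
    return hops


def origin_hop(raw):
    """Each relay prepends its Received: line, so the last one is the origin."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def classify_ip(ip):
    """Map an address onto a known provider name, or 'unknown'."""
    if ip is None:
        return "unknown"
    addr = ipaddress.ip_address(ip)
    for name, nets in KNOWN_PROVIDER_NETS.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def summarize(raw):
    """Origin IP, its provider, and whether the origin hop was an authenticated webmail login."""
    hop = origin_hop(raw)
    if hop is None:
        return {"ip": None, "provider": "unknown", "authenticated": False}
    return {"ip": hop["ip"], "provider": classify_ip(hop["ip"]), "authenticated": hop["authenticated"]}


if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))
```

Only the Received: line added by your own mail server can be trusted outright; lines below it were written by other relays and can be forged, which is why the origin hop is evidence to weigh rather than proof, and why the reply's advice (do not click links or open attachments regardless of who appears to have sent it) still applies.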

#7
killer12
    Member
  • Topic Starter
  • Member
  • PipPip
  • 65 posts
good to know that my computer is safe and clean ^_^. Thanks
  • 0

#8
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0