Ebay/Paypal Problem


Ebay/Paypal Problem

Post by tractorlovr on 19th February 2010, 2:10 pm

When I try to log into eBay or PayPal, it asks for personal information like my SSN, mother's maiden name and credit card information, even though PayPal already has my CC info. I researched it online and found that it could be a rootkit virus, Sinowal?? I used Malwarebytes' to try to get rid of it, and that found nothing. I did HiJack This, and below is my log. I don't know what to do next to get rid of this...


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [TexTally] "C:\Program Files\NCH Swift Sound\TexTally\textally.exe" -logon
O4 - HKLM\..\Run: [FastFox] "C:\Program Files\NCH Swift Sound\FastFox\fastfox.exe" -logon
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} (WWHearts Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 11946 bytes

tractorlovr (Novice)
Posts: 30 | Joined: 2010-01-29 | OS: Windows xp | Points: 25464 | Likes: 0

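As an added illustration (not code from this thread, from HijackThis, or from the forum's procedure), here is a small Python triage pass over a log in the format posted above: it parses the `Oxx - ` entries and flags the kinds of lines a helper checks first, such as the orphaned O2 BHO marked `(no file)` (the line Belahzur singles out in his reply) and O4 Run entries that name a bare executable instead of a full path. The sample log and its O16 URL are constructed placeholders modelled on the entries above; every flagged line is a prompt to verify the file on disk, not a verdict.

```python
"""Triage pass over a HijackThis-format log (added example; not HijackThis or forum code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on entries quoted in the post above.
# The O16 URL is a placeholder: the forum hides the real link.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://example.invalid/placeholder.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code: R0/R1, O2, O4, O16, O20, O23, ...
    body: str      # text after "<section> - "


@dataclass
class Finding:
    level: str     # "review": needs a human's eyes; "info": context for the reader
    reason: str
    line: str


_ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
_RUN_RE = re.compile(r"\\Run(?:Once)?: \[[^\]]*\] (.*)$")   # O4 ..\Run: [Name] <target>
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                      # fully qualified Windows path


def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into entries; header, blank and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def run_target(body: str) -> str | None:
    """Executable named by an O4 ..\\Run entry, with surrounding quotes and arguments removed."""
    m = _RUN_RE.search(body)
    if not m:
        return None
    target = m.group(1).strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the checks a helper applies by eye; each finding is a prompt to verify, not a verdict."""
    findings = []
    dpf = 0
    for e in entries:
        line = f"{e.section} - {e.body}"
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding("review", "BHO CLSID registered but no DLL on disk (orphaned entry)", line))
        elif e.section == "O4" and (t := run_target(e.body)) is not None:
            if not _DRIVE_RE.match(t):
                # A bare name is resolved through the search path, so the file's location is unknown.
                findings.append(Finding("review", "Run entry names a bare executable; locate the file and confirm its publisher", line))
        elif e.section == "O4" and e.body.endswith("= ?"):
            findings.append(Finding("review", "startup shortcut whose target could not be resolved", line))
        elif e.section == "O16":
            dpf += 1
        elif e.section in ("O20", "O23"):
            findings.append(Finding("info", "code loaded at logon/boot; confirm the file belongs to a known product", line))
        elif e.section == "R1" and "ProxyOverride" in e.body:
            findings.append(Finding("info", "proxy bypass list; read alongside any ProxyServer entry", line))
    if dpf:
        findings.append(Finding("info", f"{dpf} downloaded ActiveX control(s) (O16) registered in Internet Explorer", "O16 - DPF: ..."))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.level:6}] {f.reason}\n         {f.line}")
```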

Re: Ebay/Paypal Problem

Post by Belahzur on 19th February 2010, 8:44 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245091 | Likes: 1


Re: Ebay/Paypal Problem

Post by tractorlovr on 20th February 2010, 2:24 pm

OK, I did the above things. This is my MBAM log:

2/19/2010 9:10:28 PM
mbam-log-2010-02-19 (21-10-28).txt

Scan type: Quick Scan
Objects scanned: 212744
Time elapsed: 52 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



This is the log from 1-30-10:


1/30/2010 12:33:35 AM
mbam-log-2010-01-30 (00-33-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 267412
Time elapsed: 2 hour(s), 22 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\general antivirus_is1 (Rogue.GeneralAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ITGrdEngine (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows logon process (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\9GMLCGSV\eH96f8855eV0100f070006R3db1a730102Tdd9ac1dc201l0409K5c48502d30dP000201080[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9GMLCGSV\eH96f8855eV0100f070006R3db1a730102Tdd9ac1dc201l0409K5c48502d30dP000201080[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

tractorlovr (Novice)
Posts: 30 | Joined: 2010-01-29 | OS: Windows xp | Points: 25464 | Likes: 0


Re: Ebay/Paypal Problem

Post by Belahzur on 20th February 2010, 8:22 pm

Hello.
Are you editing these logs? MBAM should show your OS, and it's not doing that, nor does your first Hijack This log show the header, which contains information I need to know.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245091 | Likes: 1


Re: Ebay/Paypal Problem

Post by tractorlovr on 20th February 2010, 8:39 pm

Sorry...

Malwarebytes' Anti-Malware 1.44
Database version: 3657
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/30/2010 12:33:35 AM
mbam-log-2010-01-30 (00-33-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 267412
Time elapsed: 2 hour(s), 22 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\general antivirus_is1 (Rogue.GeneralAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ITGrdEngine (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows logon process (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\9GMLCGSV\eH96f8855eV0100f070006R3db1a730102Tdd9ac1dc201l0409K5c48502d30dP000201080[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9GMLCGSV\eH96f8855eV0100f070006R3db1a730102Tdd9ac1dc201l0409K5c48502d30dP000201080[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.44
Database version: 3764
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 9:10:28 PM
mbam-log-2010-02-19 (21-10-28).txt

Scan type: Quick Scan
Objects scanned: 212744
Time elapsed: 52 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

tractorlovr (Novice)
Posts: 30 | Joined: 2010-01-29 | OS: Windows xp | Points: 25464 | Likes: 0


Re: Ebay/Paypal Problem

Post by Belahzur on 20th February 2010, 8:42 pm

Hello.

  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245091 | Likes: 1


Re: Ebay/Paypal Problem

Post by tractorlovr on 21st February 2010, 2:09 am

ComboFix 10-02-20.03 - Owner 02/20/2010 19:54:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.507 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\fad.sys

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 00:45 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-20 08:49 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 08:45 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-20 08:45 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe
AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M91DOY8L\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-20 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86CFE4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e7f28
\Driver\ACPI -> 0x86cfe4d0
\Driver\atapi -> atapi.sys @ 0xf7612852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
PacketIndicateHandler -> NDIS.sys @ 0xf752ba21
SendHandler -> NDIS.sys @ 0xf750987b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-02-20 20:04:10
ComboFix-quarantined-files.txt 2010-02-21 02:03

Pre-Run: 36,883,972,096 bytes free
Post-Run: 37,968,633,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 24E290B887C2FC0AA7DF13EE1BF51DCC

tractorlovr
Novice
Posts: 30
Joined: 2010-01-29
OS: Windows xp
Points: 25464
Likes: 0

Re: Ebay/Paypal Problem

Post by Belahzur on 21st February 2010, 4:20 pm

Hello.
Please go to Start > Run. In the Run box, copy/paste in the following:

"C:\Windows\system32\mbr.exe" -f

Please post the log when done.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Re: Ebay/Paypal Problem

Post by tractorlovr on 21st February 2010, 6:30 pm

I copy & pasted the above into Run but all I got was a box that popped up saying:

Windows cannot find 'C:\Windows\system32\mbr.exe' -f. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


Re: Ebay/Paypal Problem

Post by Belahzur on 21st February 2010, 8:18 pm

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.


Re: Ebay/Paypal Problem

Post by tractorlovr on 22nd February 2010, 4:59 am

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86cfe4d0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

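The mbr.log above reports the three artefacts a Mebroot/Sinowal-style bootkit leaves on disk: a live MBR whose boot code no longer matches the original, a saved copy of the original MBR far out in unallocated space (sector 0x06FBC03D here), and a PE image stored a few sectors after it. The Python script below is an added example, not part of the thread and not GMER's code. It builds a small constructed disk image with that layout, scans it the way such a detector would (sectors outside every partition are checked for a second MBR carrying the same partition table and for PE headers), and then models the repair that the logs describe as "original MBR restored" by copying the saved boot code back into sector 0. Everything in it is constructed: the sector numbers 2000 and 2025, the stand-in boot code bytes and the partition layout have nothing to do with the real disk in the thread, and how mbr.exe itself carries out its -f fix is not shown on the page.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
SIGNATURE = b"\x55\xaa"


def partition_entry(boot_flag: int, ptype: int, lba_start: int, lba_count: int) -> bytes:
    """One 16-byte partition table entry; CHS fields are left zero, only LBA fields are used."""
    return struct.pack("<B3sB3sII", boot_flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, lba_count)


def build_mbr(boot_code: bytes, ptable: bytes) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, 64-byte partition table, 0x55AA."""
    assert len(ptable) == 64
    return boot_code.ljust(BOOT_CODE_LEN, b"\0")[:BOOT_CODE_LEN] + ptable + SIGNATURE


def minimal_pe_stub() -> bytes:
    """Just enough of a PE header to be recognised: 'MZ', e_lfanew at 0x3C, 'PE\\0\\0'."""
    stub = bytearray(SECTOR)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


def build_demo_image() -> bytearray:
    """Constructed 1 MiB disk: hooked MBR at LBA 0, one NTFS partition, the saved
    original MBR at LBA 2000 and a PE payload at LBA 2025, both outside the partition."""
    ptable = partition_entry(0x80, 0x07, 63, 1900) + b"\0" * 48
    original_boot = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # constructed stand-in for stock boot code
    hooked_boot = b"\xfa\xe9\x20\x01"                 # constructed stand-in for a bootkit loader
    img = bytearray(2048 * SECTOR)
    img[0:SECTOR] = build_mbr(hooked_boot, ptable)
    img[2000 * SECTOR:2001 * SECTOR] = build_mbr(original_boot, ptable)
    img[2025 * SECTOR:2026 * SECTOR] = minimal_pe_stub()
    return img


def partition_ranges(ptable: bytes):
    """Yield (first_lba, end_lba_exclusive) for every populated partition entry."""
    for i in range(4):
        _flag, _chs1, ptype, _chs2, start, count = struct.unpack_from("<B3sB3sII", ptable, i * 16)
        if ptype and count:
            yield start, start + count


def scan_image(image) -> dict:
    """Look outside all partitions for (a) another MBR with the live partition table
    and (b) sectors that start a PE image. Both are what a bootkit leaves behind."""
    live_boot, live_table = image[:BOOT_CODE_LEN], image[BOOT_CODE_LEN:510]
    ranges = list(partition_ranges(bytes(live_table)))
    findings = {"mbr_signature_ok": bytes(image[510:512]) == SIGNATURE,
                "mbr_copies": [], "pe_sectors": []}
    for lba in range(1, len(image) // SECTOR):
        if any(s <= lba < e for s, e in ranges):
            continue                                   # allocated to a partition: not our concern here
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] == SIGNATURE and sec[BOOT_CODE_LEN:510] == live_table:
            findings["mbr_copies"].append({"lba": lba, "boot_code_differs": sec[:BOOT_CODE_LEN] != live_boot})
        if sec[:2] == b"MZ":
            e_lfanew = struct.unpack_from("<I", sec, 0x3C)[0]
            if e_lfanew + 4 <= SECTOR and sec[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                findings["pe_sectors"].append(lba)
    return findings


def verdict(findings: dict) -> str:
    hooked_copy = any(c["boot_code_differs"] for c in findings["mbr_copies"])
    if hooked_copy and findings["pe_sectors"]:
        return "infected"       # modified live MBR + saved original + stored PE: the bootkit pattern
    if hooked_copy:
        return "suspicious"
    if findings["pe_sectors"]:
        return "residue"        # MBR is fine again but payload sectors are still on disk
    return "clean"


def restore_original_mbr(image: bytearray, copy_lba: int) -> None:
    """Model of the repair: put the saved boot code back into sector 0, keeping the
    live partition table and signature (an assumption about what the fix does)."""
    image[:BOOT_CODE_LEN] = image[copy_lba * SECTOR:copy_lba * SECTOR + BOOT_CODE_LEN]


def demo():
    img = build_demo_image()
    before = scan_image(img)
    restore_original_mbr(img, before["mbr_copies"][0]["lba"])
    return before, scan_image(img)


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", verdict(before), before)
    print("after fix: ", verdict(after), after)
```

The second scan is the point worth noticing: putting the original boot code back disarms the bootkit at boot time, but the stored PE payload is still sitting in unallocated sectors, so a restored MBR on its own is not evidence that the disk is clean.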

Re: Ebay/Paypal Problem

Post by Belahzur on 22nd February 2010, 8:28 pm

Hello.
Please go to Start > Run. In the Run box, copy/paste in the following:

%userprofile%\Desktop\mbr.exe -f

Please post the log when done.


Re: Ebay/Paypal Problem

Post by tractorlovr on 22nd February 2010, 8:55 pm

When I tried that, I got a box that said

Windows cannot find 'C:/Documents'. Make sure you typed the name correctly, and try again. To search for a file, click the Start button, and then click Search.


Re: Ebay/Paypal Problem

Post by Belahzur on 22nd February 2010, 9:08 pm

Make sure mbr.exe is on your Desktop, then try this command.

"%userprofile%\Desktop\mbr.exe" -f

Difference is the two quote marks.


Re: Ebay/Paypal Problem

Post by tractorlovr on 22nd February 2010, 9:54 pm

mbr.exe is Malwarebytes', right? It is on my desktop but it's saying that Windows can't find C:/Documents and Settings/Owner/Desktop/mbr.exe


Re: Ebay/Paypal Problem

Post by Belahzur on 22nd February 2010, 9:58 pm

Hello.
I want to see one more log:


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Ebay/Paypal Problem

Post by tractorlovr on 22nd February 2010, 11:01 pm

My TDSSKiller log:

16:10:44:013 4092 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
16:10:44:013 4092 ================================================================================
16:10:44:013 4092 SystemInfo:

16:10:44:013 4092 OS Version: 5.1.2600 ServicePack: 3.0
16:10:44:013 4092 Product type: Workstation
16:10:44:013 4092 ComputerName: JENSENS
16:10:44:013 4092 UserName: Owner
16:10:44:013 4092 Windows directory: C:\WINDOWS
16:10:44:013 4092 Processor architecture: Intel x86
16:10:44:013 4092 Number of processors: 1
16:10:44:013 4092 Page size: 0x1000
16:10:44:013 4092 Boot type: Normal boot
16:10:44:013 4092 ================================================================================
16:10:44:060 4092 UnloadDriverW: NtUnloadDriver error 2
16:10:44:060 4092 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:10:44:091 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:10:44:591 4092 UtilityInit: KLMD drop and load success
16:10:44:591 4092 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
16:10:44:591 4092 UtilityInit: KLMD open success
16:10:44:591 4092 UtilityInit: Initialize success
16:10:44:591 4092
16:10:44:591 4092 Scanning Services ...
16:10:44:591 4092 CreateRegParser: Registry parser init started
16:10:44:591 4092 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:10:44:591 4092 CreateRegParser: DisableWow64Redirection error
16:10:44:591 4092 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:10:44:623 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:10:44:623 4092 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:10:44:623 4092 wfopen_ex: Trying to KLMD file open
16:10:44:623 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:10:44:623 4092 wfopen_ex: File opened ok (Flags 2)
16:10:44:623 4092 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384C10
16:10:44:623 4092 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:10:44:638 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:10:44:638 4092 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:10:44:638 4092 wfopen_ex: Trying to KLMD file open
16:10:44:638 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:10:44:638 4092 wfopen_ex: File opened ok (Flags 2)
16:10:44:638 4092 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384B00
16:10:44:638 4092 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:10:44:638 4092 CreateRegParser: EnableWow64Redirection error
16:10:44:638 4092 CreateRegParser: RegParser init completed
16:10:45:419 4092 GetAdvancedServicesInfo: Raw services enum returned 312 services
16:10:45:419 4092 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:10:45:419 4092 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:10:45:419 4092
16:10:45:419 4092 Scanning Kernel memory ...
16:10:45:419 4092 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:10:45:419 4092 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86FD4A08
16:10:45:419 4092 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
16:10:45:419 4092
16:10:45:419 4092 DetectCureTDL3: DEVICE_OBJECT: 86F48C68
16:10:45:419 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F48C68
16:10:45:419 4092 KLMD_ReadMem: Trying to ReadMemory 0x86F48C68[0x38]
16:10:45:419 4092 DetectCureTDL3: DRIVER_OBJECT: 86FD4A08
16:10:45:419 4092 KLMD_ReadMem: Trying to ReadMemory 0x86FD4A08[0xA8]
16:10:45:419 4092 KLMD_ReadMem: Trying to ReadMemory 0xE1606358[0x18]
16:10:45:419 4092 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CLOSE : F76E9BB0
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76E42E2
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76E43BB
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76E42E2
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_POWER : F76E5C82
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76EA99E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
16:10:45:419 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:419 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:419 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:466 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:466 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:466 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:10:45:482 4092
16:10:45:482 4092 DetectCureTDL3: DEVICE_OBJECT: 86F499F0
16:10:45:482 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F499F0
16:10:45:482 4092 KLMD_ReadMem: Trying to ReadMemory 0x86F499F0[0x38]
16:10:45:482 4092 DetectCureTDL3: DRIVER_OBJECT: 86FD4A08
16:10:45:482 4092 KLMD_ReadMem: Trying to ReadMemory 0x86FD4A08[0xA8]
16:10:45:482 4092 KLMD_ReadMem: Trying to ReadMemory 0xE1606358[0x18]
16:10:45:482 4092 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CLOSE : F76E9BB0
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76E42E2
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76E43BB
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76E42E2
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_POWER : F76E5C82
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76EA99E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
16:10:45:482 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:482 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:482 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:513 4092 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:10:45:513 4092
16:10:45:513 4092 DetectCureTDL3: DEVICE_OBJECT: 86F4BAB8
16:10:45:513 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F4BAB8
16:10:45:513 4092 DetectCureTDL3: DEVICE_OBJECT: 86F47F18
16:10:45:513 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F47F18
16:10:45:513 4092 DetectCureTDL3: DEVICE_OBJECT: 86FCFD98
16:10:45:513 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FCFD98
16:10:45:513 4092 KLMD_ReadMem: Trying to ReadMemory 0x86FCFD98[0x38]
16:10:45:513 4092 DetectCureTDL3: DRIVER_OBJECT: 86F51840
16:10:45:513 4092 KLMD_ReadMem: Trying to ReadMemory 0x86F51840[0xA8]
16:10:45:513 4092 KLMD_ReadMem: Trying to ReadMemory 0xE16090F0[0x1A]
16:10:45:513 4092 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE : F76166F2
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CLOSE : F76166F2
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_READ : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_WRITE : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7616712
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7612852
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_POWER : F761673C
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F761D336
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
16:10:45:513 4092 TDL3_FileDetect: Processing driver: atapi
16:10:45:513 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:513 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:544 4092 KLMD_ReadMem: Trying to ReadMemory 0xF7613864[0x400]
16:10:45:544 4092 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:10:45:544 4092 TDL3_FileDetect: Processing driver: atapi
16:10:45:544 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:544 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:544 4092 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:10:45:544 4092
16:10:45:544 4092 Completed
16:10:45:544 4092
16:10:45:544 4092 Results:
16:10:45:544 4092 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:10:45:544 4092 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:10:45:544 4092 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:10:45:544 4092
16:10:45:591 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:10:45:591 4092 UtilityDeinit: KLMD(ARK) unloaded successfully

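The TDSSKiller log above is, at its core, a dump of each storage driver's IRP dispatch table (the IRP_MJ_* slots of the DRIVER_OBJECT) followed by a verdict on the driver file. What matters for each slot is where its handler address points: into the driver's own image, at the kernel's default stub (804FA88E fills every unimplemented slot in the log), into a helper library the driver legitimately delegates to (disk.sys's slots all land in CLASSPNP.SYS, which is why mbr.exe listed "\Driver\Disk -> CLASSPNP.SYS" as a hook while TDSSKiller still called disk.sys clean), or at an address backed by no loaded module at all, which is what mbr.exe reported for \Driver\ACPI (0x86cfe4d0). The Python script below is an added example, not TDSSKiller's or GMER's code: it parses lines in TDSSKiller's log format and classifies each handler against a module map. The module base addresses and sizes are constructed for the example (the thread's logs give handler addresses but never load ranges), and the ACPI lines in the sample are constructed as well; the page only says that an ACPI handler pointed at 0x86cfe4d0, not which IRP slot held it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed module map: (image name, base, size). Invented for the example and
# chosen so the logged handler addresses fall in the images the logs attribute them to.
MODULES: List[Tuple[str, int, int]] = [
    ("ntoskrnl.exe", 0x804D7000, 0x001F8000),
    ("ACPI.sys",     0xF74A0000, 0x0002C000),
    ("NDIS.sys",     0xF7500000, 0x00030000),
    ("atapi.sys",    0xF7610000, 0x00018000),
    ("disk.sys",     0xF76D0000, 0x00009000),
    ("CLASSPNP.SYS", 0xF76E0000, 0x0000D000),
]

# Which image owns each driver object, and which helper images it may legitimately
# hand its dispatch slots to (disk.sys is a thin wrapper over the class driver library).
OWNER_IMAGE = {"Disk": "disk.sys", "atapi": "atapi.sys", "ACPI": "ACPI.sys"}
HELPER_IMAGES = {"disk.sys": {"CLASSPNP.SYS"}}

# Constructed log excerpt in TDSSKiller's format. The Disk and atapi lines are a subset of
# the real ones in the thread; the ACPI lines are invented, with the address mbr.exe reported
# for \Driver\ACPI (86CFE4D0) placed in the INTERNAL_DEVICE_CONTROL slot for illustration.
SAMPLE_LOG = """\
16:10:45:419 4092 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
16:10:45:513 4092 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE : F76166F2
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_READ : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7612852
16:10:45:600 4092 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\ACPI, Driver Name: ACPI
16:10:45:600 4092 DetectCureTDL3: IRP_MJ_CREATE : F74A5C10
16:10:45:600 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 86CFE4D0
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\(\w+)")
SLOT_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")


def parse_dispatch_log(lines) -> Dict[str, Dict[str, int]]:
    """Group IRP_MJ_* -> handler address under the DRIVER_OBJECT line that precedes them."""
    tables: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in lines:
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = SLOT_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def find_module(addr: int, modules=MODULES) -> Optional[str]:
    """Name of the loaded image containing addr, or None if no image is mapped there."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def classify(driver: str, addr: int, modules=MODULES) -> str:
    owner = OWNER_IMAGE[driver]
    image = find_module(addr, modules)
    if image is None:
        return "UNKNOWN"            # no image behind the code: pool-resident handler, the hook signature
    if image == owner:
        return "own"
    if image == "ntoskrnl.exe":
        return "kernel"             # the kernel's default for slots the driver does not implement
    if image in HELPER_IMAGES.get(owner, ()):
        return "helper"             # delegated to a known library, as disk.sys does with CLASSPNP.SYS
    return "foreign:" + image       # some other driver owns the slot: a filter, or a hook


def analyze(tables, modules=MODULES) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return only the slots that are not own/kernel/helper, keyed by driver name."""
    findings: Dict[str, List[Tuple[str, int, str]]] = {}
    for driver, table in tables.items():
        for irp, addr in table.items():
            status = classify(driver, addr, modules)
            if status not in ("own", "kernel", "helper"):
                findings.setdefault(driver, []).append((irp, addr, status))
    return findings


if __name__ == "__main__":
    for drv, hits in analyze(parse_dispatch_log(SAMPLE_LOG.splitlines())).items():
        for irp, addr, status in hits:
            print(f"\\Driver\\{drv} {irp} -> {addr:08X} [{status}]")
```

The classification is only as good as the module map: a tool that has an incomplete list of loaded images (or that does not know disk.sys forwards to CLASSPNP.SYS) will report exactly the kind of false "hook" that mbr.exe printed for \Driver\Disk, while the ACPI entry, which no image can account for, is the one worth acting on.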

Re: Ebay/Paypal Problem

Post by Belahzur on 23rd February 2010, 12:09 am

MBR::

  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Re: Ebay/Paypal Problem

Post by tractorlovr on 23rd February 2010, 1:04 am

ComboFix 10-02-21.02 - Owner 02/22/2010 18:46:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.408 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZV1L1E1I\cfscriptb4i[1].gif
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 00:46 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-21 02:32 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-20 08:49 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 08:45 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
*NewlyCreated* - KLMD21
*Deregistered* - klmd21
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-22 18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86CFE4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e7f28
\Driver\ACPI -> 0x86cfe4d0
\Driver\atapi -> atapi.sys @ 0xf7612852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
PacketIndicateHandler -> NDIS.sys @ 0xf752ba21
SendHandler -> NDIS.sys @ 0xf750987b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-02-22 18:59:51
ComboFix-quarantined-files.txt 2010-02-23 00:59
ComboFix2.txt 2010-02-21 02:04

Pre-Run: 37,956,198,400 bytes free
Post-Run: 37,959,225,344 bytes free

- - End Of File - - 06C004BE013B36A26F013B757ECC86E4


Re: Ebay/Paypal Problem

Post by Belahzur on 23rd February 2010, 1:34 am

Hello.
I know what's wrong, I've just seen something I didn't see before. I need you to stay in this with me, this one is a nasty bugger, but it can be defeated. This is one long and advanced fix, follow my instructions carefully.



Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

control userpasswords2

Now when this next window opens, highlight the user "HelpAssistant", and click remove. Okay any prompts.

Close the user account editor.

Next, click Start > Run and copy/paste the following bolded text into the Run box and click OK:

regedit

Follow this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters

Under the Parameters key, there's a value called "ServiceDll", which should be pointing at %systemroot%\system32\termsrv32.dll

Double click on the value "ServiceDll" so you can edit the filepath, then remove the "32" out of the filename so it should now be set to "%systemroot%\system32\termsrv.dll"
======

Next, go to this folder in bold:

C:\Windows\system32

Once in the system32 folder, find termsrv32.dll, right click and rename it. Remove the 3 so it should now be called termsrv2.dll
======

Now, please make sure mbr.exe is located on your Desktop!! << IMPORTANT

Now open a new notepad file.
Input this into the notepad file:

@echo off
cd %userprofile%
cd Desktop
mbr.exe -f
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.

Mbr.exe should make a logfile on your Desktop, DO NOT post it just yet. Once you have run my bat file once, run it AGAIN!! << IMPORTANT

Please post the second log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Ebay/Paypal Problem

Post by tractorlovr on 23rd February 2010, 3:42 am

I hope I did this right...

mbr.exe is the same as Malwarebytes' Anti-Malware, correct? The only log that I see on my desktop is a notepad file that says mbr & contains the following info. Is this what you need?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86cfe4d0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
Use "Recovery Console" command "fixmbr" to clear infection !


Re: Ebay/Paypal Problem

Post by Belahzur on 23rd February 2010, 2:33 pm

Hello.
Good work, we've killed the rootkit. The MBR is okay now, just leftover code, but we'll clean that up later.

The hacker is using a Remote Desktop connection to your machine, so we have to close that port off.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
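As an added example (not code from this thread, nor from ComboFix or Gmer), the following Python script reads the ComboFix log format quoted above and flags the indicators acted on in this thread: the firewall disabled, the GloballyOpenPorts exceptions including 3389/TCP, HelpAssistant profile folders, and the Gmer MBR detector's malicious-sector lines. It also emits the same `Registry::` CFScript block used above to delete those port exceptions. The embedded log excerpt is constructed from the format shown in the thread.

```python
"""Triage helper for ComboFix logs of the kind quoted in this thread.

Added example, not part of the forum post or of ComboFix/Gmer. The
SAMPLE_LOG below is constructed to match the log format shown above.
"""
import re
from typing import Dict, List, Optional, Tuple

# Exact section header ComboFix prints for the XP firewall port-exception list.
PORTS_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"
# "65533:TCP"= 65533:TCP:Services  ->  port, protocol, free-text description
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(\d+)', re.M)
# HelpAssistant is XP's built-in Remote Assistance account; the helper in the
# thread treats its profile folders plus an open 3389 as the remote-access foothold.
PROFILE_LINE = re.compile(r"(c:\\documents and settings\\HelpAssistant[^\s]*)", re.I)
# Gmer MBR-detector lines that carry a disk sector number.
SECTOR_LINE = re.compile(
    r"^(copy of MBR has been found|malicious code|PE file found).*?sector(?: at)? (0x[0-9A-Fa-f]+)", re.M)
RDP_PORT = 3389

# Constructed excerpt (same layout as the ComboFix output quoted in the thread).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""


def parse_open_ports(log: str) -> List[Tuple[int, str, str]]:
    """Return (port, proto, description) for every entry under the GloballyOpenPorts key."""
    ports, in_list = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_list = line.lower() == PORTS_KEY.lower()   # a new REGEDIT4 section starts
            continue
        if not line:
            in_list = False                                # blank line ends the section
            continue
        m = PORT_LINE.match(line) if in_list else None
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return ports


def firewall_enabled(log: str) -> Optional[bool]:
    """True/False from the EnableFirewall value, None if the log does not show it."""
    m = FIREWALL_LINE.search(log)
    return None if m is None else m.group(1) != "0"


def helpassistant_profiles(log: str) -> List[str]:
    """Distinct HelpAssistant profile paths mentioned anywhere in the log."""
    return sorted({m.group(1) for m in PROFILE_LINE.finditer(log)})


def mbr_findings(log: str) -> Dict[str, int]:
    """Map each Gmer finding type to the disk sector it reports (as an int)."""
    return {m.group(1): int(m.group(2), 16) for m in SECTOR_LINE.finditer(log)}


def triage(log: str) -> List[str]:
    """Human-readable findings in the order a helper would review them."""
    findings = []
    if firewall_enabled(log) is False:
        findings.append("Windows Firewall is disabled (EnableFirewall=0)")
    for port, proto, name in parse_open_ports(log):
        tag = "RDP exposed" if port == RDP_PORT else "firewall exception to review"
        findings.append(f"{tag}: {port}/{proto} ({name or 'no description'})")
    for path in helpassistant_profiles(log):
        findings.append(f"HelpAssistant profile present: {path}")
    mbr = mbr_findings(log)
    if "malicious code" in mbr:
        findings.append(f"Gmer: malicious code at sector 0x{mbr['malicious code']:08X}")
    return findings


def cfscript_close_ports(ports: List[Tuple[int, str, str]]) -> str:
    """Build the Registry:: block (CFScript format used in the thread); '=-' deletes the value."""
    lines = ["Registry::", PORTS_KEY]
    lines += [f'"{port}:{proto}"=-' for port, proto, _ in ports]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
    print(cfscript_close_ports(parse_open_ports(SAMPLE_LOG)))
```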



Re: Ebay/Paypal Problem

Post by Belahzur on 23rd February 2010, 2:40 pm

Note: Made an error in my script, just edited it now, please make sure you have the updated version, refresh this page if needed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Ebay/Paypal Problem

Post by tractorlovr on 23rd February 2010, 5:34 pm

ComboFix 10-02-22.07 - Owner 02/23/2010 10:02:12.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.381 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-23 00:42 . 2010-02-23 01:00 -------- d-----w- C:\Combo-Fix
2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 12:46 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-23 02:10 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-20 08:49 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 08:45 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
*NewlyCreated* - KLMD21
*Deregistered* - klmd21
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-23 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86CFE4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e7f28
\Driver\ACPI -> 0x86cfe4d0
\Driver\atapi -> atapi.sys @ 0xf7612852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
PacketIndicateHandler -> NDIS.sys @ 0xf752ba21
SendHandler -> NDIS.sys @ 0xf750987b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-23 10:41:37
ComboFix-quarantined-files.txt 2010-02-23 16:29
ComboFix2.txt 2010-02-23 15:17
ComboFix3.txt 2010-02-23 00:59
ComboFix4.txt 2010-02-21 02:04

Pre-Run: 37,960,187,904 bytes free
Post-Run: 37,941,014,528 bytes free

- - End Of File - - 913273236B34E60D3B87B84C10F6B82B


Re: Ebay/Paypal Problem

Post by Belahzur on 23rd February 2010, 6:07 pm

Hmm, something else is going on here.

Did you remove the user account and change the registry value back to what I asked?

Please close all antivirus, anti-malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1


Re: Ebay/Paypal Problem

Post by tractorlovr on 23rd February 2010, 7:38 pm

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/23 13:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDFCD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C31000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECEE9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: c:\documents and settings\all users\application data\spybot - search & destroy\proccache.sbc
Status: Size mismatch (API: 27516, Raw: 27482)

Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d26310 Size: 153

==EOF==

tractorlovr
Novice

Posts : 30
Joined : 2010-01-29
OS : Windows xp
Points : 25464
# Likes : 0


Re: Ebay/Paypal Problem

Post by Belahzur on 23rd February 2010, 8:05 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1


Re: Ebay/Paypal Problem

Post by tractorlovr on 24th February 2010, 2:18 am

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-23 20:18:24
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxldypoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017B28F5
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017B2781
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017B2873
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017B27B9
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017B27F1
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F228F5
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F22781
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F22873
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F227B9
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F227F1
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007D28F5
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007D2781
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007D2873
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007D27B9
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007D27F1
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CC28F5
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CC2781
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CC2873
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CC27B9
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CC27F1
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C628F5
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C62781
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C62873
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C627B9
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C627F1
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C528F5
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C52781
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C52873
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C527B9
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C527F1
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010528F5
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01052781
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01052873
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010527B9
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010527F1
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011028F5
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01102781
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01102873
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011027B9
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011027F1
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A028F5
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03A02781
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A02873
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03A027B9
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A027F1
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A528F5
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A52781
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A52873
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A527B9
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A527F1
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E328F5
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E32781
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E32873
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E327B9
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E327F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D228F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D22781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D22873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D227B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D227F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D028F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D02781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D02873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D027B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D027F1
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E428F5
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E42781
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E42873
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E427B9
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E427F1
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013D28F5
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013D2781
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013D2873
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013D27B9
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013D27F1
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010E28F5
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010E2781
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010E2873
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010E27B9
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010E27F1
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017728F5
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01772781
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01772873
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017727B9
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017727F1
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 052128F5
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 05212781
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 05212873
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 052127B9
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 052127F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02C5299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02C5294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02C52911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02C52EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02C52F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02C52BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 02C529B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 02C5370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02C52D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 02C532E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02C532F2
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06A328F5
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06A32781
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06A32873
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06A327B9
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06A327F1
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06BA28F5
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06BA2781
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06BA2873
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06BA27B9
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06BA27F1
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 034828F5
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!send 71AB4C27 5 Bytes JMP 03482781
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03482873
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!recv 71AB676F 5 Bytes JMP 034827B9
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 034827F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD28F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CD2781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CD2873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CD27B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CD27F1
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F228F5
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F22781
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01F22873
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01F227B9
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01F227F1
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011428F5
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01142781
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01142873
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011427B9
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011427F1
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 023528F5
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!send 71AB4C27 5 Bytes JMP 02352781
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02352873
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!recv 71AB676F 5 Bytes JMP 023527B9
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 023527F1
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F5
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B22781
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22873
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B9
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227F1
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F5
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B22781
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22873
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B9
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F728F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F72781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F72873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F727B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F727F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02FF299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02FF294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02FF2911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02FF2EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02FF2F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02FF2BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 02FF29B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 02FF370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02FF2D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 02FF32E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02FF32F2

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000050 86D26310
Device \Driver\ACPI \Device\00000051 86D26310
Device \Driver\ACPI \Device\00000044 86D26310
Device \Driver\ACPI \Device\00000047 86D26310
Device \Driver\ACPI \Device\00000048 86D26310
Device \Driver\ACPI \Device\00000055 86D26310

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000049 86D26310
Device \Driver\ACPI \Device\00000056 86D26310

---- EOF - GMER 1.0.15 ----

tractorlovr
Novice

Posts : 30
Joined : 2010-01-29
OS : Windows xp
Points : 25464
# Likes : 0

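A way to read the GMER "User code sections" log above, as an added example (it is not part of the thread and not GMER's own code). Each ".text" line is one inline hook; when GMER can map the JMP target to a loaded module it appends that module's path and vendor (the IEFRAME.dll entries), and when it cannot, the hook body sits in memory that belongs to no file on disk. The script parses those lines, keeps only the unattributed hooks, and separates two situations a helper has to tell apart: an export hooked the same way in many processes (including the security product's own), which usually points to a system-wide component that should be checked against the installed software, versus a browser process alone hooking the crypto, HTTP and certificate-validation APIs, which is the man-in-the-browser pattern consistent with the fake eBay/PayPal prompts the poster describes. The category names and the "widespread" threshold are this example's assumptions; the sample lines are excerpted from the log posted above.

```python
"""Triage of GMER 'User code sections' lines (added example, not from the thread or GMER)."""
import re
from collections import defaultdict

# .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owning module> (<vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?))?\s*$"
)

# API families whose interception matters in a banking-trojan case (assumed grouping).
SENSITIVE = {
    "crypto": {"CryptEncrypt", "CryptDecrypt", "CryptDestroyKey"},
    "http": {"HttpSendRequestA", "HttpSendRequestW", "HttpOpenRequestA",
             "InternetConnectA", "InternetReadFile", "InternetCloseHandle"},
    "certcheck": {"CertGetCertificateChain", "CertVerifyCertificateChainPolicy"},
    "socket": {"send", "recv", "WSASend", "WSARecv", "closesocket"},
}
WIDESPREAD = 3  # assumption: an export hooked in this many processes is a system-wide component

SAMPLE = [  # excerpt of the GMER log above, plus one header line the parser must skip
    r"---- User code sections - GMER 1.0.15 ----",
    r".text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01772781",
    r".text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017727B9",
    r".text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C52781",
    r".text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C527B9",
    r".text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C62781",
    r".text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C627B9",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02C52911",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02C52D5B",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02C532F2",
]


def parse_hooks(lines):
    """Turn GMER hook lines into dicts; lines that are not '.text' hook entries are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line)
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["attributed"] = h["owner"] is not None  # GMER named the module owning the target
        h["category"] = next((c for c, fs in SENSITIVE.items() if h["func"] in fs), "other")
        hooks.append(h)
    return hooks


def triage(hooks):
    """Summarise unattributed hooks per process and give each process a verdict."""
    per_proc = defaultdict(list)
    spread = defaultdict(set)  # export name -> set of process images carrying an unattributed hook on it
    for h in hooks:
        if h["attributed"]:
            continue
        per_proc[f'{h["proc"]}[{h["pid"]}]'].append(h)
        spread[h["func"]].add(h["proc"])
    report = {}
    for key, hs in per_proc.items():
        cats = {h["category"] for h in hs}
        # exports hooked here but in fewer than WIDESPREAD processes are specific to this process
        specific = sorted({h["func"] for h in hs if len(spread[h["func"]]) < WIDESPREAD})
        if {"crypto", "http", "certcheck"} <= cats:
            verdict = "browser-mitb-pattern"   # encrypt + send + cert check all diverted in one process
        elif not specific:
            verdict = "system-wide-hook"       # same hooks everywhere: check installed security software
        else:
            verdict = "review"
        report[key] = {"verdict": verdict, "categories": sorted(cats),
                       "process_specific": specific, "unattributed": len(hs)}
    return report


if __name__ == "__main__":
    for proc, summary in triage(parse_hooks(SAMPLE)).items():
        print(f"{summary['verdict']:22} {proc}  {summary['process_specific']}")
```

Run it over a full GMER log by replacing SAMPLE with the file's lines; the "system-wide-hook" processes are the ones to reconcile against the installed products before anything is removed, and a "browser-mitb-pattern" process is the one whose unattributed target addresses are worth dumping for the helper.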

Re: Ebay/Paypal Problem

Post by Belahzur on 24th February 2010, 3:50 pm

Hello.

Now, please make sure mbr.exe is located on your Desktop!! << IMPORTANT

Now open a new notepad file.
Input this into the notepad file:

@echo off
cd %userprofile%
cd Desktop
mbr.exe -f
exit

Save this as fix.bat, save it to your desktop.
Double-click fix.bat; a black cmd window will open and close, which is normal.

Mbr.exe should make a logfile on your Desktop, DO NOT post it just yet. Once you have run my bat file once, run it AGAIN!! << IMPORTANT

Next, DO NOT reboot the machine.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you: one will pop up (OTL.txt), the other will be saved on your Desktop (Extras.txt). Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

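What the "MBR Rootkit Detected!" finding and the mbr.exe -f rewrite in the post above are about, shown as an added example that is neither the thread's nor the mbr.exe tool's own code. A 512-byte MBR holds 440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA marker. An MBR rootkit replaces the boot code but leaves the partition table intact so the machine still boots normally, so the useful comparison against a known-good copy is "boot code changed while the partition table did not". The two sectors below are constructed for the example (the baseline boot code begins with the usual xor/mov stack setup bytes and is padded with NOPs; the tampered one is simply different bytes); reading the real sector 0 requires raw disk access on the affected machine and is outside this snippet.

```python
"""MBR baseline comparison (added example; constructed sectors, not a real disk image)."""
import hashlib
import struct

MBR_SIZE, BOOTCODE_LEN = 512, 440
DISKSIG_OFF, PT_OFF, SIG_OFF = 0x1B8, 0x1BE, 0x1FE
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PT_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISKSIG_OFF:DISKSIG_OFF + 4])[0],
        "partitions": parts,
    }


def classify(current: bytes, baseline: bytes) -> str:
    """Compare a freshly read MBR with a stored known-good one and name what changed."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    if not cur["signature_ok"]:
        return "invalid-mbr"
    bootcode_changed = cur["bootcode_sha256"] != base["bootcode_sha256"]
    table_changed = (cur["partitions"] != base["partitions"]
                     or cur["disk_signature"] != base["disk_signature"])
    if bootcode_changed and not table_changed:
        return "bootcode-replaced"        # the bootkit pattern: loader swapped, volumes untouched
    if table_changed:
        return "partition-table-changed"  # repartitioning or a different disk, not the rootkit pattern
    return "unchanged"


def build_mbr(bootcode: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed test sector; partitions are (bootable, type, lba_start, sectors)."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code exceeds 440 bytes")
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, DISKSIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PT_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples: one bootable NTFS (type 0x07) partition, same disk signature in both.
PARTS = [(True, 0x07, 63, 117_000_000)]
BASELINE_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20, 0xDEADBEEF, PARTS)
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\xCC" * 30, 0xDEADBEEF, PARTS)  # different boot code only

if __name__ == "__main__":
    print("tampered vs baseline:", classify(TAMPERED_MBR, BASELINE_MBR))
    print("baseline vs baseline:", classify(BASELINE_MBR, BASELINE_MBR))
```

The baseline is the thing to keep: a copy of sector 0 (or just its boot-code hash and partition table) taken when the machine is known clean, stored off the machine, makes this comparison possible later; a tool that only has the live sector has to fall back on recognising known loader code, which is the harder job mbr.exe does.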

Re: Ebay/Paypal Problem

Post by tractorlovr on 25th February 2010, 12:54 am

OTL logfile created on: 2/24/2010 6:31:50 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 449.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.15 Gb Free Space | 59.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENSENS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/12/12 10:00:20 | 002,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/20 17:42:52 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/20 17:42:51 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/20 17:42:44 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 14:31:16 | 002,144,088 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/03 18:11:57 | 000,382,384 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/03 18:11:57 | 000,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/09/10 16:40:06 | 000,289,576 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/09/10 12:00:00 | 000,525,664 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 20:41:18 | 001,241,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.bin
PRC - [2008/03/14 20:41:18 | 001,019,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.exe
PRC - [2008/03/12 12:05:36 | 000,163,128 | ---- | M] (SpiralFrog) -- C:\Program Files\SpiralFrog\Spiralfrog.exe
PRC - [2008/02/05 14:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
PRC - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/11/13 18:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 18:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2005/12/08 10:03:02 | 000,811,008 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
PRC - [2005/10/19 08:59:12 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2003/08/29 04:59:24 | 000,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2002/08/14 17:29:26 | 000,090,112 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PRC - [2002/06/27 00:53:26 | 000,303,104 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2002/06/27 00:34:44 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/06/27 00:21:30 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
PRC - [2002/06/27 00:20:58 | 000,323,646 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
PRC - [2002/04/11 03:19:36 | 000,077,824 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PRC - [2002/04/11 03:19:34 | 000,069,632 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PRC - [2002/02/15 10:31:42 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/03/04 20:22:53 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) [Auto | Running] -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -- (QuickBooksDB)
SRV - [2004/07/15 01:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/08/20 17:42:52 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/20 17:42:52 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/10 09:00:08 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/06/18 09:49:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/17 12:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/03/05 19:46:22 | 000,028,164 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/10/18 03:00:00 | 000,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/10/19 08:59:12 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/10/07 19:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/03/09 21:31:02 | 000,021,456 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 21:31:02 | 000,016,080 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 21:31:00 | 000,051,024 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/01/15 14:45:06 | 000,042,368 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/01/14 12:38:36 | 000,108,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel(R) Graphics Platform (SoftBIOS)
DRV - [2003/01/14 12:38:30 | 000,078,272 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel(R) Graphics Chipset (KCH)
DRV - [2002/12/19 17:48:48 | 000,539,008 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/09/03 10:53:10 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/04/01 13:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/23 00:33:12 | 000,010,192 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 07:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local



O1 HOSTS File: ([2009/04/04 07:30:30 | 000,304,232 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10480 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [FastFox] C:\Program Files\NCH Swift Sound\FastFox\fastfox.exe (NCH Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe (SpiralFrog)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TexTally] C:\Program Files\NCH Swift Sound\TexTally\textally.exe (NCH Software)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: bankfirstonline.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} [You must be registered and logged in to see this link.] (Mines Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} [You must be registered and logged in to see this link.] (SkillGam Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} [You must be registered and logged in to see this link.] (FunGamesLoader Object)
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} [You must be registered and logged in to see this link.] (TPIR Control)
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} [You must be registered and logged in to see this link.] (Brickout Control)
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} [You must be registered and logged in to see this link.] (Jigsaw Genius Control)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} [You must be registered and logged in to see this link.] (SolitaireRush Control)
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} [You must be registered and logged in to see this link.] (WWHearts Control)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} [You must be registered and logged in to see this link.] (BJA Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} [You must be registered and logged in to see this link.] (Bejeweled Control)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} [You must be registered and logged in to see this link.] (SpiderSolitaire Control)
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} [You must be registered and logged in to see this link.] (Blockwerx Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} [You must be registered and logged in to see this link.] (ContactExtractor Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} [You must be registered and logged in to see this link.] (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} [You must be registered and logged in to see this link.] (WordMojo Control)
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} [You must be registered and logged in to see this link.] (Cubis Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} [You must be registered and logged in to see this link.] (WoF Control)
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} [You must be registered and logged in to see this link.] (SwapIt Control)
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} [You must be registered and logged in to see this link.] (Hangman Control)
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} [You must be registered and logged in to see this link.] (Tilecity Control)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} [You must be registered and logged in to see this link.] (Royal Control)
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} [You must be registered and logged in to see this link.] (Paint Control)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} [You must be registered and logged in to see this link.] (FamilyFeud Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} [You must be registered and logged in to see this link.] (GolfSol Control)
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} [You must be registered and logged in to see this link.] (WWSpades Control)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/04 20:27:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/24 18:31:09 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/24 05:54:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/23 12:20:16 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/02/23 09:59:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/22 18:42:06 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/02/20 19:47:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/20 19:46:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/20 19:46:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/20 19:46:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/20 19:46:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/20 19:30:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/19 16:51:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/19 16:51:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/19 16:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/15 19:39:02 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/14 13:41:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IECompatCache
[2010/02/14 13:36:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2010/02/14 12:40:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2010/02/14 12:17:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/14 12:09:49 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/09 14:41:07 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/01/31 08:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/01/30 07:33:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/01/29 08:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/01/29 08:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/30 20:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/08/13 12:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/24 18:29:52 | 000,000,062 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/24 18:02:09 | 056,199,314 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/24 17:59:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/24 17:59:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/24 06:33:16 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/02/24 06:31:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/24 06:30:41 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/23 14:09:17 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:19 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/23 12:15:00 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2010/02/23 10:19:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/23 08:43:19 | 003,869,515 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/22 16:08:47 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/22 16:06:20 | 000,153,078 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:20 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/19 16:51:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/18 23:15:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/15 10:23:17 | 000,009,612 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/02/15 09:12:49 | 000,129,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Christmas Card List.doc
[2010/02/15 09:09:47 | 000,011,524 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Phone List.odt
[2010/02/15 08:57:03 | 000,016,888 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Invitation.odt
[2010/02/14 10:32:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/07 18:55:44 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/30 21:07:33 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Announcement List.doc
[2010/01/28 19:27:57 | 000,090,624 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/23 14:09:12 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:17 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/22 21:35:51 | 000,000,062 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/22 16:06:17 | 000,153,078 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/20 19:47:26 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/20 19:46:09 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/20 19:46:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/20 19:46:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/20 19:46:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/20 19:46:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/20 19:44:29 | 003,869,515 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/19 16:51:20 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 10:23:16 | 000,009,612 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/01/28 18:31:50 | 000,090,624 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[2010/01/26 16:21:01 | 000,078,848 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Announcement List.doc
[2009/06/09 18:03:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/26 18:19:07 | 000,000,053 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/26 18:19:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/11/06 14:37:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSINFO32.INI
[2008/08/18 17:08:06 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2008/08/18 17:08:03 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2008/08/01 16:16:12 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 14:08:16 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2008/03/07 18:48:51 | 000,000,457 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/03/09 21:31:04 | 000,552,960 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
< End of report >


Re: Ebay/Paypal Problem

Post by tractorlovr on 25th February 2010, 12:55 am

OTL Extras logfile created on: 2/24/2010 6:31:50 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 449.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.15 Gb Free Space | 59.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENSENS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- (Yahoo! Inc.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01BDFB08-EE88-4E5E-94A6-AE9EDCFA40C5}" = Microsoft IntelliPoint 4.0
"{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}" = Dell Picture Studio - Dell Image Expert
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1CD870CF-D67A-4691-962A-56E202D66733}" = StarOffice 8
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{41B9E2CF-0B3F-442A-B5B3-592A4A355634}" = iTunes
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = B44Inst
"{5C52CED3-D45C-4DA9-932F-B91BD44BB461}" = Adabas D 13.01.00
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69B02159-7622-4DBB-B9EE-F933039830AD}" = QuickBooks Pro 2006
"{6DA9102E-199F-43A0-A36B-6EF48081A658}" = MobileMe Control Panel
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{82DFB852-9594-4668-9C66-28BB6E94BCB2}" = HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{95738B44-49CF-4C62-A620-320F1007B14A}" = SpiralFrog Download Manager 0.8.25
"{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}" = Readiris 7.5
"{AA9768AA-FF0B-4C66-A085-31E934F77841}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = B57Inst
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}" = Yahoo! Music Jukebox
"{ED93995E-8BF2-480F-8EA4-7D29E29A7052}" = HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet Drivers
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG8Uninstall" = AVG 8.5
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Express" = Express Dictate
"FastFox" = FastFox
"hp instant support" = hp instant support
"hp psc 2100 series_Driver" = hp psc 2100 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x Driver Installer
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Driver Installer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mavis Beacon Teaches Typing 16" = Mavis Beacon Teaches Typing 16
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Photo Viewer" = Photo Viewer 2.3
"PSC 2000 Series" = HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
"Scribe" = Express Scribe
"Sky Rangers Simulator" = Sky Rangers Simulator
"TexTally" = TexTally
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/24/2010 3:04:07 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
1:04:07 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The BITS service returned an error for the job with
the ID '920a7a9e-a356-4fd5-bfad-71c52e63610c'; the job's name and description are
'Updater job.' and 'Updater: Download the Server XML File.'. The BITS service
error message for this job is 'Not enough storage is available to process this command.

'.
This
job has been canceled, and the DownloaderManager will attempt it again. If you
see this error frequently, you may have a mis-configuration, or another administrator
process/user is canceling BITS jobs. It is also possible that some mis-configuration
of the Manifest file is causing BITS to have trouble with a source or destination
path; be sure that all SOURCE paths are valid URLs, and that all DESTINATION paths
are valid LOCAL UNC paths--__shares are not allowed__. TargetSite: NULL HelpLink:
NULL Source: NULL

Error - 2/24/2010 3:04:09 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
1:04:09 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

Error - 2/24/2010 4:53:51 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
2:53:50 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The BITS service returned an error for the job with
the ID '63d18033-b994-4a8e-a8f6-2258bf85e518'; the job's name and description are
'Updater job.' and 'Updater: Download the Server XML File.'. The BITS service
error message for this job is 'The client does not have sufficient access rights
to the requested server object. '. This job has been canceled, and the DownloaderManager
will attempt it again. If you see this error frequently, you may have a mis-configuration,
or another administrator process/user is canceling BITS jobs. It is also possible
that some mis-configuration of the Manifest file is causing BITS to have trouble
with a source or destination path; be sure that all SOURCE paths are valid URLs,
and that all DESTINATION paths are valid LOCAL UNC paths--__shares are not allowed__.
TargetSite:
NULL HelpLink: NULL Source: NULL

Error - 2/24/2010 4:53:53 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
2:53:53 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

Error - 2/24/2010 8:12:57 AM | Computer Name = JENSENS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2010 8:13:24 AM | Computer Name = JENSENS | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 2/24/2010 8:25:37 PM | Computer Name = JENSENS | Source = Application Hang | ID = 1002
Description = Hanging application fastfox.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2010 8:25:45 PM | Computer Name = JENSENS | Source = Application Hang | ID = 1001
Description = Fault bucket 335464970.

Error - 2/24/2010 8:26:11 PM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
6:26:10 PM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The BITS service returned an error for the job with
the ID '633bda85-cc56-4b6b-aa96-7aea465ce85f'; the job's name and description are
'Updater job.' and 'Updater: Download the Server XML File.'. The BITS service
error message for this job is 'The client does not have sufficient access rights
to the requested server object. '. This job has been canceled, and the DownloaderManager
will attempt it again. If you see this error frequently, you may have a mis-configuration,
or another administrator process/user is canceling BITS jobs. It is also possible
that some mis-configuration of the Manifest file is causing BITS to have trouble
with a source or destination path; be sure that all SOURCE paths are valid URLs,
and that all DESTINATION paths are valid LOCAL UNC paths--__shares are not allowed__.
TargetSite:
NULL HelpLink: NULL Source: NULL

Error - 2/24/2010 8:26:14 PM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
6:26:14 PM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

[ System Events ]
Error - 2/14/2010 10:00:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:12:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:24:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:36:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:48:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 11:00:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 11:07:20 AM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 100000d4, parameter1 ee6d0038, parameter2 00000002, parameter3
00000001, parameter4 804dbc9a.

Error - 2/14/2010 11:54:08 AM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3
00000000, parameter4 804fd603.

Error - 2/24/2010 4:53:30 AM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 1000008e, parameter1 c0000005, parameter2 ec5631f4, parameter3
ecc84aa0, parameter4 00000000.

Error - 2/24/2010 8:25:58 PM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 ffffff94, parameter2 00000002, parameter3
00000000, parameter4 804fd682.


< End of report >


Re: Ebay/Paypal Problem

Post by Belahzur on 25th February 2010, 1:04 am

Hello.

Please reboot your computer, and when booting, select the new extra option you should have, and boot into the recovery console.

Once in the RC, type in "fixmbr" and hit Enter.

Type 'y' if asked to, and allow it to do its job.

Once it's done that and shows the next bit for another command, type "exit".

This will reboot your machine again, allow it to boot normally this time.
=====

Next, please re-run Combofix and post the new log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Ebay/Paypal Problem

Post by tractorlovr on 25th February 2010, 2:55 am

ComboFix 10-02-24.01 - Owner 02/24/2010 20:37:17.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.526 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\WINDOWS
2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\UserData
2010-02-23 19:24 . 2010-02-23 19:24 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\PrivacIE
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IETldCache
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IECompatCache
2010-02-23 00:42 . 2010-02-23 01:00 -------- d-----w- C:\Combo-Fix
2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 02:34 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-25 02:34 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-25 02:33 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-25 00:30 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-25 02:31 . 2010-02-25 02:31 16384 c:\windows\Temp\Perflib_Perfdata_b8.dat
+ 2007-11-13 11:31 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-03-05 02:22 . 2008-03-05 02:22 295424 c:\windows\system32\termsrv2.dll
- 2002-09-03 16:37 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2002-09-03 16:37 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 12:32 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-24 20:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-24 20:51:41
ComboFix-quarantined-files.txt 2010-02-25 02:51
ComboFix2.txt 2010-02-23 16:41
ComboFix3.txt 2010-02-23 15:17
ComboFix4.txt 2010-02-23 00:59
ComboFix5.txt 2010-02-25 02:36

Pre-Run: 36,036,419,584 bytes free
Post-Run: 36,001,275,904 bytes free

- - End Of File - - BD2FBB9B85562A727339FE9655E92369

tractorlovr
Novice
Posts : 30
Joined : 2010-01-29
OS : Windows xp

Re: Ebay/Paypal Problem

Post by Belahzur on 25th February 2010, 1:01 pm

Hello.

Good work, we squashed it. Did you remove the HelpAssistant user accounts via control userpasswords2 like I asked? Just making sure so we can move onto the next bit.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64

Re: Ebay/Paypal Problem

Post by tractorlovr on 26th February 2010, 12:19 am

Ummm... I'm not sure... I think I've done everything you've asked. I follow your steps step by step. How can I double-check that this is done?


Re: Ebay/Paypal Problem

Post by Belahzur on 26th February 2010, 12:27 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

control userpasswords2

When this user account control window opens, check what users are listed, and make sure HelpAssistant isn't there.

If it is there, highlight it by clicking on it once, and press Remove.

Let me know.


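The check above is visual: open control userpasswords2 and confirm HelpAssistant is not listed. For a check that leaves a record, the Python below (an added example, not from this thread and not part of any of the tools used in it) parses the output of `net user HelpAssistant` and reports whether the account exists, whether it is enabled, whether it has ever logged on, and which local groups it belongs to. HelpAssistant is the account Windows XP creates for Remote Assistance; it ships disabled, so an enabled account with a logon history is the thing to look for. The sample output is constructed (the field layout is what net.exe prints, the dates and the extra group membership are made up); `query_account` wraps the live `net user` call and only works on Windows.

```python
"""Parse `net user <name>` output to check the XP Remote Assistance account."""
import re
import subprocess
import sys

# Constructed sample of `net user HelpAssistant` output. The field layout matches
# what net.exe prints; the dates and the extra group membership are made up.
SAMPLE_NET_USER = """User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Comment                      Account for Providing Remote Assistance
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/1/2010 12:00 PM
Password expires             Never
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/1/2010 9:00 AM

Local Group Memberships      *Users
                             *Remote Desktop Users
Global Group memberships     *None
The command completed successfully.
"""

# "<field name><two or more spaces><value>"; fields without a value have no padding.
FIELD_RE = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")


def parse_net_user(text):
    """Turn `net user <name>` output into {field: value}. Indented continuation
    lines (a second group membership, for example) are appended to the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command"):
            continue
        if line[0].isspace() and last is not None:
            fields[last] += " " + line.strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            last, value = m.group(1).strip(), m.group(2).strip()
        else:
            last, value = line.strip(), ""
        fields[last] = value
    return fields


def query_account(name):
    """Live check: run `net user <name>`; None means the account does not exist.
    net.exe exists only on Windows, so the call is guarded; the parser runs anywhere."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("net user is only available on Windows")
    proc = subprocess.run(["net", "user", name], capture_output=True, text=True)
    return parse_net_user(proc.stdout) if proc.returncode == 0 else None


def assess_helpassistant(fields):
    """Findings for the HelpAssistant account. XP creates it for Remote Assistance
    and leaves it disabled; enabled, with a logon history or extra group
    memberships, it needs an explanation."""
    if fields is None:
        return ["HelpAssistant: account not present"]
    findings = []
    if fields.get("Account active", "").lower() == "yes":
        findings.append("HelpAssistant is ENABLED (XP default is disabled)")
    last_logon = fields.get("Last logon", "Never")
    if last_logon != "Never":
        findings.append("HelpAssistant has logged on, last at " + last_logon)
    groups = fields.get("Local Group Memberships", "")
    for group in ("*Administrators", "*Remote Desktop Users"):
        if group in groups:
            findings.append("HelpAssistant is a member of " + group[1:])
    return findings or ["HelpAssistant present but disabled and never used"]


if __name__ == "__main__":
    for finding in assess_helpassistant(parse_net_user(SAMPLE_NET_USER)):
        print(finding)
    if sys.platform.startswith("win"):
        for finding in assess_helpassistant(query_account("HelpAssistant")):
            print("live:", finding)
```

Run it on the affected machine as an administrator; a result of "account not present" matches the state the thread is aiming for, and anything else is worth pasting into the reply alongside the log.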
Re: Ebay/Paypal Problem

Post by tractorlovr on 26th February 2010, 12:52 am

OK... I do remember doing that, but for some reason it was still there. I did it again & removed it.


Re: Ebay/Paypal Problem

Post by Belahzur on 26th February 2010, 11:16 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


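The ComboFix log earlier in the thread shows the Standard Profile firewall switched off ("EnableFirewall"= 0) and five TCP ports opened on every interface, four of them labelled only "Services" and one labelled Remote Desktop; the OTL fix in the post above deletes those five values from both firewall profiles. As an added example (not part of the thread, and not code from OTL or ComboFix), the Python below parses that section of a ComboFix log, lists what a helper would want to look at, and generates the OTL `:reg` block with every value name fully quoted; the OTL fix log later in the thread reports "not found" for an empty value name, which is what an unterminated quote in a value name produces. The section text is a constructed sample copied in shape from the log in this thread, and DEFAULT_SHARING_PORTS is my own allowlist of the ports XP opens for File and Printer Sharing, not something ComboFix reports.

```python
"""Triage the Windows Firewall policy section of a ComboFix log and emit an
OTL ':reg' fix for the GloballyOpenPorts values it lists."""
import re

# Constructed sample, copied in shape from the ComboFix log in this thread.
# ComboFix shortens HKLM\SYSTEM\CurrentControlSet\Services to "HKLM\~\services".
SAMPLE_SECTION = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

# Ports XP opens itself when File and Printer Sharing is on (my allowlist);
# anything else under GloballyOpenPorts was added by an installer, an admin or malware.
DEFAULT_SHARING_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP"}

KEY_RE = re.compile(r"^\[.*firewallpolicy\\(\w+)(?:\\(.*))?\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_firewall_section(text):
    """Return {profile: {"enabled": bool|None, "apps": [names], "ports": {name: desc}}}."""
    profiles = {}
    cur_profile, cur_sub = None, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            cur_profile = m.group(1).lower()
            cur_sub = (m.group(2) or "").lower()
            profiles.setdefault(cur_profile, {"enabled": None, "apps": [], "ports": {}})
            continue
        m = VALUE_RE.match(line)
        if not m or cur_profile is None:
            continue
        name, value = m.group(1), m.group(2)
        prof = profiles[cur_profile]
        if cur_sub == "" and name.lower() == "enablefirewall":
            prof["enabled"] = value.startswith("1")      # "0 (0x0)" means off
        elif cur_sub.startswith("authorizedapplications"):
            prof["apps"].append(name)
        elif cur_sub.startswith("globallyopenports"):
            prof["ports"][name] = value
    return profiles


def triage(profiles):
    """Human-readable findings, in the order a helper would read them."""
    findings = []
    for prof, data in sorted(profiles.items()):
        if data["enabled"] is False:
            findings.append(f"{prof}: EnableFirewall=0, the firewall is switched off")
        for name, desc in data["ports"].items():
            if name in DEFAULT_SHARING_PORTS:
                continue
            port = int(name.split(":")[0])
            why = []
            if port == 3389:
                why.append("Remote Desktop reachable from any network")
            if port >= 49152:
                why.append("IANA dynamic range, unusual for a permanent exception")
            if desc.endswith(":Services"):
                why.append("label 'Services' does not say which program opened it")
            note = "; ".join(why) if why else "review"
            findings.append(f"{prof}: open port {name} ({desc}): {note}")
    return findings


def otl_reg_fix(port_names, profiles=("DomainProfile", "StandardProfile")):
    """Build the OTL ':reg' block that deletes the given GloballyOpenPorts values
    from each profile. Every value name is quoted on both sides: with the closing
    quote missing, OTL looks for an empty value name and the real entry survives."""
    base = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
    lines = [":reg"]
    for prof in profiles:
        lines.append(f"[{base}\\{prof}\\GloballyOpenPorts\\List]")
        lines.extend(f'"{name}"=-' for name in port_names)
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_firewall_section(SAMPLE_SECTION)
    for finding in triage(parsed):
        print(finding)
    print()
    print(otl_reg_fix(parsed["standardprofile"]["ports"]))
```

Deleting the GloballyOpenPorts values removes the exceptions but does not turn the firewall back on; EnableFirewall stays at 0 until it is set, which is why the example reports it as a separate finding.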
Re: Ebay/Paypal Problem

Post by tractorlovr on 27th February 2010, 3:39 pm

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\52344:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2479:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\3246:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\3389:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\52344:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2479:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3246:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3389:TCP deleted successfully.

OTL by OldTimer - Version 3.1.30.1 log created on 02272010_093924


Re: Ebay/Paypal Problem

Post by Belahzur on 27th February 2010, 8:16 pm

Hello.
Well done, we are getting close to the end. I'm still slightly paranoid, so next, please delete the two logs OTL made, and re-run OTL.

Please post only EXTRAS.txt.


Re: Ebay/Paypal Problem

Post by tractorlovr on 27th February 2010, 11:06 pm

I ran it, but it did not create a file called extras.txt. It only created otl.txt & here is the log.

OTL logfile created on: 2/27/2010 4:15:48 PM - Run 2
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 233.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 52.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.41 Gb Free Space | 59.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENSENS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/12/28 08:07:10 | 000,761,600 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgscanx.exe
PRC - [2009/12/12 10:00:20 | 002,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/20 17:42:52 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/20 17:42:51 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/20 17:42:44 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 14:31:16 | 002,144,088 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/03 18:11:57 | 000,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/09/10 16:40:06 | 000,289,576 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/09/10 12:00:00 | 000,525,664 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 20:41:18 | 001,241,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.bin
PRC - [2008/03/14 20:41:18 | 001,019,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.exe
PRC - [2008/03/12 12:05:36 | 000,163,128 | ---- | M] (SpiralFrog) -- C:\Program Files\SpiralFrog\Spiralfrog.exe
PRC - [2008/02/05 14:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
PRC - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/11/13 18:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 18:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2005/12/08 10:03:02 | 000,811,008 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
PRC - [2005/10/19 08:59:12 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2003/08/29 04:59:24 | 000,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2002/08/14 17:29:26 | 000,090,112 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PRC - [2002/06/27 00:53:26 | 000,303,104 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2002/06/27 00:34:44 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/06/27 00:21:30 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
PRC - [2002/06/27 00:20:58 | 000,323,646 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
PRC - [2002/04/11 03:19:36 | 000,077,824 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PRC - [2002/04/11 03:19:34 | 000,069,632 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PRC - [2002/02/15 10:31:42 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 18:11:56 | 000,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\linkinfo.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) [Auto | Running] -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -- (QuickBooksDB)
SRV - [2004/07/15 01:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/08/20 17:42:52 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/20 17:42:52 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/10 09:00:08 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/06/18 09:49:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/17 12:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/03/05 19:46:22 | 000,028,164 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/10/18 03:00:00 | 000,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/10/19 08:59:12 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/10/07 19:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/03/09 21:31:02 | 000,021,456 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 21:31:02 | 000,016,080 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 21:31:00 | 000,051,024 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/01/15 14:45:06 | 000,042,368 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/01/14 12:38:36 | 000,108,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel(R) Graphics Platform (SoftBIOS)
DRV - [2003/01/14 12:38:30 | 000,078,272 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel(R) Graphics Chipset (KCH)
DRV - [2002/12/19 17:48:48 | 000,539,008 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/09/03 10:53:10 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/04/01 13:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/23 00:33:12 | 000,010,192 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 07:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local



O1 HOSTS File: ([2009/04/04 07:30:30 | 000,304,232 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10480 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [FastFox] C:\Program Files\NCH Swift Sound\FastFox\fastfox.exe (NCH Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe (SpiralFrog)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TexTally] C:\Program Files\NCH Swift Sound\TexTally\textally.exe (NCH Software)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: bankfirstonline.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} [You must be registered and logged in to see this link.] (Mines Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} [You must be registered and logged in to see this link.] (SkillGam Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} [You must be registered and logged in to see this link.] (FunGamesLoader Object)
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} [You must be registered and logged in to see this link.] (TPIR Control)
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} [You must be registered and logged in to see this link.] (Brickout Control)
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} [You must be registered and logged in to see this link.] (Jigsaw Genius Control)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} [You must be registered and logged in to see this link.] (SolitaireRush Control)
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} [You must be registered and logged in to see this link.] (WWHearts Control)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} [You must be registered and logged in to see this link.] (BJA Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} [You must be registered and logged in to see this link.] (Bejeweled Control)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} [You must be registered and logged in to see this link.] (SpiderSolitaire Control)
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} [You must be registered and logged in to see this link.] (Blockwerx Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} [You must be registered and logged in to see this link.] (ContactExtractor Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} [You must be registered and logged in to see this link.] (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} [You must be registered and logged in to see this link.] (WordMojo Control)
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} [You must be registered and logged in to see this link.] (Cubis Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} [You must be registered and logged in to see this link.] (WoF Control)
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} [You must be registered and logged in to see this link.] (SwapIt Control)
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} [You must be registered and logged in to see this link.] (Hangman Control)
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} [You must be registered and logged in to see this link.] (Tilecity Control)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} [You must be registered and logged in to see this link.] (Royal Control)
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} [You must be registered and logged in to see this link.] (Paint Control)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} [You must be registered and logged in to see this link.] (FamilyFeud Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} [You must be registered and logged in to see this link.] (GolfSol Control)
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} [You must be registered and logged in to see this link.] (WWSpades Control)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/04 20:27:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/27 15:52:12 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/27 09:39:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/24 18:31:09 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/23 12:20:16 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/02/23 09:59:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/22 18:42:06 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/02/20 19:47:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/20 19:46:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/20 19:46:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/20 19:46:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/20 19:46:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/20 19:30:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/19 16:51:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/19 16:51:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/19 16:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/15 19:39:02 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/14 13:41:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IECompatCache
[2010/02/14 13:36:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2010/02/14 12:40:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2010/02/14 12:17:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/14 12:09:49 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/09 14:41:07 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/01/31 08:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/01/30 07:33:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/01/29 08:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/01/29 08:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/30 20:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/08/13 12:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/26 18:00:33 | 056,305,693 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/26 17:58:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/26 17:58:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/26 07:08:00 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/02/26 07:08:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/25 23:15:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/25 18:17:22 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2010/02/24 20:47:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/24 20:35:36 | 003,871,969 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/24 18:29:52 | 000,000,062 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/24 06:31:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/23 14:09:17 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:19 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/22 16:08:47 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/22 16:06:20 | 000,153,078 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:20 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/19 16:51:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 10:23:17 | 000,009,612 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/02/15 09:12:49 | 000,129,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Christmas Card List.doc
[2010/02/15 09:09:47 | 000,011,524 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Phone List.odt
[2010/02/15 08:57:03 | 000,016,888 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Invitation.odt
[2010/02/14 10:32:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/07 18:55:44 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/30 21:07:33 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Announcement List.doc
[2010/01/28 19:27:57 | 000,090,624 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/23 14:09:12 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:17 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/22 21:35:51 | 000,000,062 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/22 16:06:17 | 000,153,078 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/20 19:47:26 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/20 19:46:09 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/20 19:46:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/20 19:46:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/20 19:46:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/20 19:46:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/20 19:44:29 | 003,871,969 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/19 16:51:20 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 10:23:16 | 000,009,612 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/01/28 18:31:50 | 000,090,624 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[2009/06/09 18:03:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/26 18:19:07 | 000,000,053 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/26 18:19:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/11/06 14:37:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSINFO32.INI
[2008/08/18 17:08:06 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2008/08/18 17:08:03 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2008/08/01 16:16:12 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 14:08:16 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2008/03/07 18:48:51 | 000,000,457 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/03/09 21:31:04 | 000,552,960 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
< End of report >

tractorlovr
Novice
Posts : 30
Joined : 2010-01-29
OS : Windows xp
Points : 25464
# Likes : 0

Re: Ebay/Paypal Problem

Post by Belahzur on 28th February 2010, 1:35 am

Hello.
That's OTL.txt, please post extras.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

Re: Ebay/Paypal Problem

Post by tractorlovr on 28th February 2010, 1:41 am

Yes, I know...like I said it didn't create extras.txt.


Re: Ebay/Paypal Problem

Post by Belahzur on 28th February 2010, 1:45 am

Okay, please re-run Combofix one more time.





Re: Ebay/Paypal Problem

Post by tractorlovr on 28th February 2010, 2:26 am

ComboFix 10-02-27.04 - Owner 02/27/2010 20:04:38.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.394 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-27 15:39 . 2010-02-27 15:39 -------- d-----w- C:\_OTL
2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\WINDOWS
2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\UserData
2010-02-23 19:24 . 2010-02-23 19:24 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\PrivacIE
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IETldCache
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IECompatCache
2010-02-23 00:42 . 2010-02-23 01:00 -------- d-----w- C:\Combo-Fix
2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 00:06 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-27 00:05 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-27 00:05 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-25 00:30 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 23:58 . 2010-02-26 23:58 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
+ 2007-11-13 11:31 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-03-05 02:22 . 2008-03-05 02:22 295424 c:\windows\system32\termsrv2.dll
- 2002-09-03 16:37 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2002-09-03 16:37 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 12:32 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-27 20:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-27 20:20:21
ComboFix-quarantined-files.txt 2010-02-28 02:20
ComboFix2.txt 2010-02-25 02:51
ComboFix3.txt 2010-02-23 16:41
ComboFix4.txt 2010-02-23 15:17
ComboFix5.txt 2010-02-28 02:03

Pre-Run: 35,794,292,736 bytes free
Post-Run: 35,842,961,408 bytes free

- - End Of File - - 8E572E75B12AA9DA6B7F682EABF7404E


Re: Ebay/Paypal Problem

Post by Belahzur on 28th February 2010, 11:42 pm

Hello.

Good work, we're winning, last bit to take out, that HelpAssistant account. Follow my instructions in the order they are written.

Please create a folder on your Desktop called SWReg.

  1. Download SWReg.exe from [You must be registered and logged in to see this link.].
  2. Save SWReg.exe inside the SWReg folder you just created.

    Do not run SWReg.exe.

    Now open a new Notepad file, and input this into the Notepad file:

    @echo off
    swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s >>log.txt
    swreg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /s >>log.txt
    start notepad log.txt

    Save this as SWReg.bat, save it inside the SWReg folder as well.
    Double click SWReg.bat and the black cmd window will open and close, this is normal.

  3. Make sure both SWReg.exe and SWReg.bat are located next to each other for this to work.
  4. Now, double click on SWReg.bat to run the script.
  5. Once done, a Notepad log file will open, copy and paste that log back here.


Next,

Now open a new Notepad file, and input this into the Notepad file:

@echo off
REM 2>&1 also captures error text (e.g. "The user name could not be found"), which would otherwise leave log.txt blank
net user HelpAssistant >"%userprofile%\desktop\log.txt" 2>&1
start notepad "%userprofile%\desktop\log.txt"
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.



Copy and paste the 2 logs back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Re: Ebay/Paypal Problem

Post by tractorlovr on 3rd March 2010, 1:54 am

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 1 (0x1)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 858229908 (0x33278c94)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 848386158 (0x3291586e)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628e8030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1429914964 (0x553ac554)
ProfileLoadTimeHigh REG_DWORD 30061066 (0x1cab20a)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Owner
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628eb030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1528698658 (0x5b1e1722)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 1 (0x1)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\QBDataServiceUser
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ee030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 998229908 (0x3b7fc794)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS.000
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ef030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1266069296 (0xb48950d0)
ProfileLoadTimeHigh REG_DWORD 30062000 (0x1cab5b0)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628f4010000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 260 (0x104)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 666469788 (0x27b9859c)
ProfileLoadTimeHigh REG_DWORD 29996347 (0x1c9b53b)
RefCount REG_DWORD 0 (0x0)
RunLogonScriptSync REG_DWORD 0 (0x0)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
Certificate REG_BINARY 01000000010000000100000006005c005253413148000000000200003f0000000100010089c288264ae933f4519421ce4634af44ffe6c4c5c23b5d448970d0e5f0cc10bb46e2915f8eaf15e973900f302492ae95d67cdf7943160331d2e1769c973138d600000000000000000800480000d4fb42b4a710b7a4cc933bbaae8589927b38cad56058d3c7493d2fad47e0ffe42fdbe87f01406aacdc44c01061e26c37c727ccf6fc79fdc0e3ea005f5c34410000000000000000

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 1 (0x1)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 858229908 (0x33278c94)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 848386158 (0x3291586e)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628e8030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1429914964 (0x553ac554)
ProfileLoadTimeHigh REG_DWORD 30061066 (0x1cab20a)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Owner
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628eb030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1528698658 (0x5b1e1722)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 1 (0x1)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\QBDataServiceUser
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ee030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 998229908 (0x3b7fc794)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS.000
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ef030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1266069296 (0xb48950d0)
ProfileLoadTimeHigh REG_DWORD 30062000 (0x1cab5b0)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628f4010000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 260 (0x104)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 666469788 (0x27b9859c)
ProfileLoadTimeHigh REG_DWORD 29996347 (0x1c9b53b)
RefCount REG_DWORD 0 (0x0)
RunLogonScriptSync REG_DWORD 0 (0x0)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
Certificate REG_BINARY 01000000010000000100000006005c005253413148000000000200003f0000000100010089c288264ae933f4519421ce4634af44ffe6c4c5c23b5d448970d0e5f0cc10bb46e2915f8eaf15e973900f302492ae95d67cdf7943160331d2e1769c973138d600000000000000000800480000d4fb42b4a710b7a4cc933bbaae8589927b38cad56058d3c7493d2fad47e0ffe42fdbe87f01406aacdc44c01061e26c37c727ccf6fc79fdc0e3ea005f5c34410000000000000000

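The ProfileList dump above can be triaged offline. The Python script below is an added example, not part of this thread and not SWReg's own code. It parses the "Name TYPE value" text that SWReg printed, decodes each profile's binary Sid and checks it against the key name, converts the ProfileLoadTimeHigh/Low pair (a FILETIME split into two DWORDs; the Low half may be printed as a negative decimal, so the hex in parentheses is used) to a UTC timestamp, and groups profile folders by account name. Windows names a colliding profile folder NAME.COMPUTER and then NAME.COMPUTER.000, so two folders for one account, as with HelpAssistant.JENSENS and HelpAssistant.JENSENS.000 above, mean the profile was created again while the old folder still existed. The embedded dump is a constructed excerpt in the same format as the posted log.

```python
"""Triage a SWReg-style dump of the ProfileList registry key.

Added example, not part of the thread and not SWReg's own code. It parses
the "Name TYPE value" text SWReg printed above, decodes each profile's
binary Sid, converts the ProfileLoadTime DWORD pair (a split FILETIME) to
UTC and groups profile folders by account name so duplicates stand out.
"""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: an excerpt in the same format as the posted log.
SAMPLE_DUMP = """\
HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\\Documents and Settings

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\profilelist\\S-1-5-21-1214440339-602609370-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\\Documents and Settings\\HelpAssistant.JENSENS
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628e8030000
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1429914964 (0x553ac554)
ProfileLoadTimeHigh REG_DWORD 30061066 (0x1cab20a)

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\profilelist\\S-1-5-21-1214440339-602609370-682003330-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\\Documents and Settings\\HelpAssistant.JENSENS.000
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ef030000
ProfileLoadTimeLow REG_DWORD -1266069296 (0xb48950d0)
ProfileLoadTimeHigh REG_DWORD 30062000 (0x1cab5b0)
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\", re.IGNORECASE)
VAL_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")
HEX_RE = re.compile(r"\((0x[0-9a-f]+)\)", re.IGNORECASE)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_dump(text):
    """Return {key_path: {value_name: (reg_type, raw_value)}} for a swreg/reg query /s dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("SteelWerX", "Written by")):
            continue  # banner lines and blank separators
        if KEY_RE.match(line):
            current = line
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3))
    return keys


def decode_sid(hexstr):
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities) to text."""
    raw = bytes.fromhex(hexstr)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def dword(raw):
    """Prefer the hex in parentheses; the decimal may have been printed as a signed value."""
    m = HEX_RE.search(raw)
    return int(m.group(1), 16) if m else int(raw.split()[0]) & 0xFFFFFFFF


def load_time(values):
    """ProfileLoadTimeHigh/Low form a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = (dword(values["ProfileLoadTimeHigh"][1]) << 32) | dword(values["ProfileLoadTimeLow"][1])
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def profile_report(text):
    """Per-profile rows plus {base account name: [folders]} for names that own more than one folder."""
    rows, by_account = [], defaultdict(list)
    for key, vals in parse_dump(text).items():
        key_sid = key.rsplit("\\", 1)[-1]
        if not key_sid.upper().startswith("S-1-"):
            continue  # the ProfileList root key itself
        folder = vals.get("ProfileImagePath", ("", ""))[1].rsplit("\\", 1)[-1]
        bin_sid = decode_sid(vals["Sid"][1]) if "Sid" in vals else None
        rows.append({
            "key_sid": key_sid,
            "folder": folder,
            "sid_matches_key": bin_sid is not None and bin_sid.lower() == key_sid.lower(),
            "last_load": load_time(vals) if "ProfileLoadTimeHigh" in vals else None,
        })
        # Windows names a colliding profile folder NAME.COMPUTER, then NAME.COMPUTER.000, ...
        by_account[folder.split(".")[0].lower()].append(folder)
    duplicates = {acct: folders for acct, folders in by_account.items() if len(folders) > 1}
    return rows, duplicates


if __name__ == "__main__":
    rows, dups = profile_report(SAMPLE_DUMP)
    for r in rows:
        print(r["key_sid"], r["folder"], "sid ok" if r["sid_matches_key"] else "SID MISMATCH",
              r["last_load"].strftime("%Y-%m-%d %H:%M UTC") if r["last_load"] else "never loaded")
    for acct, folders in dups.items():
        print("account %r has %d profile folders: %s" % (acct, len(folders), ", ".join(folders)))
```

To run it against a real dump, call profile_report(open("log.txt").read()) instead of SAMPLE_DUMP; the two-run log posted above parses the same way because repeated keys simply overwrite their earlier copies. The SID cross-check catches a ProfileList entry whose key name has been edited or copied under another account, and the decoded load times give the order in which the duplicate HelpAssistant profiles were last used.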

Re: Ebay/Paypal Problem

Post by tractorlovr on 3rd March 2010, 1:56 am

When I double clicked on the fix.bat, it opened & closed like normal & opened a notepad file but it's blank...I have nothing to post from that.


Re: Ebay/Paypal Problem

Post by Belahzur on 3rd March 2010, 2:57 pm

Try this instead.

Now open a new Notepad file, and input this into the Notepad file:

@echo off
REM The second query must append (>>) or it overwrites the first; 2>&1 keeps error text in the log
net user HelpAssistant.JENSENS >"%userprofile%\desktop\log.txt" 2>&1
net user HelpAssistant.JENSENS.000 >>"%userprofile%\desktop\log.txt" 2>&1
start notepad "%userprofile%\desktop\log.txt"
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.





Re: Ebay/Paypal Problem

Post by tractorlovr on 4th March 2010, 3:57 am

Still a blank notepad.

