GeekPolice

ebay paypal redirect/hijack


Post by yolinda on Sun Apr 04, 2010 7:33 am

Hello,

I have been experiencing this problem for quite a while. I have downloaded and scanned my system with Kaspersky, Norton, McAfee, Panda, Trend Micro, Viper, Spybot, Adware, etc. Sometimes the problem goes away for a few log-ins, then comes back. I did do HijackThis previously (about a week ago) and removed the items that were suspicious to me. None of these programs have found a virus or trojan, but I think they may have killed a 'piece' (maybe a cookie or something) it used that is getting regenerated.

I am a very experienced user, but have not been able to kill this one. I've researched the web and tried many fixes, but nothing has worked. I've seen several threads from other users with this same problem that have posted on here and have been helped, so I am doing the same as instructed instead of trying to follow their threads. I did see on one that it said to go to run and type "control userpasswords2" and listed there is HelpAssistant in the Administrator group, but I have not done anything with it yet.

Thank you very much for your help! Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:13:01 AM, on 4/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\PskSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\ApVxdWin.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\pavsrv51.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Panda Security\Panda Internet Security 2010\AVENGINE.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2010\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2010\Inicio.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\yo\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14578 bytes

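The HijackThis log above is a flat list of Rn/On lines, and the first thing a helper does with it is triage: which entries are IE start/search redirects, which autoruns live in user-writable folders or are bare filenames, which BHO/toolbar registrations point at a file that no longer exists, and which services have no recognised publisher. The script below is an added example, not part of the original post or of HijackThis itself. It parses a small constructed sample (modelled on the posted log; the R0 start-page URL is a placeholder, not a real hijacker domain) and flags entries by those heuristics. The vendor-domain allowlist and the "user-writable" path fragments are assumptions of the example.

```python
"""Parse HijackThis log lines into structured entries and flag the ones a
malware analyst would read first.  Added example, not code from the original
post or from HijackThis; the sample log is constructed to resemble the posted
one (the R0 start-page URL is a placeholder, not a real hijacker domain)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample, modelled on the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\yo\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Assumption of this example: vendor domains that normally appear in stock IE
# start/search-page entries.  Anything else in an R0/R1 line deserves a look.
EXPECTED_HOSTS = ("microsoft.com", "msn.com", "live.com", "yahoo.com", "google.com")

# Path fragments that mean "user-writable location" on Windows XP / Vista+.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\appdata\\", "\\temp\\")


@dataclass
class Entry:
    section: str  # "R0", "O4", "O23", ...
    body: str     # text after the "Rn - " / "On - " prefix


def parse_hjt(text):
    """Return the Rn/On lines of a HijackThis log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _host_expected(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)


def flag(entries):
    """Return (section, reason, body) for every entry worth a second look."""
    findings = []
    for e in entries:
        sec, body = e.section, e.body
        if sec in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url and not _host_expected(url):
                findings.append((sec, "IE start/search page outside expected vendor domains", body))
        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((sec, "orphaned BHO/toolbar registration (file missing)", body))
        elif sec == "O4":
            cmd = body.split(": ", 1)[1] if ": " in body else body
            cmd = cmd.split("] ", 1)[1] if "] " in cmd else cmd  # drop "[name] "
            if any(p in cmd.lower() for p in USER_WRITABLE):
                findings.append((sec, "autorun launched from a user-writable location", body))
            elif "\\" not in cmd:
                findings.append((sec, "autorun with unqualified path (resolved via search order)", body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service with no recognised publisher", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in flag(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:4} {reason}\n     {body}")
```

Treat the output as a triage list, not a verdict: CTHELPER.EXE is a legitimate Creative Labs entry and is flagged only because a bare filename is resolved through the search order, and "Unknown owner" on a service usually means the binary is unsigned rather than malicious. What matters is that every flagged entry is one a human checks before deciding what to fix.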

Re: ebay paypal redirect/hijack

Post by yolinda on Sun Apr 04, 2010 8:29 am

I just ran Malwarebytes... here is the log for that:

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3952

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 4:22:22 AM
mbam-log-2010-04-04 (04-22-22).txt

Scan type: Quick scan
Objects scanned: 141464
Time elapsed: 27 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Sun Apr 04, 2010 2:42 pm

Hello Yolinda and Welcome to GeekPolice Malware removal forum.

My nick is Net_Surfer and I will be helping you with your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

I would also like to inform you that most of us here at GeekPolice offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!


Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. Gmer, DDS, ComboFix, RSIT and hijackthis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.


  1. Please Read All Instructions Carefully and perform the steps fully and in the order they are written.

  2. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.

  3. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

  4. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

  5. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  6. Please continue to review my answers until I tell you that your machine is clean and free of malware. (Absence of symptoms does not mean that everything is clear. Just because you can't see a problem doesn't mean it isn't there.)

If you can do these things, everything should go smoothly. Right On!

OK, Yolinda... If you have a Vista computer ensure that you right click on the tools and run them as an Admin. If XP, double click on the program to run them.

Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Please carefully follow the next set of steps:


Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

I see you have Viewpoint Media Player installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

[You must be registered and logged in to see this link.]


I suggest you remove the programs now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player .
===========*==========
**Note: In the event you already have old versions of Combofix I need you to delete them, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

A word of advice if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read the: [You must be registered and logged in to see this link.]

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer



Obstacles are what you see when you take you eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!


Re: ebay paypal redirect/hijack

Post by yolinda on Sun Apr 04, 2010 10:09 pm

Hi Net Surfer,

Thank you so much for helping me....

I uninstalled Adobe Acrobat Reader (I have Acrobat Professional 8 also, which I did not uninstall, but did uninstall reader.) Then downloaded and installed Acrobat 9.3.0

I also uninstalled Viewpoint Media Player.

I downloaded Combofix as instructed, and renamed it as instructed from the download/save window. I have tried to run it several times; it opens and gets to the Autoscan window that says a scan is normally 10 minutes, but can be more, but then it just sits there. I've let it 'run' for over 2 hours, but still no change. I've rebooted and tried running again, but still same result.

I think that even though I've deactivated Panda security, it may be causing problems and I am inclined to uninstall it (it is only a trial version anyway, one of the many I've tried to use to get this problem fixed), but did not want to do so without checking with you first.

Please let me know what you would like me to do next, and again, thank you for all of your help.


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Mon Apr 05, 2010 11:41 am

Hello again Yolinda,

Many onboard AV's, Firewalls, and Anti-Malware programs can and will interfere with the running of ComboFix.

These onboard AV's detect and quarantine/delete files that CF needs to do its job. They are not malicious files, rather files that you often see in online scan results listed as 'possibly unwanted tool'. As these AV's cannot determine whether these files are being used for malicious purposes, they assume the worst and quarantine or delete them.

Go ahead and uninstall your anti-virus program and please try running combofix again.


Now, If it hangs at the "finding infected files" part. In that case, press:
ctrl+alt+delete, and click the processes tab.

This will list out a number of processes that are running on your computer. You may see the following running:

  • CF19313.cfxxe
  • PEV.exe
  • NirCmd.cfxxe
  • PEV.cfxxe
Please select any processes except for CF19313.cfxxe and click end process.
Combofix should continue its run after one of those have been terminated. Again, make sure that you don't terminate the CF19313.cfxxe process.

Let me know how that goes.


After you had run Combofix tool, you will need to reinstall an antivirus before you connect to the internet and you may need a firewall to keep you safe.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

For a free anti-virus, click on one of these links:

[You must be registered and logged in to see this link.]

Some more links to free anti-virus programs(Note. Choose only one)

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.] (Mouse over Free Software in the upper right corner)

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

You don't seem to have a third-party firewall installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't, e.g., protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls:

Here are some free firewalls: *[You must be registered and logged in to see this link.]
or [You must be registered and logged in to see this link.]
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall [You must be registered and logged in to see this link.]

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.

Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

*If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.


Kind regards
Net_Surfer
(Gunsmoke)



Re: ebay paypal redirect/hijack

Post by yolinda on Mon Apr 05, 2010 8:32 pm

Uninstalled Panda. Still cannot get ComboFix to run. It just sits at the "Finding Infected Files" screen. I did go to Task Manager & first time Process tab did not have any of the files you listed. then I rebooted and tried again. This time I had "CF22874.cfxxe" running, but not the others & the window was frozen. I rebooted & tried again, this time a message came up saying ComboFix was corrupted and I might have a patching virus "Virux" to redownload ComboFix. I did so, and it still hung in the same spot.

I also downloaded AVG and tried to install, but it froze on the install. I am going to try downloading/installing Kaspersky while I await your response.

Thank you,
yolinda


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Mon Apr 05, 2010 10:38 pm

Hello Yolinda,

If the system is infected with the Virut virus, I am afraid there is no defense against it.

I am including two scans that will detect if Virut is present. Although the instructions call for curing the virus, if it is Virut, system files may be affected, and if they are cured and/or deleted the system will crash. I would suggest that you back up your personal files before proceeding.

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.

It is really important that you follow my steps, since I suspect that your system is infected with a nasty variant of [You must be registered and logged in to see this link.], a polymorphic [You must be registered and logged in to see this link.] with [You must be registered and logged in to see this link.] functionality which infects .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. [You must be registered and logged in to see this link.] is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

As an alternate scan, please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
Click [You must be registered and logged in to see this link.] to download Dr.Web CureIt and save it to your desktop.

  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the Dr.Web log you saved previously in your next reply, along with the ESET Online Scanner log.


Kind Regards
Net_Surfer
(Gunsmoke)
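The backup rule in the post above (skip .exe/.scr/.htm/.html/.xml/.zip/.rar and installers) written out as a script. This is an added example, not part of the original thread and not code from any tool mentioned in it. It goes one step further than the post: besides the extension list it reads the first two bytes of every file and also skips anything carrying the MZ executable signature, so an executable that has been renamed to look like a document does not ride along into the backup and get restored later. The extra extensions beyond the post's list (.msi, .dll, .com, .pif, .php, .asp) and the sample directory tree are my own assumptions and constructions.

```python
"""Backup filter that leaves out file types a file infector such as Virut can carry.

Added example, not from the thread. Two checks per file: the extension list
from the post (plus a few assumed extras) and the 'MZ' signature that every
Windows executable starts with, which catches renamed executables.
The sample tree in demo() is constructed so the script runs offline.
"""
import os
import shutil
import tempfile
from pathlib import Path

# From the post: .exe .scr .htm .html .xml .zip .rar; the rest are my additions
# (installers, other executable types, and the script types the post says the
# more complex variant infects).
SKIP_EXTENSIONS = {
    ".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
    ".msi", ".dll", ".com", ".pif", ".php", ".asp",
}
PE_MAGIC = b"MZ"  # DOS/PE header signature at offset 0 of a Windows executable


def is_pe_file(path: Path) -> bool:
    """True if the file starts with the MZ signature, whatever its name says."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path: Path) -> str:
    """Return 'copy', 'skip-ext' or 'skip-magic' for one file."""
    if path.suffix.lower() in SKIP_EXTENSIONS:
        return "skip-ext"
    if is_pe_file(path):
        return "skip-magic"
    return "copy"


def filtered_backup(src: Path, dst: Path) -> dict:
    """Copy src into dst, skipping infectable files; return relative paths per verdict."""
    result = {"copy": [], "skip-ext": [], "skip-magic": []}
    for root, _dirs, files in os.walk(src):
        for name in files:
            fpath = Path(root) / name
            rel = fpath.relative_to(src)
            verdict = classify(fpath)
            result[verdict].append(str(rel).replace(os.sep, "/"))
            if verdict == "copy":
                target = dst / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(fpath, target)
    for verdict in result:
        result[verdict].sort()
    return result


def demo() -> dict:
    """Constructed sample tree: documents, a picture, an installer, a page, a disguised .exe."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, dst = base / "src", base / "dst"
    (src / "pics").mkdir(parents=True)
    (src / "pics" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg data")
    (src / "letter.txt").write_text("plain document")
    (src / "setup.exe").write_bytes(b"MZ\x90\x00 fake installer")
    (src / "index.html").write_text("<html></html>")
    # Renamed executable: passes the extension filter, caught by the MZ check.
    (src / "report.doc").write_bytes(b"MZ\x90\x00 not really a document")
    return filtered_backup(src, dst)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(f"{verdict:10s} {paths}")
```

Point the script at the real source and destination instead of the constructed tree to use it; the MZ check is cheap and is the one that matters when an infector has already been renaming or dropping files.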




Re: ebay paypal redirect/hijack

Post by yolinda on Mon Apr 05, 2010 11:43 pm

Thank you for the info. I will get the files backed up and run the scans. It will probably take a day or so to do, but I will post once I have done the above steps.

Thank you again.
Linda


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Tue Apr 06, 2010 12:02 am

No problem.

Post when you are ready!

Good luck

Regards
Net_Surfer
(Gunsmoke)




Re: ebay paypal redirect/hijack

Post by yolinda on Tue Apr 06, 2010 2:12 pm

Ok, files backed up...

Ran ESET Online Scanner, here is the log. Headed to Dr.Web CureIt now. Will post that directly.

thank you again for your help.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cdfc7df9a83361429e87df864964783a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-06 09:56:20
# local_time=2010-04-06 05:56:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=258 16777214 0 2 588597 588597 0 0
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 22401866 22401866 0 0
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 28682700 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=304164
# found=1
# cleaned=1
# scan_time=18575
D:\downloads\Nero-8.2.8.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Thu Apr 08, 2010 8:41 am

Dr web report log?




Re: ebay paypal redirect/hijack

Post by yolinda on Sun Apr 11, 2010 9:34 pm

Hello,

I've tried to run Dr.Web about 6 times. It doesn't find anything in the quick scan. Each time on the full scan I come back to the blue screen of death. I check on it while it is running, and it runs for at least 6 hours, but I don't know if it is dying at the same point each time or not.

This last time I ran it, it did have a couple of entries in the window showing it found something & I wrote those down. They are:
all.hc-780234503[1].js found in C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\ADNQF8Y4

and

all.hc1337027650[1].js found in
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\K2YHNACJ

and says they are both Probably Script.virus.


Re: ebay paypal redirect/hijack

Post by yolinda on Sun Apr 11, 2010 9:35 pm

I am going to try to run dr web again, just thought I'd go ahead & post that


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Sun Apr 11, 2010 9:56 pm

Please download [You must be registered and logged in to see this link.] and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory-delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain with an infected MBR (the latter not recommended).


In your next reply, please include the following:
HelpAsst_mebroot_fix Log




Re: ebay paypal redirect/hijack

Post by yolinda on Sun Apr 11, 2010 11:55 pm

here is the log:

C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Sun 04/11/2010 at 18:30:35.48

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5824:TCP"=-
"5823:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"5824:TCP"=-
"5823:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 04/11/2010 at 19:22:49.18

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8862A710]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5823:TCP"=5823:TCP:*:Enabled:Services
"5824:TCP"=5824:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5823:TCP"=5823:TCP:*:Enabled:Services
"5824:TCP"=5824:TCP:*:Enabled:Services


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 04/11/2010 at 19:52:58.64

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8939F4D0]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5823:TCP"=5823:TCP:*:Enabled:Services
"5824:TCP"=5824:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"5823:TCP"=5823:TCP:*:Enabled:Services
"5824:TCP"=5824:TCP:*:Enabled:Services


~~ EOF ~~
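A parser for the HelpAsst_mebroot_fix log format posted above, added here as an example; it is not the tool's code and the thread does not contain it. It pulls the GloballyOpenPorts entries out of each run, flags ports outside an assumed allow-list of what Windows XP itself registers there, and, more usefully, reports ports that the tool deleted in its first pass and that are present again in a later status check, which is exactly what the log above shows for 65533, 52344, 5823 and 5824/TCP. It also surfaces the `>>UNKNOWN [...]<<` module that the gmer MBR check printed in the disk stack, which is worth a look even though the MBR itself read as OK. The allow-list and the sample log are constructed for this example; the sample reuses the line shapes seen in the thread.

```python
"""Parse HelpAsst_mebroot_fix output and flag firewall ports that come back.

Added example, not the tool's code. The log has an initial run followed by
'Status check on ...' blocks; each block is parsed into a Snapshot and the
snapshots are compared so that a port the tool deleted ("port"=-) and that
is enabled again later is reported as 'reappeared'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed: what Windows XP's own features put in GloballyOpenPorts
# (File and Printer Sharing, Remote Desktop, UPnP). Anything else is suspect.
EXPECTED_OPEN_PORTS = {"137:UDP", "138:UDP", "139:TCP", "445:TCP", "3389:TCP", "1900:UDP", "2869:TCP"}

PORT_LINE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=(?P<value>.*)$')   # "=-" means deleted
STATUS_HDR = re.compile(r"^Status check on (?P<when>.+)$")
UNKNOWN_MOD = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
DIR_SECTION = "~~ Checking for HelpAssistant directories ~~"


@dataclass
class Snapshot:
    label: str
    open_ports: Set[str] = field(default_factory=set)
    closed_ports: Set[str] = field(default_factory=set)
    account_active: Optional[bool] = None
    mbr_ok: Optional[bool] = None
    unknown_disk_module: Optional[str] = None
    helpassistant_dirs: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Snapshot]:
    """Split the log into the initial run plus one Snapshot per status check."""
    snaps = [Snapshot("initial run")]
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = STATUS_HDR.match(line)
        if hdr:
            snaps.append(Snapshot("status check " + hdr.group("when")))
            section = None
            continue
        if line.startswith("~~"):          # "~~ Checking ... ~~" headers and the ~~~~ divider
            section = line
            continue
        cur = snaps[-1]
        port = PORT_LINE.match(line)
        unknown = UNKNOWN_MOD.search(line)
        if port:
            (cur.closed_ports if port.group("value") == "-" else cur.open_ports).add(port.group("port"))
        elif unknown:
            cur.unknown_disk_module = unknown.group("addr")
        elif line in ("HelpAssistant account Inactive", "Account active No"):   # strings as in the thread
            cur.account_active = False
        elif line.startswith("HelpAssistant account") or line.startswith("Account active"):
            cur.account_active = True
        elif line == "user & kernel MBR OK":
            cur.mbr_ok = True
        elif section == DIR_SECTION and not line.startswith("["):
            cur.helpassistant_dirs.append(line)
    return snaps


def analyze(text: str) -> List[dict]:
    """Per snapshot: unexpected ports, ports that returned after deletion, other indicators."""
    closed_earlier: Set[str] = set()
    findings = []
    for snap in parse_log(text):
        unexpected = snap.open_ports - EXPECTED_OPEN_PORTS
        findings.append({
            "label": snap.label,
            "unexpected_ports": sorted(unexpected),
            "reappeared_ports": sorted(unexpected & closed_earlier),
            "account_active": snap.account_active,
            "mbr_ok": snap.mbr_ok,
            "unknown_disk_module": snap.unknown_disk_module,
            "helpassistant_dirs": list(snap.helpassistant_dirs),
        })
        closed_earlier |= snap.closed_ports
    return findings


# Constructed sample in the shape of the thread's log (two rogue ports, one legitimate entry).
SAMPLE_LOG = r"""
HelpAssistant account Inactive

~~ Checking firewall ports ~~

closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"5823:TCP"=-

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 04/11/2010 at 19:22:49.18

Account active No
Local Group Memberships

~~ Checking mbr ~~

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8862A710]<<
user & kernel MBR OK

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"5823:TCP"=5823:TCP:*:Enabled:Services
"139:TCP"=139:TCP:*:Enabled:@xpsp2res.dll,-22004

~~ EOF ~~
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it against the pasted log instead of `SAMPLE_LOG` to get the same report for a real case; a non-empty `reappeared_ports` list on a later status check means something on the box re-created the firewall exceptions after the tool removed them, so the deletion alone did not address the persistence.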


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Mon Apr 12, 2010 12:18 am


  • Download: [You must be registered and logged in to see this link.] to your desktop.
    if you have problems, try this download link:
    [You must be registered and logged in to see this link.]
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check


    Now copy the lines below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT



  • Right-click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.



  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.



Summary of the logs I will need in your next reply:


  • the report logs of OTL:

    OTL.Txt and Extras.Txt
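OTL's `/md5start ... /md5stop` directive in the post above prints the MD5 of each listed boot and storage driver so the helper can compare it with a clean copy. The script below, added here as an example and not OTL's code, makes that comparison explicit: it hashes the same driver names under a drivers directory, records a baseline manifest, and on a later run reports files whose content changed, files that vanished, and files that were not in the baseline. MD5 is computed because that is what OTL shows, but the decision is made on SHA-256. The drivers directory, the baseline and the "patched" atapi.sys are constructed temp files; which files to watch is taken from the post, while what a clean hash looks like must come from a trusted reference system, not from this script.

```python
"""Driver integrity check built around OTL's /md5start ... /md5stop idea.

Added example, not OTL's code. A baseline manifest of driver hashes is
recorded from a clean state; a later run hashes the same files and reports
what changed. All paths here are constructed temp files.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Subset of the driver names in the OTL directive from the post.
WATCHED_DRIVERS = [
    "atapi.sys", "iaStor.sys", "nvstor.sys", "nvatabus.sys",
    "AGP440.sys", "ahcix86.sys", "iastorv.sys", "symmpi.sys",
]


def file_digests(path: Path) -> dict:
    """MD5 (what OTL prints) and SHA-256 (used for the decision) of one file."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "size": path.stat().st_size}


def build_manifest(drivers_dir: Path) -> dict:
    """Hash every watched driver that exists under drivers_dir."""
    return {
        name: file_digests(drivers_dir / name)
        for name in WATCHED_DRIVERS
        if (drivers_dir / name).is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests: modified content, removed files, files not in the baseline."""
    changed = sorted(
        n for n in baseline if n in current and baseline[n]["sha256"] != current[n]["sha256"]
    )
    missing = sorted(n for n in baseline if n not in current)
    new = sorted(n for n in current if n not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def demo() -> dict:
    """Constructed scenario: clean baseline, then one patched, one added, one removed driver."""
    root = Path(tempfile.mkdtemp(prefix="drvcheck-"))
    drivers = root / "drivers"
    drivers.mkdir()
    for name in ("atapi.sys", "nvatabus.sys", "AGP440.sys"):
        (drivers / name).write_bytes(b"MZ\x90\x00" + name.encode() + b" clean driver body")
    manifest_path = root / "baseline.json"
    manifest_path.write_text(json.dumps(build_manifest(drivers), indent=2))

    # Same file size, a few bytes changed: a size column alone would not notice this.
    data = bytearray((drivers / "atapi.sys").read_bytes())
    data[-4:] = b"\xde\xad\xbe\xef"
    (drivers / "atapi.sys").write_bytes(bytes(data))
    (drivers / "nvstor.sys").write_bytes(b"MZ\x90\x00 driver not in baseline")
    (drivers / "AGP440.sys").unlink()

    baseline = json.loads(manifest_path.read_text())
    return compare(baseline, build_manifest(drivers))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine, point `build_manifest` at `%SystemRoot%\system32\drivers` and keep the baseline JSON off the suspect box; a changed entry for a storage driver is the kind of result the md5 list in the OTL scan is meant to expose.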




Re: ebay paypal redirect/hijack

Post by yolinda on Mon Apr 12, 2010 2:15 pm

Hi Yolanda, I edited your post so I can research each line of the logs and I may reply with the other half since the report of OTL is too big. Keep checking your thread until I post a fix.

Here are the logs....

OTL logfile created on: 4/11/2010 10:50:43 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\yo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): D:\pagefile.sys 2956 2956 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 44.38 Gb Free Space | 38.76% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 35.12 Gb Free Space | 30.67% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 31.15 Mb Total Space | 10.02 Mb Free Space | 32.16% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: LINDAS
Current User Name: yo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\yo\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
PRC - C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
PRC - C:\Program Files\PC Tools Firewall Plus\FWService.exe (PC Tools)
PRC - C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\MagicTune Premium\MagicTune.exe (SEC)
PRC - C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe ()
PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)
PRC - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\yo\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\CTAGENT.DLL (Creative Technology Ltd)


========== Win32 Services (SafeList) ==========

SRV - (PavPrSrv) -- File not found
SRV - (getPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (PCToolsFirewallPlus) -- C:\Program Files\PC Tools Firewall Plus\FWService.exe (PC Tools)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (Maxtor Sync Service) -- C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (nTuneService) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (MagicTuneEngine) -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe ()
SRV - (Diskeeper) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (Adobe Version Cue CS2) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe (Adobe Systems Incorporated)
SRV - (InCDsrvR) InCD Helper (read only) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
SRV - (InCDsrv) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
DRV - (SBRE) -- C:\WINDOWS\system32\drivers\SBREDrv.sys (Sunbelt Software)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (pctgntdi) -- C:\WINDOWS\system32\drivers\pctgntdi.sys (PC Tools)
DRV - (pctplfw) -- C:\WINDOWS\system32\drivers\pctplfw.sys (PC Tools)
DRV - (PCTAppEvent) -- C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (GVTDrv) -- C:\WINDOWS\system32\drivers\GVTDrv.sys ()
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\WINDOWS\system32\drivers\msdv.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (ET5Drv) -- C:\WINDOWS\system32\drivers\ET5Drv.sys (Windows (R) 2000 DDK provider)
DRV - (NVR0Dev) -- C:\WINDOWS\nvoclock.sys (NVidia Corp.)
DRV - (SI3112r) -- C:\WINDOWS\system32\DRIVERS\SI3112r.sys (Silicon Image, Inc)
DRV - (SiWinAcc) -- C:\WINDOWS\system32\drivers\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SiFilter) -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (MXOPSWD) -- C:\WINDOWS\system32\drivers\mxopswd.sys (Maxtor Corp.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (Hardlock) -- C:\WINDOWS\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (NCPro) -- C:\WINDOWS\system32\drivers\MTictwl.sys ()
DRV - (MagicTune) -- C:\WINDOWS\system32\drivers\MTictwl.sys ()
DRV - (CTHWIUT.DLL) -- C:\WINDOWS\system32\CTHWIUT.DLL (Creative Technology Ltd.)
DRV - (CT20XUT.DLL) -- C:\WINDOWS\system32\CT20XUT.DLL (Creative Technology Ltd.)
DRV - (CTEXFIFX.DLL) -- C:\WINDOWS\system32\CTEXFIFX.dll (Creative Technology Ltd.)
DRV - (CTSBLFX.DLL) -- C:\WINDOWS\system32\ctsblfx.dll (Creative Technology Ltd)
DRV - (CTEAPSFX.DLL) -- C:\WINDOWS\system32\cteapsfx.dll (Creative Technology Ltd)
DRV - (CTAUDFX.DLL) -- C:\WINDOWS\system32\ctaudfx.dll (Creative Technology Ltd)
DRV - (COMMONFX.DLL) -- C:\WINDOWS\system32\commonfx.dll (Creative Technology Ltd)
DRV - (CTEDSPSY.DLL) -- C:\WINDOWS\system32\CTEDSPSY.DLL (Creative Technology Ltd)
DRV - (CTEDSPIO.DLL) -- C:\WINDOWS\system32\CTEDSPIO.DLL (Creative Technology Ltd)
DRV - (CTEDSPFX.DLL) -- C:\WINDOWS\system32\CTEDSPFX.DLL (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (hap17v2k) -- C:\WINDOWS\system32\drivers\haP17v2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS\system32\drivers\haP16v2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (iteatapi) -- C:\WINDOWS\system32\DRIVERS\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Ahead Software AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDpass.sys (Ahead Software AG)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDrm.sys (Ahead Software AG)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (CYGF32X) -- C:\WINDOWS\system32\drivers\CygF32x.sys (Cygnal Integrated Products)
DRV - (si3112) -- C:\WINDOWS\system32\drivers\si3112.sys (Silicon Image, Inc.)
DRV - (nvatabus) -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/15 14:58:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: c:\program files\real\realplayer\browserrecord\firefox\ext [2009/09/28 21:43:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/04/04 20:34:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/15 11:28:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 16:02:45 | 000,000,000 | ---D | M]

[2009/10/15 11:28:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions
[2009/10/15 11:28:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/12 21:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/11 21:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions
[2009/10/15 11:31:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/20 23:20:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/15 11:28:09 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/24 16:15:25 | 000,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/08/24 16:15:26 | 000,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/08/24 16:15:27 | 000,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2009/12/21 18:34:06 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/03/22 15:52:24 | 000,032,576 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
[2009/08/24 14:45:46 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 14:45:46 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/02/23 04:45:06 | 000,001,375 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009/08/24 14:45:46 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 14:45:46 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 14:45:46 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 14:45:46 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 14:45:46 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/04/06 12:53:02 | 000,000,789 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [00PCTFW] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\yo\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} [You must be registered and logged in to see this link.] (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [You must be registered and logged in to see this link.] (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} [You must be registered and logged in to see this link.] (PogoWebLauncher Control)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} [You must be registered and logged in to see this link.] (SentinelProxy Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [You must be registered and logged in to see this link.] (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} [You must be registered and logged in to see this link.] (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (get_atlcom Class)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [You must be registered and logged in to see this link.] (McFreeScan Class)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/12 15:14:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\┤˛┐¬(&O)\command - "" = newumsg.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found


Last edited by Net_Surfer on Mon Apr 12, 2010 6:06 pm; edited 1 time in total (Reason for editing : Pasted the log to ease the research)

yolinda
Posts : 72
Joined : 2010-04-04
OS : Windows XP

Re: ebay paypal redirect/hijack

Post by Net_Surfer on Mon Apr 12, 2010 6:07 pm

========== Files/Folders - Created Within 30 Days ==========

[2010/04/11 21:55:04 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/04/11 18:33:20 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\yo\mbr.log
[2010/04/11 18:23:34 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/04/06 16:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/04/06 10:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\DoctorWeb
[2010/04/06 00:35:44 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/05 17:46:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/04/05 17:29:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\Avira
[2010/04/05 17:27:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\PCToolsFirewallPlus
[2010/04/05 17:23:18 | 000,070,664 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.sys
[2010/04/05 17:23:18 | 000,032,680 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-DNS.sys
[2010/04/05 17:23:15 | 000,115,216 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplfw.sys
[2010/04/05 17:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Firewall Plus
[2010/04/05 17:19:00 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/04/05 17:18:53 | 000,217,032 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/04/05 17:18:53 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/04/05 17:18:47 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\PC Tools
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/04/05 17:08:37 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/05 17:08:35 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/05 17:08:35 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/05 17:08:35 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/05 17:08:34 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/05 17:08:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/05 16:42:40 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/04/05 16:37:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2010/04/05 16:02:53 | 000,000,000 | --SD | C] -- C:\commy29599c
[2010/04/05 15:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WEBREG
[2010/04/05 15:58:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\HP
[2010/04/05 15:23:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/05 15:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 15:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/05 15:23:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/04 21:52:35 | 000,118,272 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\hpz3l696.dll
[2010/04/04 21:04:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\HPAppData
[2010/04/04 20:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Local Settings\Application Data\ArcSoft
[2010/04/04 20:35:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2010/04/04 20:35:29 | 000,000,000 | ---D | C] -- C:\Program Files\ArcSoft
[2010/04/04 20:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2010/04/04 20:35:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\ArcSoft
[2010/04/04 20:33:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
[2010/04/04 20:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP
[2010/04/04 20:32:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\HP
[2010/04/04 19:54:54 | 000,372,736 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hppldcoi.dll
[2010/04/04 19:54:54 | 000,309,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\difxapi.dll
[2010/04/04 19:54:52 | 000,271,704 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpzids01.dll
[2010/04/04 19:54:40 | 000,000,000 | ---D | C] -- C:\Program Files\HP
[2010/04/04 19:52:14 | 000,003,993 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/04/04 16:11:51 | 000,000,000 | --SD | C] -- C:\commy
[2010/04/04 15:57:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/04/04 15:57:41 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/04/04 04:54:36 | 000,052,608 | R--- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvatabus_2.sys
[2010/04/04 04:51:56 | 000,000,000 | ---D | C] -- C:\cmdcons
[2010/04/04 04:51:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/04 04:51:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/04 04:51:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/04 04:51:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/04 04:50:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/04 04:50:55 | 000,000,000 | --SD | C] -- C:\Combo-Fix
[2010/04/04 04:49:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/04 03:36:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/04 03:36:15 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/04 03:36:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/04 02:11:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\My Documents\Downloads
[2010/03/24 09:38:26 | 000,199,432 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\neti1639.sys
[2010/03/20 19:24:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Backup
[2010/03/20 19:23:53 | 000,446,464 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\HHActiveX.dll
[2010/03/19 22:14:02 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/03/19 11:30:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2010/03/19 10:52:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/03/19 10:05:33 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/03/09 20:04:42 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\yo\Application Data\netstat.bat
[2010/02/08 18:50:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/08 17:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/02/08 17:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2010/02/08 17:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/04 20:23:07 | 000,054,093 | ---- | C] () -- C:\Program Files\EULA.eng
[2010/01/29 20:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/14 13:36:11 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\housecall.guid.cache
[2010/01/13 12:53:49 | 001,605,658 | -H-- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\IconCache.db
[2009/11/12 11:34:32 | 000,000,063 | ---- | C] () -- C:\Documents and Settings\yo\jagex_runescape_preferences2.dat
[2009/06/20 14:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/06/18 11:02:46 | 000,061,224 | ---- | C] () -- C:\Documents and Settings\yo\GoToAssistDownloadHelper.exe
[2009/04/15 05:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[2009/04/07 16:05:29 | 000,049,152 | ---- | C] () -- C:\Documents and Settings\yo\PNPrint3.exe
[2008/12/22 16:09:41 | 013,631,488 | ---- | C] () -- C:\Documents and Settings\yo\ntuser.dat
[2008/10/22 18:49:34 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\yo\default.pls
[2008/09/29 12:50:33 | 000,009,638 | ---- | C] () -- C:\Documents and Settings\yo\TraceLog.txt
[2008/07/12 20:30:37 | 000,000,038 | ---- | C] () -- C:\Documents and Settings\yo\jagex_runescape_preferences.dat
[2008/03/05 09:55:29 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\yo\PUTTY.RND
[2008/01/29 13:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/01/17 20:41:27 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/13 00:12:27 | 000,000,968 | RHS- | C] () -- C:\Documents and Settings\yo\ntuser.pol
[2008/01/12 23:02:56 | 000,205,416 | ---- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/01/12 15:33:45 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\yo\ntuser.dat.LOG
[2008/01/12 15:33:45 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\yo\ntuser.ini
[2008/01/12 15:33:45 | 000,000,062 | -HS- | C] () -- C:\Documents and Settings\yo\Application Data\desktop.ini
[2008/01/12 10:03:52 | 000,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/04/09 13:32:58 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2006/06/29 14:58:52 | 000,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 000,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/11 22:37:06 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 21:55:10 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/04/11 21:50:54 | 013,631,488 | ---- | M] () -- C:\Documents and Settings\yo\ntuser.dat
[2010/04/11 19:49:31 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/11 19:48:35 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/11 19:48:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/11 19:48:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/11 19:24:45 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\yo\ntuser.ini
[2010/04/11 19:24:12 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.CDF
[2010/04/11 19:24:12 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.BAK
[2010/04/11 18:23:09 | 000,016,023 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\prob.docx
[2010/04/11 18:20:22 | 000,490,008 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/10 10:29:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/10 07:42:56 | 005,687,914 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\Vinyl.eps
[2010/04/09 23:10:20 | 037,038,904 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\65b2mypv.exe
[2010/04/09 22:13:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/09 15:34:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\mbr.exe
[2010/04/08 19:24:38 | 000,012,963 | ---- | M] () -- C:\Documents and Settings\yo\My Documents\Signs for Chippokes Estates.docx
[2010/04/07 22:33:16 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/06 16:31:01 | 000,104,381 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl20.pdf
[2010/04/06 16:12:05 | 000,103,618 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl.pdf
[2010/04/06 12:53:02 | 000,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/05 16:02:06 | 003,907,460 | R--- | M] () -- C:\Documents and Settings\yo\Desktop\commy.exe
[2010/04/05 16:00:39 | 000,152,184 | ---- | M] () -- C:\WINDOWS\hphins29.dat
[2010/04/04 20:37:21 | 000,001,954 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Add a Device - Photosmart B8500 series.lnk
[2010/04/04 20:34:48 | 000,001,930 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Shop for HP Supplies.lnk
[2010/04/04 20:34:36 | 000,001,870 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 3.5.lnk
[2010/04/04 20:33:46 | 000,001,808 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2010/04/04 20:33:28 | 000,001,018 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2010/04/04 19:50:51 | 198,219,864 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\PS_BSIZE_04_B8500_NonNet_Full_Win_enu_120_217.exe
[2010/04/04 13:14:18 | 000,003,188 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\Easter.nra
[2010/04/04 04:52:06 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/04 03:36:21 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 16:01:59 | 000,008,627 | ---- | M] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/24 11:09:52 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/03/24 11:09:52 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/03/24 09:46:57 | 000,000,691 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/24 09:41:54 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/24 09:41:54 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/24 09:41:52 | 000,513,516 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/23 14:13:45 | 001,842,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/22 12:50:22 | 000,205,416 | ---- | M] () -- C:\Documents and Settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/20 11:12:40 | 000,067,584 | ---- | M] () -- C:\Documents and Settings\yo\My Documents\Antony E.doc
[2010/03/15 19:21:04 | 000,000,036 | -H-- | M] () -- C:\WINDOWS\System32\f9t.dat
[2010/03/15 17:15:00 | 000,559,862 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\PhotoBrent.jpg
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 18:20:21 | 000,490,008 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/10 07:42:48 | 005,687,914 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\Vinyl.eps
[2010/04/09 23:10:19 | 037,038,904 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\65b2mypv.exe
[2010/04/09 15:34:40 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\mbr.exe
[2010/04/07 22:33:16 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/06 16:31:01 | 000,104,381 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl20.pdf
[2010/04/06 16:12:05 | 000,103,618 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl.pdf
[2010/04/06 16:09:30 | 000,012,963 | ---- | C] () -- C:\Documents and Settings\yo\My Documents\Signs for Chippokes Estates.docx
[2010/04/05 17:23:18 | 000,007,435 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.cat
[2010/04/05 17:23:18 | 000,007,399 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctNdis-DNS.cat
[2010/04/05 17:23:15 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplfw.cat
[2010/04/05 17:19:00 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/04/05 17:18:53 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/04/05 17:18:53 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/04/05 17:18:47 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/04/05 16:02:04 | 003,907,460 | R--- | C] () -- C:\Documents and Settings\yo\Desktop\commy.exe
[2010/04/04 20:37:29 | 000,001,060 | ---- | C] () -- C:\WINDOWS\hphmdl29.dat.temp
[2010/04/04 20:37:21 | 000,001,954 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Add a Device - Photosmart B8500 series.lnk
[2010/04/04 20:34:48 | 000,001,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shop for HP Supplies.lnk
[2010/04/04 20:34:36 | 000,001,870 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 3.5.lnk
[2010/04/04 20:33:46 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2010/04/04 20:33:28 | 000,001,018 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2010/04/04 19:52:14 | 000,152,184 | ---- | C] () -- C:\WINDOWS\hphins29.dat
[2010/04/04 19:52:14 | 000,001,060 | ---- | C] () -- C:\WINDOWS\hphmdl29.dat
[2010/04/04 19:50:44 | 198,219,864 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\PS_BSIZE_04_B8500_NonNet_Full_Win_enu_120_217.exe
[2010/04/04 13:14:18 | 000,003,188 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\Easter.nra
[2010/04/04 12:03:36 | 000,016,023 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\prob.docx
[2010/04/04 04:52:06 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/04 04:52:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/04 04:51:10 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 04:51:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 04:51:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/04 04:51:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 04:51:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/04 03:36:21 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/24 12:17:13 | 000,008,627 | ---- | C] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2010/03/15 17:14:59 | 000,559,862 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\PhotoBrent.jpg
[2009/09/28 21:44:10 | 000,000,038 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/02/13 23:28:05 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/07/01 14:46:07 | 000,000,899 | ---- | C] () -- C:\WINDOWS\CadraViewExp.ini
[2008/06/29 09:39:31 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll
[2008/05/09 16:42:24 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/24 00:20:00 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/02/01 21:03:21 | 000,025,339 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/01/14 13:56:19 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS61.DLL
[2008/01/14 12:32:14 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/01/13 19:29:15 | 000,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/01/13 19:29:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/01/13 19:29:15 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/01/13 13:33:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/12 22:24:48 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2008/01/12 20:24:20 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\idecoi.dll
[2008/01/12 15:58:54 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/12/05 02:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 02:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 02:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 02:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/03/12 12:01:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2007/03/09 03:12:32 | 000,027,648 | -HS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/03/06 05:14:48 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/03/06 05:14:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/01/25 13:31:36 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/08/11 15:57:18 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/07/25 14:57:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[2006/05/23 13:40:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/16 19:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL

========== LOP Check ==========

[2009/08/05 23:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2008/01/27 14:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avery
[2010/03/20 19:24:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Backup
[2008/06/02 14:46:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/12/01 01:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2008/08/02 16:40:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2008/12/15 11:46:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eBay
[2010/02/21 08:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2008/06/02 19:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flood Light Games
[2008/01/12 21:51:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/07/12 23:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2008/12/23 17:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/02/23 12:30:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/02/23 15:29:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2008/08/22 11:19:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/04/11 19:55:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/04 16:06:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/15 11:43:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WholeSecurity
[2009/09/03 13:51:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/04/26 21:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}
[2009/04/26 21:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}
[2009/04/26 21:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
[2008/01/14 13:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{D9AA4D17-9292-410D-9AA5-84526D062900}
[2008/08/14 11:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\1&1
[2008/09/29 02:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\3M
[2009/08/05 23:10:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\acccore
[2009/12/25 17:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Alien Skin
[2008/12/15 11:46:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\eBay
[2010/04/05 22:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Facebook
[2008/06/02 19:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Flood Light Games
[2008/11/22 15:14:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\GetRightToGo
[2008/06/29 22:24:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\GrabPro
[2009/01/16 19:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\ICAClient
[2010/04/04 13:17:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\LimeWire
[2010/04/05 22:36:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\mjusbsp
[2008/04/13 13:21:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Opera
[2008/06/30 12:09:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Orbit
[2010/04/05 17:34:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\PCToolsFirewallPlus
[2009/02/01 23:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Pogo Games
[2008/12/23 17:31:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Runaware
[2008/04/27 16:48:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Simple Star
[2008/10/29 12:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Snapfish
[2008/01/14 13:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Stamps.com Internet Postage
[2010/02/03 08:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Windows Desktop Search
[2008/12/14 20:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Windows Search
[2008/06/29 09:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\YouSendIt
[2010/04/09 22:13:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) MD5=F45FDCB8D45439459A6B738AEF45AA94 -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) MD5=F45FDCB8D45439459A6B738AEF45AA94 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07348C09
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:588B60C7
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D
< End of report >

< MD5 for: [2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA CORPORATION) >
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\nvatabus.sys

< MD5 for: [2004/08/04 01:59:42 | 000,095,360 | ---- | M] (MICROSOFT CORPORATION) >
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: [2004/08/04 02:07:41 | 000,042,368 | ---- | M] (MICROSOFT CORPORATION) >
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: [2004/08/04 03:56:42 | 000,055,808 | ---- | M] (MICROSOFT CORPORATION) >
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: [2004/08/04 03:56:44 | 000,180,224 | ---- | M] (MICROSOFT CORPORATION) >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< MD5 for: [2004/08/04 03:56:44 | 000,407,040 | ---- | M] (MICROSOFT CORPORATION) >
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (MICROSOFT CORPORATION) >
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (MICROSOFT CORPORATION) >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (MICROSOFT CORPORATION) >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (MICROSOFT CORPORATION) >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (MICROSOFT CORPORATION) >
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< MD5 for: AGP440.SYS >
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >


Obstacles are what you see when you take you eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!

Net_Surfer
Intermediate


Posts : 57
Joined : 2010-03-28
Gender : Male
OS : xp sp3, Vista, Win7
Points : 25155
# Likes : 0


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Mon Apr 12, 2010 7:14 pm

Hello again Yolinda,

While I research your logs I need you to fix some issues:

You have old versions of Java and Adobe. Also, I need you to upload some files to Jotti so we can verify whether the Virut virus is in your system.

Please follow my next set of steps:


Step 1. Update Software

Going over your logs I noticed that you are using an old version of the Mozilla Firefox browser. You need to update to the latest version: 3.6.3.

Click on the Help tab at the top of your Firefox browser window and select "Check for Updates".

Older versions contain holes that hackers can use to manipulate your machine.

Step 2. Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Step 3. JavaRa and Java update.

Your Java program is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older Java components and update:
Download and run JavaRa

Please download [You must be registered and logged in to see this link.] and unzip it to your desktop.

  • Double-click on JavaRa.exe to start.
  • Use the drop down box to choose your language and click Select.
  • Select "Remove Older Versions".
  • Click Yes when asked "This will remove all older versions of the Java JRE...Are you sure you want to proceed?"
  • Click Ok when search and removal of old versions has completed.
  • A notice will appear indicating "Finished searching for all old versions...A logfile has been created...called JavaRa.log... JavaRa will now open its logfile."
  • Click Ok and notepad will open with the log results of what was found and removed.
  • View the logfile and close notepad.
  • A copy of JavaRa.log will automatically be saved to your primary hard drive (usually C:\JavaRa.log).
  • Return to JavaRa and click the button for Additional Tasks.
  • Select these Tasks:

    • Remove Useless JRE Files
    • Remove Startup Entry
    • Remove JavaRa Logfile (optional)

  • Click Go and then Ok when prompted "Finished searching for useless JRE files."
  • Click Ok again when prompted "Finished searching for JRE startup entries."
  • Close the Additional Tasks window, exit JavaRa and reboot your computer.

Step 4. Then download the latest version of [You must be registered and logged in to see this link.] and save it to your desktop.


  • Look for "JDK 6 Update 19 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • From your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
-- The [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Step 5.

To check for some signs of VIRUT, we need to send some files to Jotti.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

[You must be registered and logged in to see this link.]

Please click this link-->[You must be registered and logged in to see this link.]

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: [You must be registered and logged in to see this link.]

Please reply back with the report log of Jotti or Virus Total.

Kind regards
Net_Surfer

(Gunsmoke)



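The Jotti upload requested above checks whether the core system binaries have been tampered with; the OTL report already carries material for a first offline pass, because each "< MD5 for: ... >" section lists the hash of the copy Windows actually runs next to the pristine copy under ServicePackFiles\i386. The Python below is an added example (not part of the thread and not OTL's own code) that parses those sections and flags any live file whose MD5 differs from its service-pack copy; the SCECLI.DLL lines in the sample are taken from the report above, while the EXPLORER.EXE section, its hashes and sizes are constructed placeholders.

```python
import re
from collections import defaultdict

# Header of one OTL "MD5 for" section, e.g. "< MD5 for: SCECLI.DLL >"
SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>.+?)\s*>$")
# One file entry; .cab members carry no "MD5=" and therefore do not match
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

WINDIR = "c:\\windows\\"
# Directories Windows loads these binaries from (explorer.exe sits in %windir% itself)
LIVE_SUBDIRS = {"", "system32", "system32\\drivers"}


def classify_path(path: str) -> str:
    """'live' = the copy Windows runs, 'reference' = pristine service-pack copy, else 'other'."""
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p:
        return "reference"
    if not p.startswith(WINDIR):
        return "other"
    directory, _, _ = p[len(WINDIR):].rpartition("\\")
    return "live" if directory in LIVE_SUBDIRS else "other"


def parse_md5_sections(report_text: str) -> dict:
    """Map section name (upper-cased file name) -> entries with size, md5, path and role."""
    sections = defaultdict(list)
    current = None
    for raw in report_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").upper()
            _ = sections[current]  # register the section even if it has no hashed entries
            continue
        entry = ENTRY_RE.match(line)
        if current and entry:
            sections[current].append({
                "size": int(entry.group("size").replace(",", "")),
                "company": entry.group("company").strip(),
                "md5": entry.group("md5").upper(),
                "path": entry.group("path"),
                "role": classify_path(entry.group("path")),
            })
    return dict(sections)


def compare_to_reference(sections: dict) -> list:
    """Flag live binaries whose MD5 is not the one the service-pack backup carries.

    A mismatch is a reason to submit the file for scanning, not proof of infection:
    a post-service-pack hotfix changes the hash just as a file infector does.
    """
    findings = []
    for name, entries in sections.items():
        live = [e for e in entries if e["role"] == "live"]
        refs = [e for e in entries if e["role"] == "reference"]
        if not live or not refs:
            continue  # nothing to compare against; hashes can still be looked up by hand
        ref_md5s = {r["md5"] for r in refs}
        ref_sizes = {r["size"] for r in refs}
        for e in live:
            if e["md5"] in ref_md5s:
                verdict = "matches service-pack copy"
            elif e["size"] in ref_sizes:
                verdict = "hash differs, size unchanged: patched in place?"
            else:
                verdict = "hash and size differ: replaced or code appended?"
            findings.append({"file": name, "path": e["path"], "md5": e["md5"],
                             "suspicious": e["md5"] not in ref_md5s, "verdict": verdict})
    return findings


# Constructed sample: SCECLI.DLL lines come from the thread's report; the EXPLORER.EXE section,
# its hashes and sizes are placeholders made up for this example, not real file hashes.
SAMPLE_REPORT = r"""
< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: AGP440.SYS >
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=00112233445566778899AABBCCDDEEFF -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/13 20:12:19 | 001,056,256 | ---- | M] (Microsoft Corporation) MD5=FFEEDDCCBBAA99887766554433221100 -- C:\WINDOWS\explorer.exe
"""

if __name__ == "__main__":
    for f in compare_to_reference(parse_md5_sections(SAMPLE_REPORT)):
        flag = "CHECK" if f["suspicious"] else "ok   "
        print(f"{flag} {f['file']:<14} {f['md5']} {f['verdict']}")
```

Files that come out as CHECK are the ones to submit to Jotti or VirusTotal as requested above; a clean scanner verdict on a mismatching file usually means a legitimate hotfix replaced it.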

Re: ebay paypal redirect/hijack

Post by yolinda on Mon Apr 12, 2010 8:56 pm

Hi Net_Surfer,

I updated all the programs as instructed and scanned the files you requested with Jotti. Each file came back with "0 out of 20 scanners reported malware."

I am not getting the redirects any more for paypal and ebay, so maybe something we did got rid of it?

I have had this happen before where I can log on to paypal or ebay for a day or so, then the redirect comes back.... do you want me to repost if that happens?

Thank you,
yolinda

yolinda
Intermediate


Posts : 72
Joined : 2010-04-04
Gender : Female
OS : Windows XP
Points : 25408
# Likes : 0


Re: ebay paypal redirect/hijack

Post by Net_Surfer on Mon Apr 12, 2010 9:57 pm

Hello again Yolinda.

Glad to hear that the Jotti report log came back clean.

Please carefully follow my next set of steps:

==============================
P2P (File Sharing) Warning!

P2P file sharing: [You must be registered and logged in to see this link.]

Going over your logs I noticed that you have LimeWire 5.2.13 installed.

Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

There are some very good reasons for this, and they are for your protection:


From a security standpoint, P2P forms a direct connection into your computer and circumvents or bypasses most security, anti-malware and firewall software or hardware.

Any type of security on these programs is poor at best and non-existent on some; this could lead to malware being downloaded onto your computer without your knowledge.

Additionally, in cases where the program has not been configured correctly, a lot more than your music files have finished up being shared with others.

Passwords, PIN numbers, bank accounts, and other personal details have been harvested by the unscrupulous for their own gain at your expense.

Have a read of the below article to see where that happened:

[You must be registered and logged in to see this link.]

I would recommend that you uninstall LimeWire; however, that choice is up to you. If you choose to remove these programs, you can do so via Programs and Features in Vista or within Add or Remove Programs in XP.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.


Step 1. Let's fix some issues with OTL by doing the following:

Double click on the Icon at your desktop to run it.
(Vista users right click and run as an Admin.)
Copy the lines in the code box below (make sure that :OTL is on the first line): just highlight everything in the code box (starting with :OTL) and copy and paste it into the 'Custom Scan/Fix' box in OTL.
Code:
:OTL
SRV - (PavPrSrv) -- File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKCU..\Run: [Aim6] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab  (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab  (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5924/mcfscan.cab  (McFreeScan Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/12 15:14:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\┤˛┐¬(&O)\command - "" = newumsg.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07348C09
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:588B60C7
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D


:Commands
[PURITY]
[RESETHOSTS]
[EMPTYTEMP]
[EMPTYFLASH]
[REBOOT]

  • Return to OTL.
  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alarmed, this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes and the computer fails to reboot, let me know.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.


Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2. Malwarebytes' Anti-Malware

* Note: You already have Malwarebytes' Anti-Malware; just update it first, then run it.

  • Double click the MBAM icon on your desktop to run it.
  • Click on the Update tab and update the program.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform a Full system Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Summary of the logs I will need in your next reply:


  • The OTL report log.
  • MBAM log.

How are things at your end, Yolinda?


Upon completing the above steps, I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Again, please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer

(Gunsmoke)



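The O6/O7 policy values in the fix script above are bitmasks, and the O33 MountPoints2 and O20 Winlogon\Notify lines are the removable-media autorun and logon-time load points the fix clears. The Python below is an added example (not from the thread and not OTL's own code) that decodes the two AutoRun policy values and triages those line types; the sample input is copied from the fix script above, and the bit meanings are the documented Windows ones (NoDriveTypeAutoRun bit n = drive type n, NoDriveAutoRun bit n = drive letter n).

```python
import re

# NoDriveTypeAutoRun is a bitmask over drive types: bit n disables AutoRun where GetDriveType() == n
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "(reserved)",
}


def decode_no_drive_type_autorun(value: int) -> list:
    """Drive types whose AutoRun this policy value disables (plus any bits outside the mask)."""
    names = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    if value & ~0xFF:
        names.append("unknown high bits 0x%X" % (value & ~0xFF))
    return names


def decode_no_drive_autorun(value: int) -> list:
    """Drive letters whose AutoRun this policy value disables: bit 0 = A:, bit 25 = Z:."""
    return [chr(ord("A") + i) for i in range(26) if value & (1 << i)]


# O6/O7 = machine/user policy values, O33 = per-device MountPoints2 shell verbs,
# O20 = Winlogon Notify packages (DLLs loaded by winlogon.exe at logon)
POLICY_RE = re.compile(r"^O[67] - (?P<key>HK\w+\\.+?): (?P<name>\w+) = (?P<value>\d+)$")
MOUNT_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[^}]+)\}\\Shell\\(?P<verb>.+?)\\command - "" = '
    r"(?P<cmd>.+?)(?: -- (?P<status>.+))?$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(?P<pkg>\w+): DllName - (?P<rest>.+)$")


def triage_otl_lines(lines):
    """Return (category, subject, detail) tuples for the lines a reviewer should look at."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group("name"), int(m.group("value"))
            if name == "NoDriveTypeAutoRun":
                findings.append(("autorun-policy", name, decode_no_drive_type_autorun(value)))
            elif name == "NoDriveAutoRun":
                findings.append(("autorun-policy", name, decode_no_drive_autorun(value)))
            continue
        m = MOUNT_RE.match(line)
        if m:
            cmd, status = m.group("cmd"), (m.group("status") or "")
            if "not found" in status.lower():
                note = "target missing"        # leftover from a device that is gone or was cleaned
            elif "\\" not in cmd:
                note = "bare executable name"  # resolved on the device root when it is plugged in
            else:
                note = "target present"
            findings.append(("mountpoint-autorun", m.group("guid"),
                             f"{m.group('verb')} -> {cmd} ({note})"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            findings.append(("winlogon-notify", m.group("pkg"), m.group("rest")))
    return findings


# Sample input copied from the fix script in the thread above
SAMPLE_FIX_LINES = [
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323",
    r"O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0",
    r'O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found',
    r'O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)',
    r'O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\┤˛┐¬(&O)\command - "" = newumsg.exe',
    r"O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found",
]

if __name__ == "__main__":
    for category, subject, detail in triage_otl_lines(SAMPLE_FIX_LINES):
        print(f"{category:<19} {subject}: {detail}")
```

The decode shows why the fix resets both values: NoDriveAutoRun = 67108863 disables AutoRun on every drive letter A: to Z:, while NoDriveTypeAutoRun = 323 is not a documented drive-type combination (it leaves removable and CD-ROM media enabled and sets a bit outside the mask).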

Re: ebay paypal redirect/hijack

Post by yolinda on Tue Apr 13, 2010 1:03 pm

Hi Net_Surfer...

Well, the redirect is back again... so that didn't last long

Malwarebytes keeps crashing doing the scan, but OTL worked fine. My husband also found a log he wanted me to send you... I will post that below this OTL log... THANK YOU...

All processes killed
========== OTL ==========
Service PavPrSrv stopped successfully!
Service PavPrSrv deleted successfully!
File File not found not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Aim6 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
C:\WINDOWS\Downloaded Program Files\mcfscan.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ not found.
File Animation Java Classes [You must be registered and logged in to see this link.] not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java [You must be registered and logged in to see this link.] not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
File Protocol\Handler\ipp - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
File Protocol\Handler\msdaipp - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\AUTOEXEC.BAT moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
File G:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
C:\WINDOWS\system32\shell32.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
File newumsg.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:07348C09 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:588B60C7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: HelpAssistant
->Temp folder emptied: 744188382 bytes
->Temporary Internet Files folder emptied: 262957181 bytes
->Java cache emptied: 85708718 bytes
->FireFox cache emptied: 29277622 bytes
->Flash cache emptied: 367974 bytes

User: HelpAssistant.LINDAS
->Temp folder emptied: 701914246 bytes
->Temporary Internet Files folder emptied: 64191626 bytes
->Java cache emptied: 85977201 bytes
->FireFox cache emptied: 3739884 bytes
->Flash cache emptied: 367922 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 406898 bytes
->Flash cache emptied: 621 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 155233244 bytes

User: yo
->Temp folder emptied: 7904027761 bytes
->Temporary Internet Files folder emptied: 16269248 bytes
->Java cache emptied: 374257987 bytes
->FireFox cache emptied: 41701081 bytes
->Flash cache emptied: 367922 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2672276 bytes
%systemroot%\System32 .tmp files removed: 2932753 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 58686300 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23901598 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 319102562 bytes

Total Files Cleaned = 10,374.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: HelpAssistant
->Flash cache emptied: 0 bytes

User: HelpAssistant.LINDAS
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

User: yo
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04122010_181002

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Re: ebay paypal redirect/hijack

Post by yolinda on Tue Apr 13, 2010 1:17 pm

Here are the files my husband wanted me to send that he found in C:\HelpAsst_backup

First is StandardGOPList.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"3703:TCP"="3703:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"3704:TCP"="3704:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"50900:TCP"="50900:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"50901:TCP"="50901:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"65533:TCP"="65533:TCP:*:Enabled:Services"
"52344:TCP"="52344:TCP:*:Enabled:Services"
"5824:TCP"="5824:TCP:*:Enabled:Services"
"5823:TCP"="5823:TCP:*:Enabled:Services"

Next is S-1-5-21-1844237615-1409082233-725345543-1000.reg

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\s-1-5-21-1844237615-1409082233-725345543-1000]
"ProfileImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,\
00,69,00,76,00,65,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,\
74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,\
00,67,00,73,00,5c,00,48,00,65,00,6c,00,70,00,41,00,73,00,73,00,69,00,73,00,\
74,00,61,00,6e,00,74,00,00,00
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,2f,d5,ec,6d,79,e3,fc,53,07,e5,3b,\
2b,e8,03,00,00
"Flags"=dword:00000001
"State"=dword:00000100
"CentralProfile"=""
"ProfileLoadTimeLow"=dword:20b45ffe
"ProfileLoadTimeHigh"=dword:01cad9bd
"RefCount"=dword:00000000

And Last is DomainGOPList.reg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
"65533:TCP"="65533:TCP:*:Enabled:Services"
"52344:TCP"="52344:TCP:*:Enabled:Services"
"5824:TCP"="5824:TCP:*:Enabled:Services"
"5823:TCP"="5823:TCP:*:Enabled:Services"

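One way to triage GloballyOpenPorts entries like those in the two .reg files above, as an added example that is not part of this thread or of any tool it mentions. The heuristics it applies (any-address scope, generic display name, dynamic-range port) and the constructed sample are assumptions of this example, not findings from the thread.

```python
r"""Triage Windows XP firewall exceptions exported as a .reg file.

Added example, not from the thread or any tool it mentions. It parses the
GloballyOpenPorts\List values ("port:proto:scope:Enabled:name") and flags
entries that look unlike the self-describing exceptions Windows creates.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the StandardGOPList.reg posted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"3703:TCP"="3703:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"65533:TCP"="65533:TCP:*:Enabled:Services"
"52344:TCP"="52344:TCP:*:Enabled:Services"
"5824:TCP"="5824:TCP:*:Enabled:Services"
"5823:TCP"="5823:TCP:*:Enabled:Services"
'''


@dataclass
class FirewallException:
    key: str       # value name as it appears in the registry, e.g. "65533:TCP"
    port: int
    proto: str     # "TCP" or "UDP"
    scope: str     # "*" = any remote address, "LocalSubNet" = local subnet only
    enabled: bool
    name: str      # display name; "@xpsp2res.dll,-NNNNN" is a Windows resource string

    @property
    def system_named(self) -> bool:
        # Exceptions created by Windows itself carry a resource reference, not free text.
        return self.name.startswith("@")


_VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>.*)"$')


def parse_gop_list(reg_text: str) -> list[FirewallException]:
    r"""Return the exceptions found under any ...\globallyopenports\list key."""
    entries: list[FirewallException] = []
    in_gop_section = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # New key header: only values under a GloballyOpenPorts\List key count.
            in_gop_section = line.lower().endswith(r"\globallyopenports\list]")
            continue
        match = _VALUE_RE.match(line)
        if not (in_gop_section and match):
            continue
        fields = match.group("val").split(":", 4)  # the name may itself contain ':'
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # not the port:proto:scope:state:name layout; skip it
        port, proto, scope, state, name = fields
        entries.append(FirewallException(match.group("key"), int(port), proto.upper(),
                                         scope, state.lower() == "enabled", name))
    return entries


# Heuristic inputs (assumptions of this example, tune them to your environment).
GENERIC_NAMES = {"", "services", "service", "system", "windows"}
EPHEMERAL_START = 49152  # IANA dynamic/private port range starts here


def review(entries: list[FirewallException], allowlist: frozenset[str] = frozenset(),
           min_reasons: int = 2) -> dict[str, list[str]]:
    """Map value name -> reasons for each enabled, non-system exception that trips
    at least `min_reasons` heuristics. One reason alone (a known application
    listening from anywhere) is usually benign, so the default asks for two."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        if not e.enabled or e.system_named or e.name in allowlist:
            continue
        reasons = []
        if e.scope == "*":
            reasons.append("reachable from any remote address")
        if e.name.strip().lower() in GENERIC_NAMES:
            reasons.append(f"generic display name {e.name!r}")
        if e.port >= EPHEMERAL_START:
            reasons.append("port lies in the dynamic/ephemeral range")
        if len(reasons) >= min_reasons:
            findings[e.key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in review(parse_gop_list(SAMPLE_REG)).items():
        print(key, "->", "; ".join(reasons))
```

Entries the review flags are only candidates for a closer look (which process listens on the port, when the value was created); an allowlist of known software keeps entries such as the Adobe ones out of the report.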

Re: ebay paypal redirect/hijack

Post by Net_Surfer on Tue Apr 13, 2010 7:58 pm

Hello again Yolinda, Honored

Since you cannot get MBAM to scan, I need you to run the GooredFix tool, a SuperAntispyware scan and a rootkit scan.

Please read and take note:


Step 1. Please download >>> GooredFix <<< from one of the locations below and save it to your Desktop.


  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Let me know if you are still being redirected after that.

Step 2. SUPERAntiSpyware, NOTE: SAS may take a long time to scan

Please download and scan with SUPERAntiSpyware.

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from the SUPERAntiSpyware site. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):

    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.

  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First, reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.

    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.

  • Click Close to exit the program.

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Step 3. We need to Scan for Rootkits.

Credit to Quietman for this canned speech.
The speed and ability to complete a scan depends on a variety of factors.

  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
Before performing an anti-rootkit (ARK) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD Emulator, be aware that they use rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative or anti-rootkit (ARK) tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode.

Since CD Emulators use a hidden driver which can be seen as a rootkit and interfere with providing accurate results or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.

Step 4. * Disable CD-ROM Emulation Software.

DeFogger - Disable


  1. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.

    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Step 5. * Rootkit Scan with Gmer.

Please download GMER from one of the following locations and save it to your desktop:

  • Primary download: this version will download a randomly named file (Recommended)
  • Mirror: this version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.



  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Some ARK scanners have settings which you can adjust if the scan hangs or freezes while others do not. If that's the case and you still cannot complete a scan, then try another ARK.
Summary of the logs I will need in your next reply:


  • The Gooredfix report log.
  • SuperAntispyware report log.
  • Gmer rootkit report log.

How are things at your end, Yolinda?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer

(Gunsmoke)


Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!


Re: ebay paypal redirect/hijack

Post by yolinda on Wed Apr 14, 2010 1:58 pm

Hi Net_Surfer,

I have to re-run Gmer, I forgot to hit the save button before I closed it, but here are the logs from the other two scans... will have gmer later.

GooredFix by jpshortstuff (08.01.10.1)
Log created at 17:26 on 13/04/2010 (yo)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:28 15/10/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [20:13 12/04/2010]

C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [15:31 15/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:09 15/08/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="c:\program files\real\realplayer\browserrecord\firefox\ext" [01:43 29/09/2009]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2" [00:34 05/04/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:12 12/04/2010]

-=E.O.F=-


SUPERAntiSpyware Scan Log

Generated 04/13/2010 at 08:54 PM

Application Version : 4.35.1002

Core Rules Database Version : 4802
Trace Rules Database Version: 2614

Scan type : Complete Scan
Total Scan Time : 03:08:50

Memory items scanned : 254
Memory threats detected : 0
Registry items scanned : 7876
Registry threats detected : 10
File items scanned : 258345
File threats detected : 403

Adware.Gamevance
HKU\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

Adware.Tracking Cookie
C:\Documents and Settings\HelpAssistant\Cookies\yo@gotquestions[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@healthinsurancefinders[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@healthinsurancefinders[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@hookedmediagroup[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@imrworldwide[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@imrworldwide[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@imrworldwide[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@insightexpressai[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[6].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@invitemedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@invitemedia[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@jra.advertserve[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@kaspersky.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@kaspersky.122.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@kontera[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@link.mercent[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@lockedonmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@lockedonmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.causes[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.legacy[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.medhelp[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.photobucket[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.photobucket[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.photobucket[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media303[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mediafire[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mediafire[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mediapromoter[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mmaadnet.ad-control-panel[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mogo-media[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@myroitracking[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@myroitracking[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@nextag[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@nitropayouts.directtrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@optimize.indieclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@overture[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@paypal.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@paypal.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@paypal.112.2o7[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@peoplefinders[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pickenscountyscbeekeepers[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pointroll[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pointroll[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pointroll[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@popcapgames.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@popcapgames.122.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@precisionclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pview.findlaw[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@questionmarket[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@questionmarket[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@realmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@retractable-banner-stands[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@retractable-banner-stands[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@roi.clicklab[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@rotator.adjuggler[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ru4[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@s.clickability[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@samsclub.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@sdctrack.thomasnet[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@server.iad.liveperson[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@server.iad.liveperson[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@server.iad.liveperson[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@serving-sys[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@signbanners[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@snap9.advertserve[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stat.dealtime[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.crayola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.gamestop[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.gamestop[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[6].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.zmags[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stmediagroup[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@super.kitnmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tacoda[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tacoda[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tacoda[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@teenmania[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@theaccountspayablenetwork[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@thefind[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@thefind[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@thefind[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tns-counter[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@track.bestbuy[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tracking.mivhydra[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@traffic.prod.cobaltgroup[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@trafficmp[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tribalfusion[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tribalfusion[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@triplediscountdisplays[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@upclick[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@usatoday1.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@user-activity-tracking[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@usnews.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@video.izv.user.madbanner[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@vinylbannersandsigns[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@virginmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@vpmc.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@vpmc.122.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@web4.realtracker[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant\Cookies\yo@yellowpages.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@zanox[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@a1.interclick[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@a1.interclick[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.wsod[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.wsod[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adbrite[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adinterax[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adinterax[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ads.oneplace[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ads.pgatour[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ads.pointroll[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adserver.adtechus[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@at.atwola[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@azjmp[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@bs.serving-sys[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@cb.adbureau[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@cb.adbureau[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@cdn4.specificclick[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@centralmediaserver[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@chitika[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@click.circuitcity-online[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@click.circuitcity-online[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@click.compusaonline[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@collective-media[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@coxhsi.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@decho.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@eyewonder[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@farecastcom.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@healthinsurancefinders[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@imrworldwide[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@imrworldwide[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@imrworldwide[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@insightexpressai[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@interclick[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@invitemedia[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@kaspersky.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@media6degrees[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@media6degrees[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@paypal.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@paypal.112.2o7[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@pointroll[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@pointroll[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@popcapgames.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@pro-market[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@questionmarket[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@readersdigest.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@revsci[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@revsci[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@revsci[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@richmedia.yahoo[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@richmedia.yahoo[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ru4[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@serving-sys[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@specificclick[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@specificmedia[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@stats.paypal[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@stats.paypal[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@tacoda[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@tacoda[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@trafficmp[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@usnews.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@vpmc.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@web4.realtracker[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@[You must be registered and logged in to see this link.]
C:\Documents and Settings\yo\Cookies\yo@adserver.adtechus[1].txt
C:\Documents and Settings\yo\Cookies\yo@azjmp[2].txt
C:\Documents and Settings\yo\Cookies\yo@chitika[1].txt
C:\Documents and Settings\yo\Cookies\yo@collective-media[1].txt
C:\Documents and Settings\yo\Cookies\yo@insightexpressai[1].txt
C:\Documents and Settings\yo\Cookies\yo@interclick[1].txt
C:\Documents and Settings\yo\Cookies\yo@media6degrees[1].txt
C:\Documents and Settings\yo\Cookies\yo@revsci[1].txt
C:\Documents and Settings\yo\Cookies\yo@tacoda[2].txt
C:\Documents and Settings\yo\Cookies\yo@trafficmp[2].txt

Adware.MyWebSearch/FunWebProducts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

yolinda

Re: ebay paypal redirect/hijack

Post by Net_Surfer on Wed Apr 14, 2010 4:33 pm

Hello Yolinda,

When you run GMER, ensure that it is run with the Sections option enabled.


Obstacles are what you see when you take you eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!

Net_Surfer

Re: ebay paypal redirect/hijack

Post by yolinda on Wed Apr 14, 2010 4:48 pm

I forgot to tell you.... whenever I reboot, I get a small window that opens just before the final Windows logo comes up. At the top of the window, in the title bar, there are four squares, then c:\windows\system32\mui\040\xpsplres.dll\, then in the window are a couple of squares. At the bottom are a couple of buttons; I have to press one to finish loading Windows. Sometimes the title bar has just squares and other symbols instead of showing that path.

GMER log coming soon

yolinda

Re: ebay paypal redirect/hijack

Post by Net_Surfer on Wed Apr 14, 2010 5:16 pm

yolinda wrote: I forgot to tell you.... whenever I reboot, I get a small window that opens just before the final Windows logo comes up. At the top of the window, in the title bar, there are four squares, then c:\windows\system32\mui\040\xpsplres.dll\, then in the window are a couple of squares. At the bottom are a couple of buttons; I have to press one to finish loading Windows. Sometimes the title bar has just squares and other symbols instead of showing that path.

GMER log coming soon
Hi Yolinda.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    [You must be registered and logged in to see this link.]
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to run a reg file

1. Copy the following into Notepad (Start > Run > "notepad"). Do not copy the word "code".
Code:
Windows Registry Editor Version 5.00
;
; "name"=- deletes the value; "name"="" then recreates it as an empty string.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"legalnoticecaption"=-
"legalnoticetext"=-
"legalnoticecaption"=""
"legalnoticetext"=""
; Same for the Winlogon copies of the legal notice, plus the "System" value,
; which is normally empty and is cleared here.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;
2. Click File, then Save As... .
3. Click Desktop on the left.
4. Under the Save as type dropdown, select All Files.
5. In the box File Name, input fix.reg
6. Hit Ok. It should look like this --->
7. Double click fix.reg. A message box will pop up asking whether you want to merge the file with the registry. Click "yes". Once complete, click "ok"
After you have done all of that, reboot your computer and let me know if you still have those little window pop-ups.

Regards
Net_Surfer
(Gunsmoke)


Net_Surfer
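As an added example (not from the thread or from any tool it mentions), a Python dry-run parser for the subset of the .reg format used by fix.reg above: it lists what merging would change (=- removes a value, ="" recreates it empty) so a fix can be reviewed before it is merged. The sample input is a constructed copy of that fix.reg.

```python
"""Dry-run a .reg file and list what merging it would change.

Added example, not from the thread or from any tool it mentions. It handles
the subset of the "Windows Registry Editor Version 5.00" format used by
fix.reg above: [key] and [-key] headers, "name"=- (delete a value) and
"name"="text" (set a string). Real .reg files are often UTF-16LE; decode
them to str before calling parse_reg(). Anything else raises ValueError so
that no line is silently ignored.
"""
import re

# Constructed copy of the fix.reg posted in the thread, used as sample input.
FIX_REG = r'''Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"legalnoticecaption"=-
"legalnoticetext"=-
"legalnoticecaption"=""
"legalnoticetext"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;
'''

HEADER = "Windows Registry Editor Version 5.00"
_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# Either a quoted value name or @ (the key's default value), then '='.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # Undo .reg quoting: a backslash escapes the following character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return (key, value_name, action, data) tuples in file order.

    action is "delete_key", "delete_value" or "set_string"; value_name is
    None for delete_key and "" for the default value (@).
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing or unexpected .reg header")
    ops, key = [], None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                                 # [-KEY] removes the key
                ops.append((key, None, "delete_key", None))
                key = None
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("line %d: unsupported or out-of-key line: %r" % (lineno, raw))
        name = "" if m.group(1) is None else _unescape(m.group(1))
        rhs = m.group(2)
        if rhs == "-":
            ops.append((key, name, "delete_value", None))
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            ops.append((key, name, "set_string", _unescape(rhs[1:-1])))
        else:
            raise ValueError("line %d: only =- and string data are supported: %r" % (lineno, raw))
    return ops


def final_state(ops):
    """Collapse the operations into the end state per (key, value name).

    Registry key and value names are case-insensitive, so the later
    "LegalNoticeCaption"="" wins over the earlier "legalnoticecaption"=-.
    Keys of the returned dict are therefore lowercased.
    """
    state = {}
    for key, name, action, data in ops:
        if action == "delete_key":
            for k in [k for k in state if k[0] == key.lower()]:
                del state[k]
            continue
        ident = (key.lower(), name.lower())
        state[ident] = ("deleted", None) if action == "delete_value" else ("string", data)
    return state


def report(text):
    """One line per affected value, sorted, describing the end result."""
    out = []
    for (key, name), (kind, data) in sorted(final_state(parse_reg(text)).items()):
        what = "value removed" if kind == "deleted" else "string %r" % data
        out.append("%s\\%s -> %s" % (key, name or "(Default)", what))
    return out


if __name__ == "__main__":
    for line in report(FIX_REG):
        print(line)
```

For fix.reg the end state is five values, all present and empty: the two legal-notice values under Policies\System and the two legal-notice values plus "System" under Winlogon.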

Sophos log

Post by yolinda on Fri Apr 16, 2010 7:53 pm

Hi Net_Surfer,

I tried to run GMER several times; it would run for 8+ hours, then sometime after that the computer either rebooted or shut down, so I ran Sophos. It did not create a log file that I could find, but I did a screen shot of the results and I am uploading that. I will try to run GMER again this evening.

yolinda

Re: ebay paypal redirect/hijack

Post by Net_Surfer on Fri Apr 16, 2010 8:25 pm

See if you can run GMER in safe mode, and ensure that the Sections option is checked before you run it.

Can you update me on how your computer is acting?

Do you still have the same problems?

I need you to update me, when you reply back, on how your computer is reacting each step of the way; I need that information so I can think of which tool to use to fix your problem.

You need to update your system.

Hackers are exploiting some new holes in Adobe and Java, and there is a new version for you to download again. So please update Java and Adobe; you can read more about this here:


[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Please follow my next set of steps:

Step 1. TFC (Temp File Cleaner)
Let's clean up the temp files and make sure there are not any other leftovers.

Download: [You must be registered and logged in to see this link.] to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).

  • Close any open windows.

  • Double click the TFC icon to run the program

  • TFC will close all open programs itself in order to run,

  • Click the Start button to begin the process.

  • Allow TFC to run uninterrupted.

  • The program should not take long to finish its job

  • Once it's finished it should automatically reboot your machine,

  • if it doesn't, manually reboot to ensure a complete clean
NOTE:
  • It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Step 2. FREE ESET Online Virus Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using the ESET online scanner it is possible for us to find leftover or missed malware files on your computer, and we can then further clean up your computer.

You can use either Internet Explorer or Mozilla FireFox for this scan.

  1. Please go [You must be registered and logged in to see this link.] then click on: button.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. the logfile will be located at C:\Program Files\ESET\EsetOnlineScanner\log.txt. Include the contents of this report in your next reply.
    Note: If ESET finds no bad files it will NOT produce a log. This is normal.
  • Push the button.
  • Push
  • Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "[You must be registered and logged in to see this link.]" from the context menu.

    You can refer to this animation by: neomage
    **Note**
    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs

    • Turn off the real time scanner of any existing anti-virus program while performing the online scan.

    Please reply back with Eset Online scan and Gmer report logs


Net_Surfer

    Re: ebay paypal redirect/hijack

    Post by yolinda on Sat Apr 17, 2010 3:16 pm

    Hi Net_Surfer,

    Well, the good news is the windows at start up are gone now.
    Ran TFC and it cleared out all the temporary files that were still lurking on the computer..... Updated Adobe and Java....

    The bad news is I ran GMER in safe mode, and it ran for over 12 hours. I went to save the log and got an error that said "Windows was unable to save the data for the file \Device\HarddiskVolume1\Windows\System32. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere." Then the computer completely froze. Could not even ctrl-alt-delete. Had to reboot. Pretty frustrating; the computer almost became a flying object....

    yolinda
    Intermediate

    Posts : 72
    Joined : 2010-04-04
    Gender : Female
    OS : Windows XP

    Re: ebay paypal redirect/hijack

    Post by yolinda on Sat Apr 17, 2010 3:47 pm

    ebay and paypal redirects are back...


    ESET log

    Post by yolinda on Sun Apr 18, 2010 3:57 am

    Hello...

    Here is the ESET log.... Going to try GMER again; do I need all the boxes on the right checked, or just Sections? Thank you

    C:\Documents and Settings\HelpAssistant\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined
    C:\Documents and Settings\HelpAssistant.LINDAS\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined
    C:\Documents and Settings\yo\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined


    GMER log

    Post by yolinda on Sun Apr 18, 2010 4:45 pm

    Hi Net_Surfer,

    Good news! I finally got GMER to run and give me a log!!! I ran it with just the System, Sections and Services boxes checked, so if you need me to run it again, please let me know which options you need me to check. I think having everything checked was too much info and too long of a scan, but I can do separate scans with different options checked if you need me to. Here is the log:

    GMER 1.0.15.15281
    Rootkit scan 2010-04-18 12:13:32
    Windows 5.1.2600 Service Pack 3
    Running: urm8osfb.exe; Driver: C:\DOCUME~1\yo\LOCALS~1\Temp\uwtdapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT AF0E8B0E ZwCreateKey
    SSDT AF0E8B04 ZwCreateThread
    SSDT AF0E8B13 ZwDeleteKey
    SSDT AF0E8B1D ZwDeleteValueKey
    SSDT AF0E8B22 ZwLoadKey
    SSDT AF0E8AF0 ZwOpenProcess
    SSDT AF0E8AF5 ZwOpenThread
    SSDT AF0E8B2C ZwReplaceKey
    SSDT AF0E8B27 ZwRestoreKey
    SSDT AF0E8B18 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8E8D380, 0x346307, 0xE8000020]
    .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA827A400, 0x87EE2, 0xE8000020]
    .protect C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect" section [0xA831E620]
    .protect C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA831E400, 0x5126, 0xE0000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E52862
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E526EE
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E527E0
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E52726
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E5275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 029B2862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!send 71AB4C27 5 Bytes JMP 029B26EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 029B27E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!recv 71AB676F 5 Bytes JMP 029B2726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 029B275E
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CF2862
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CF26EE
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01CF27E0
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01CF2726
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01CF275E
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E82862
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E826EE
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E827E0
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E82726
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E8275E
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01992862
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019926EE
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019927E0
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01992726
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199275E
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F02862
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F026EE
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F027E0
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F02726
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F0275E
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01542862
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015426EE
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015427E0
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01542726
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0154275E
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01022862
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010226EE
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010227E0
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01022726
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0102275E
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011E2862
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011E26EE
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011E27E0
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011E2726
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011E275E
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01292862
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012926EE
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012927E0
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01292726
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0129275E
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F52862
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F526EE
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F527E0
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F52726
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F5275E
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010C2862
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010C26EE
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010C27E0
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010C2726
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010C275E
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D52862
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D526EE
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D527E0
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D52726
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D5275E
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012E2862
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012E26EE
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012E27E0
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012E2726
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012E275E
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01982862
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019826EE
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019827E0
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01982726
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0198275E
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00992862
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009926EE
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009927E0
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00992726
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0099275E
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012026EE
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012027E0
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01202726
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0120275E
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00972862
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009726EE
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009727E0
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00972726
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0097275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E02862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E026EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E027E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E02726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E0275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E02862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E026EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E027E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E02726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E0275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01E62862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01E626EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01E627E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01E62726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01E6275E

    ---- EOF - GMER 1.0.15 ----

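The GMER log in the post above shows two things worth pulling out mechanically: a block of SSDT hooks with no driver named, and the same five WS2_32.dll exports (closesocket, send, recv, WSASend, WSARecv) hooked with a 5-byte JMP in every listed process, with targets that GMER does not tie to any module, while the kernel32.dll!WriteFile hook in SearchIndexer.exe is attributed to MSSRCH.DLL. The following is an added Python example, not part of the forum post and not GMER's own code, that parses those two line formats and groups the hooks so the pattern is visible at a glance; the sample lines are excerpted verbatim from the log above. It does not decide which product owns an unattributed hook: that still has to be cross-checked against the security software installed on the machine before concluding anything.

```python
"""Triage helper for the 'System' and 'User code sections' parts of a GMER log.

Added example, not part of the forum post and not GMER's own code. It parses
the hook lines GMER prints, groups them per hooked export, and separates hooks
GMER could tie to a module (owner path printed after the JMP target, as on the
MSSRCH.DLL line) from those it could not.
"""
import re
from collections import defaultdict

# SSDT line in the form GMER prints when it does not name the hooking driver:
#   SSDT AF0E8B0E ZwCreateKey
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")

# Inline user-mode hook. The owner part is present only when GMER resolves the
# JMP target to a loaded module:
#   .text <proc>[<pid>] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E526EE [<owner>]
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*))?$"
)


def parse_gmer(text):
    """Return one dict per SSDT or inline hook found in a GMER log."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "ssdt", "func": m["func"],
                          "addr": int(m["addr"], 16), "owner": None})
            continue
        m = USER_RE.match(line)
        if m:
            hooks.append({"kind": "user", "proc": m["proc"], "pid": int(m["pid"]),
                          "export": f"{m['module'].lower()}!{m['func']}",
                          "size": int(m["size"]), "target": int(m["target"], 16),
                          "owner": m["owner"]})  # None when no module was printed
    return hooks


def processes_per_export(hooks):
    """How many distinct PIDs carry a hook on each export."""
    pids = defaultdict(set)
    for h in hooks:
        if h["kind"] == "user":
            pids[h["export"]].add(h["pid"])
    return {export: len(s) for export, s in pids.items()}


def target_offsets(hooks):
    """Low 16 bits of every JMP target, per export.

    Windows hands out private allocations on 64 KiB boundaries, so one code
    image mapped at a different base in each process keeps the same low 16
    bits. A single offset per export across many PIDs is therefore a strong
    hint that every process carries the same injected image.
    """
    offs = defaultdict(set)
    for h in hooks:
        if h["kind"] == "user":
            offs[h["export"]].add(h["target"] & 0xFFFF)
    return dict(offs)


def unattributed(hooks):
    """Hooks GMER printed without an owning module; triage these first."""
    return [h for h in hooks if h["owner"] is None]


# Excerpt of the GMER log posted above (verbatim lines, not constructed).
SAMPLE_LOG = r"""
SSDT AF0E8B0E ZwCreateKey
SSDT AF0E8AF0 ZwOpenProcess
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E52862
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E526EE
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CF2862
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CF26EE
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
"""

if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks:", [h["func"] for h in hooks if h["kind"] == "ssdt"])
    offsets = target_offsets(hooks)
    for export, n in sorted(processes_per_export(hooks).items()):
        offs = ", ".join(f"{o:04X}" for o in sorted(offsets[export]))
        print(f"{export:28} hooked in {n} process(es); target offset(s): {offs}")
    print("unattributed hooks:", len(unattributed(hooks)),
          "attributed:", [h["owner"] for h in hooks if h["owner"]])
```

Run it against the full log (paste it into SAMPLE_LOG or read it from the saved file) and the output collapses the 110-odd `.text` lines into five exports, each hooked in the same set of processes with one shared 16-bit offset, plus the one attributed hook. GMER lines that patch with something other than a JMP (for example `5 Bytes [..]` byte dumps) are skipped by this parser and should be read by hand.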

    Re: ebay paypal redirect/hijack

    Post by Net_Surfer on Mon Apr 19, 2010 12:20 pm

    Hi Yolinda,

    Please right click on the combofix icon on your desktop and select delete.

    Then use the same steps that I gave you before, download it again and run it....... After that, paste the log here.



    ComboFix Log

    Post by yolinda on Mon Apr 19, 2010 3:31 pm

    Hi Net_Surfer,

    Great news.... ComboFix ran with no problems this time! I did accidentally forget to rename it and ran it first just from the download, but then deleted that version and downloaded it again with the "commy" rename and ran with your command line. I don't know if that would affect the scan you wanted, so I wanted to let you know just in case. I do have the log from the first scan also if you need me to post it.

    Here is the log from the second scan, run as you instructed:

    ComboFix 10-04-18.04 - yo 04/19/2010 9:33.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1066 [GMT -4:00]
    Running from: c:\documents and settings\yo\desktop\commy.exe
    Command switches used :: /stepdel
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
    2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-13 21:37 . 2010-04-13 21:37 52224 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-13 21:37 . 2010-04-19 01:45 117760 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
    2010-04-12 22:34 . 2010-04-12 22:34 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\.SunDownloadManager
    2010-04-12 22:10 . 2010-04-12 22:10 -------- d-----w- C:\_OTL
    2010-04-12 20:13 . 2010-04-12 20:13 61440 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-sse.dll
    2010-04-12 20:13 . 2010-04-12 20:13 503808 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcp71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 499712 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\jmc.dll
    2010-04-12 20:13 . 2010-04-12 20:13 348160 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcr71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 12800 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-d3d.dll
    2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
    2010-04-12 02:40 . 2010-04-12 02:40 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
    2010-04-12 02:40 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
    2010-04-12 02:19 . 2010-04-12 02:19 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IECompatCache
    2010-04-12 02:04 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\GoToAssistDownloadHelper.exe
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\DoctorWeb
    2010-04-11 22:23 . 2010-04-11 22:23 -------- d-----w- C:\HelpAsst_backup
    2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-04-06 14:15 . 2010-04-11 13:45 -------- d-----w- c:\documents and settings\yo\DoctorWeb
    2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
    2010-04-05 21:46 . 2010-04-05 22:52 -------- d-----w- c:\windows\system32\NtmsData
    2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
    2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
    2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
    2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
    2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
    2010-04-05 01:04 . 2010-04-19 13:23 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
    2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
    2010-04-04 20:11 . 2010-04-04 21:03 -------- d-----w- C:\commy
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\program files\NOS
    2010-04-04 08:54 . 2003-04-21 19:18 52608 ----a-r- c:\windows\system32\drivers\nvatabus_2.sys
    2010-04-04 08:50 . 2010-04-04 08:52 -------- d-----w- C:\Combo-Fix
    2010-04-04 07:36 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 07:36 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 23:05 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant\PNPrint3.exe
    2010-03-30 22:41 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-03-24 13:38 . 2009-09-09 14:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
    2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
    2010-03-20 23:23 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 04:21 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
    2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
    2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
    2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
    2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
    2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
    2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
    2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
    2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
    2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
    2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 16:50 . 2008-01-13 03:02 205416 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
    2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
    2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
    2010-02-25 22:41 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-25 22:41 . 2010-02-23 21:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:38 . 2010-02-24 15:38 50354 ----a-w- c:\documents and settings\yo\Application Data\Facebook\uninstall.exe
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-02-23 19:29 . 2010-02-23 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-23 17:10 . 2010-02-23 17:07 1752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-23 16:30 . 2010-02-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-23 16:29 . 2010-02-23 16:29 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-21 12:05 . 2010-02-21 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-02-18 14:53 . 2010-02-18 14:53 -------- d-----w- c:\program files\Microsoft IntelliType Pro
    2010-02-18 14:50 . 2010-02-18 14:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\yo\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_900.dat
    + 2010-04-19 13:33 . 2010-04-19 13:33 16384 c:\windows\Temp\Perflib_Perfdata_88c.dat
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
    + 2010-04-19 13:33 . 2010-04-19 13:33 16384 c:\windows\Temp\Perflib_Perfdata_2d8.dat
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_144.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\yo\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
    2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "rpcapd"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "MyWebSearchService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5823:TCP"= 5823:TCP:Services
    "5824:TCP"= 5824:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "4603:TCP"= 4603:TCP:Services
    "7706:TCP"= 7706:TCP:Services
    "6699:TCP"= 6699:TCP:Services
    "6698:TCP"= 6698:TCP:Services
    "7478:TCP"= 7478:TCP:Services
    "7479:TCP"= 7479:TCP:Services
    "7589:TCP"= 7589:TCP:Services
    "7590:TCP"= 7590:TCP:Services

    R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
    S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    mSearch Bar = [You must be registered and logged in to see this link.]
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
    FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-04-19 09:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x889A9A80]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf768bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf74a0852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x885bf8f0
    PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
    SendHandler -> NDIS.sys @ 0xf795a87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\63.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
    "D-Code"="9943096400"
    "U-Code"="Demo"
    "S-Code"="4973197477"
    "C-Code"="2108728324272124"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-19 09:50:19
    ComboFix-quarantined-files.txt 2010-04-19 13:50
    ComboFix2.txt 2010-04-19 13:18

    Pre-Run: 60,579,667,968 bytes free
    Post-Run: 60,522,254,336 bytes free

    - - End Of File - - 1B7DDBC1094B96DDD95E45032EE48372


    Re: ebay paypal redirect/hijack

    Post by Net_Surfer on Mon Apr 19, 2010 6:46 pm

    Hi Yolinda,

    Please post the report log of the first scan with Combofix.

    Thank you
    Net_Surfer


    Obstacles are what you see when you take your eyes off your GOALS
    Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!


    Re: ebay paypal redirect/hijack

    Post by yolinda on Mon Apr 19, 2010 6:49 pm

    Here is the first scan....

    By the way, I am still getting the ebay & paypal redirects...


    ComboFix 10-04-18.04 - yo 04/19/2010 8:59.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1069 [GMT -4:00]
    Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\yo\Recent\Thumbs.db
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
    2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-13 21:37 . 2010-04-13 21:37 52224 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-13 21:37 . 2010-04-19 01:45 117760 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
    2010-04-12 22:34 . 2010-04-12 22:34 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\.SunDownloadManager
    2010-04-12 22:10 . 2010-04-12 22:10 -------- d-----w- C:\_OTL
    2010-04-12 20:13 . 2010-04-12 20:13 61440 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-sse.dll
    2010-04-12 20:13 . 2010-04-12 20:13 503808 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcp71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 499712 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\jmc.dll
    2010-04-12 20:13 . 2010-04-12 20:13 348160 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcr71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 12800 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-d3d.dll
    2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
    2010-04-12 02:40 . 2010-04-12 02:40 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
    2010-04-12 02:40 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
    2010-04-12 02:19 . 2010-04-12 02:19 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IECompatCache
    2010-04-12 02:04 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\GoToAssistDownloadHelper.exe
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\DoctorWeb
    2010-04-11 22:23 . 2010-04-11 22:23 -------- d-----w- C:\HelpAsst_backup
    2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-04-06 14:15 . 2010-04-11 13:45 -------- d-----w- c:\documents and settings\yo\DoctorWeb
    2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
    2010-04-05 21:46 . 2010-04-05 22:52 -------- d-----w- c:\windows\system32\NtmsData
    2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
    2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
    2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
    2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
    2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
    2010-04-05 01:04 . 2010-04-19 12:52 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
    2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
    2010-04-04 20:11 . 2010-04-04 21:03 -------- d-----w- C:\commy
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\program files\NOS
    2010-04-04 08:54 . 2003-04-21 19:18 52608 ----a-r- c:\windows\system32\drivers\nvatabus_2.sys
    2010-04-04 08:50 . 2010-04-04 08:52 -------- d-----w- C:\Combo-Fix
    2010-04-04 07:36 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 07:36 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 23:05 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant\PNPrint3.exe
    2010-03-30 22:41 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-03-24 13:38 . 2009-09-09 14:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
    2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
    2010-03-20 23:23 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 04:21 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
    2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
    2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
    2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
    2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
    2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
    2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
    2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
    2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
    2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
    2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 16:50 . 2008-01-13 03:02 205416 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
    2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
    2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
    2010-02-25 22:41 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-25 22:41 . 2010-02-23 21:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:38 . 2010-02-24 15:38 50354 ----a-w- c:\documents and settings\yo\Application Data\Facebook\uninstall.exe
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-02-23 19:29 . 2010-02-23 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-23 17:10 . 2010-02-23 17:07 1752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-23 16:30 . 2010-02-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-23 16:29 . 2010-02-23 16:29 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-21 12:05 . 2010-02-21 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-02-18 14:53 . 2010-02-18 14:53 -------- d-----w- c:\program files\Microsoft IntelliType Pro
    2010-02-18 14:50 . 2010-02-18 14:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\yo\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\yo\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
    2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "rpcapd"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "MyWebSearchService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5823:TCP"= 5823:TCP:Services
    "5824:TCP"= 5824:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "4603:TCP"= 4603:TCP:Services
    "7706:TCP"= 7706:TCP:Services
    "6699:TCP"= 6699:TCP:Services
    "6698:TCP"= 6698:TCP:Services
    "7478:TCP"= 7478:TCP:Services
    "7479:TCP"= 7479:TCP:Services

    R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
    S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    mSearch Bar = [You must be registered and logged in to see this link.]
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
    FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-ActiveScan 2.0 - c:\program files\Panda Security\ActiveScan 2.0\as2uninst.exe
    AddRemove-Hard Disk Low Level Format Tool_is1 - a:\hddguru llf tool\unins000.exe
    AddRemove-ophcrack - c:\program files\ophcrack\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-04-19 09:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x894163A8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf768bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf74a0852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x885958f0
    PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
    SendHandler -> NDIS.sys @ 0xf795a87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\63.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
    "D-Code"="9943096400"
    "U-Code"="Demo"
    "S-Code"="4973197477"
    "C-Code"="2108728324272124"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-19 09:18:02
    ComboFix-quarantined-files.txt 2010-04-19 13:18

    Pre-Run: 60,639,612,928 bytes free
    Post-Run: 60,608,466,944 bytes free

    - - End Of File - - 055EEEC8B7C7732A5AAE5ADD37CB1F3E

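One detail in the ComboFix log above deserves a second look before moving on to the rootkit scanners: under the standardprofile firewall policy, `"EnableFirewall"= 0 (0x0)`, so Windows Firewall is switched off, and the GloballyOpenPorts list contains fifteen TCP ports, including 3389 (Remote Desktop) and eleven ports described only as "Services", a label that does not say which program opened them. The following script is an added example, not part of the thread and not a ComboFix feature: it parses that section of a ComboFix log and flags the firewall state, generic port descriptions and well-known remote-access ports. The sample input is copied from the log above (trimmed to a few lines); the function names (`parse`, `assess`, `analyze`), the `Report`/`OpenPort` types and the two rule tables are this example's own assumptions.

```python
"""Triage the firewall-policy section of a ComboFix log.

Added example for this thread; not ComboFix code and not the poster's.
The risk rules (generic descriptions, remote-access ports) are this
example's own assumptions, not anything ComboFix reports.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the ComboFix log posted in the
# thread, trimmed to the firewall-policy section.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6699:TCP"= 6699:TCP:Services
"""

SECTION_RE = re.compile(r'^\[(.*)\]$')
ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# "65533:TCP"= 65533:TCP:Services  ->  port, protocol, free-text description
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

# Assumption: a bare "Services" (or empty) description does not identify
# the program that opened the port, so the entry needs to be traced.
GENERIC_DESCRIPTIONS = {"", "services"}
# Assumption: ports whose global exposure should be a deliberate decision.
REMOTE_ACCESS_PORTS = {3389: "Remote Desktop (RDP)", 5900: "VNC",
                       23: "Telnet", 22: "SSH"}


@dataclass
class OpenPort:
    port: int
    proto: str
    description: str

    @property
    def generic(self) -> bool:
        return self.description.strip().lower() in GENERIC_DESCRIPTIONS


@dataclass
class Report:
    firewall_enabled: Optional[bool] = None      # None: key not in the log
    open_ports: List[OpenPort] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse(log_text: str) -> Report:
    """Pull the firewall state and the GloballyOpenPorts entries from a log."""
    rep = Report()
    in_ports = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # Only count port lines that sit under a GloballyOpenPorts\List key.
            in_ports = m.group(1).lower().endswith(r"globallyopenports\list")
            continue
        m = ENABLE_RE.match(line)
        if m:
            rep.firewall_enabled = m.group(1) != "0"
            continue
        m = PORT_RE.match(line)
        if m and in_ports:
            rep.open_ports.append(OpenPort(int(m.group(1)), m.group(2),
                                           m.group(3).strip()))
    return rep


def assess(rep: Report) -> Report:
    """Attach human-readable findings to a parsed report."""
    if rep.firewall_enabled is False:
        rep.findings.append("Windows Firewall is disabled for this profile; "
                            "the exception lists do not restrict anything.")
    for p in rep.open_ports:
        if p.port in REMOTE_ACCESS_PORTS:
            rep.findings.append(f"{p.port}/{p.proto} ({REMOTE_ACCESS_PORTS[p.port]}) "
                                "is globally open; confirm it is needed.")
        if p.generic:
            rep.findings.append(f"{p.port}/{p.proto} has a generic description "
                                f"{p.description!r}; identify the program that opened it.")
    return rep


def analyze(log_text: str) -> Report:
    return assess(parse(log_text))


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"firewall enabled: {r.firewall_enabled}")
    for p in r.open_ports:
        print(f"  {p.port}/{p.proto:<3} {p.description}")
    for f in r.findings:
        print("!", f)
```

Run against the full log from the post, the script reports the disabled firewall, the RDP exception and every "Services" entry. Whether those entries are leftovers of a legitimate program or were added by something else cannot be decided from the log alone; the point of the check is to produce the list of ports that still needs an owner.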

    eset log

    Post by yolinda on Tue Apr 20, 2010 7:13 pm

    Hi Net_Surfer,

    I went ahead and did another ESET scan, and this is the result:

    C:\Program Files\AIM6\services\softwareUpdate\ver2_14_16_3\aolsetup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined


    Also, the ebay/paypal redirect seems to be gone for now, but I am not able to log on to ebay. When I try to, I get a message that says I am not allowing cookies, so I can't log on. I checked my cookie settings, and changed them to always allow, but still get the message. I tried ebay tech support, and after going through checking the privacy and security settings on IE8 with them, they said that there may be a virus on my system that has put a setting somewhere that is making this message appear so I can't log on. If I try to log on to ebay.ca, I have no problems. (Of course, I can't list items, etc. through the .ca site, but this at least shows I can log on & cookies are fine; it is something with the ebay.com site/url.) I thought this info might help you identify whatever critter is lurking on my system.

    I did try to run Dr.Web CureIt again, and after many hours of running, I came back to a computer with the blue screen.

    Not trying to jump the gun on you, just thought I'd go ahead and try to rerun these scans you had requested previously while you were working on the log... I just need to get this system clean so I can transfer all my files/data to a new system and not worry about transferring this virus to the new PC.

    I do appreciate all your time/patience and help on this.

    Thank you,
    yolinda


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on Wed Apr 21, 2010 5:27 am

    GMER

    Note about this tool:
    • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
    • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
    • No matter what is in the log, please post all the information/contents of the log.


    Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on Wed Apr 21, 2010 4:38 pm

    Gmer crashed... blue screen of death...
    Stop: 0X000000C5 (0X00000004, 0X000000002, 0X00000001, 0X8054BBB4)

    I got Gmer to run before by unchecking everything except System, Sections and Services boxes. Do you want me to try that again? Which boxes have to be checked?

    Thanks


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on Thu Apr 22, 2010 1:19 am

    Let's try this, and see if we can work around it.

    Launch GMER and in the right panel, untick all except the following:
    • Modules
    • Processes
    • Libraries
    • Services
    • Show All
    Then click the scan button & show me the log it produces.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on Thu Apr 22, 2010 2:26 am

    That scan was very fast.... less than a minute...

    The log is very long, so I'm uploading the file.

    Thank you for your help!


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on Thu Apr 22, 2010 3:19 am

    That did not give the info I was hoping for. Let's try to run this:

    Please download [You must be registered and logged in to see this link.] by DragonMaster Jay and save it to your Desktop.
    • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
    • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
    • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in. Please do not upload it.


    Dr. Jay (DJ)


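    The SpiderKill log, as the reply below shows, is mostly `dir` output for the Drivers folder, a second listing of the hidden files in it, and process and module tables. What follows is an added example, not SpiderKill's code and not anything posted in this thread: a short Python script that parses that listing format and pulls out the three things a helper scans for first, drivers newer than the XP SP3 build date, files that appear only in the hidden listing, and the timestamp and size of the hosts file. The sample listing inside it is constructed in that format from a handful of lines; `examplehidden.sys` is an invented name, and the baseline date is an assumption chosen for the sample.

```python
"""Triage a SpiderKill-style driver listing.

Added example for this thread, not SpiderKill's or GeekPolice's own code.
It reads the two `dir`-formatted sections such a log contains (the plain
listing of C:\\Windows\\System32\\Drivers and the hidden-file listing that
`dir /ah` gives) and reports drivers modified after a baseline date, files
that only the hidden listing shows, and the state of Drivers\\etc\\hosts.
"""
import re
from datetime import datetime

# One `dir` entry as the forum shows it (whitespace collapsed), e.g.
# "04/13/2008 02:46 PM 53,376 1394bus.sys" or "01/12/2008 09:58 AM disdn";
# the second form is a subdirectory (`dir` prints <DIR>, the log dropped it).
ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2})\s+([AP]M)\s+(?:([\d,]+)\s+)?(\S.*?)\s*$"
)
DIR_HEADER = re.compile(r"^Directory of (.+?)\s*$")

# Most Microsoft drivers in an XP SP3 install carry the SP3 build date,
# 04/13/2008; anything newer was added later and deserves a look.
# The baseline is an assumption chosen for the sample, not a tool setting.
BASELINE = datetime(2010, 3, 1)


def parse_dir_listing(text):
    """Return {(directory, name): (mtime, size)}; size is None for subdirectories."""
    entries, current_dir = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        m = ENTRY.match(line)
        if not m or current_dir is None:
            continue
        date, clock, ampm, size, name = m.groups()
        if name in (".", ".."):
            continue
        mtime = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M %p")
        entries[(current_dir, name)] = (mtime, int(size.replace(",", "")) if size else None)
    return entries


def triage(drivers_listing, hidden_listing, baseline=BASELINE):
    """Summarise the listing the way a helper reads it.

    recent      - files anywhere in the Drivers tree modified after `baseline`
    hidden_only - names in the `dir /ah` output missing from the plain listing
                  (the 0-byte .Wdf coinstaller markers are normal on XP and land
                  here too, so this list needs a human look, not an auto-delete)
    hosts       - (mtime, size) of Drivers\\etc\\hosts, or None if not listed
    """
    normal = parse_dir_listing(drivers_listing)
    hidden = parse_dir_listing(hidden_listing)
    normal_names = {name for _, name in normal}
    recent = sorted(name for (_, name), (mtime, size) in normal.items()
                    if size is not None and mtime > baseline)
    hidden_only = sorted(name for _, name in hidden if name not in normal_names)
    hosts = next(((mtime, size) for (d, name), (mtime, size) in normal.items()
                  if name.lower() == "hosts" and d.lower().endswith("drivers\\etc")), None)
    return {"recent": recent, "hidden_only": hidden_only, "hosts": hosts}


# Constructed sample in the posted log's format (a few lines, not the full log).
SAMPLE_DRIVERS = r"""
Directory of C:\Windows\System32\Drivers

04/19/2010 09:42 AM .
04/19/2010 09:42 AM ..
04/13/2008 02:46 PM 53,376 1394bus.sys
04/13/2008 02:40 PM 96,512 atapi.sys
01/12/2008 09:58 AM disdn
04/12/2010 06:10 PM etc
03/30/2010 12:45 AM 20,824 mbam.sys
04/13/2008 03:15 PM 574,976 ntfs.sys
4 File(s) 745,688 bytes

Directory of C:\Windows\System32\Drivers\etc

04/12/2010 06:10 PM .
04/12/2010 06:10 PM ..
04/12/2010 06:10 PM 98 Hosts
08/29/2002 08:00 AM 734 hosts.20100309-193033.backup
08/29/2002 08:00 AM 3,683 lmhosts.sam
3 File(s) 4,515 bytes
"""

# Constructed `dir /ah` section; examplehidden.sys is an invented name.
SAMPLE_HIDDEN = r"""
Directory of C:\Windows\System32\Drivers

01/13/2008 12:07 AM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
04/11/2010 11:58 PM 31,232 examplehidden.sys
2 File(s) 31,232 bytes
"""


def run_sample():
    return triage(SAMPLE_DRIVERS, SAMPLE_HIDDEN)


if __name__ == "__main__":
    result = run_sample()
    print("modified after baseline:", ", ".join(result["recent"]))
    print("only in hidden listing: ", ", ".join(result["hidden_only"]))
    print("hosts file:", result["hosts"])
```

    Run it against a saved SpiderKill.txt by splitting the file at its "Drivers list" and "Hidden Drivers" banners and passing the two halves to `triage()`; the `hosts` entry is the first thing to read when the complaint is a site redirect, because a 98-byte hosts file dated days ago, next to a dated `.backup` copy, says a tool recently rewrote it.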

    Re: ebay paypal redirect/hijack

    Post by yolinda on Thu Apr 22, 2010 3:49 am

    ok, here it is...

    SpiderKill by DragonMaster Jay ( Oct 2009 )


    Microsoft Windows XP [Version 5.1.2600]

    ********************Drivers list********************


    Volume in drive C has no label.
    Volume Serial Number is 8C30-4B1B

    Directory of C:\Windows\System32\Drivers

    04/19/2010 09:42 AM .
    04/19/2010 09:42 AM ..
    04/13/2008 02:46 PM 53,376 1394bus.sys
    04/13/2008 02:46 PM 48,128 61883.sys
    04/13/2008 02:36 PM 187,776 acpi.sys
    08/29/2002 08:00 AM 11,648 acpiec.sys
    04/13/2008 08:11 PM 4,255 adv01nt5.dll
    04/13/2008 08:11 PM 3,967 adv02nt5.dll
    04/13/2008 08:11 PM 3,615 adv05nt5.dll
    04/13/2008 08:11 PM 3,647 adv07nt5.dll
    04/13/2008 08:11 PM 3,135 adv08nt5.dll
    04/13/2008 08:11 PM 3,711 adv09nt5.dll
    04/13/2008 08:11 PM 3,775 adv11nt5.dll
    04/13/2008 12:39 PM 142,592 aec.sys
    08/14/2008 06:04 AM 138,496 afd.sys
    04/13/2008 02:36 PM 42,368 agp440.sys
    04/13/2008 02:36 PM 44,928 agpcpq.sys
    04/13/2008 02:36 PM 42,752 alim1541.sys
    04/13/2008 02:36 PM 43,008 amdagp.sys
    04/13/2008 02:31 PM 37,376 amdk6.sys
    04/13/2008 02:31 PM 37,760 amdk7.sys
    11/29/2006 01:46 AM 28,224 APLMp50.sys
    04/13/2008 02:51 PM 60,800 arp1394.sys
    03/29/2000 10:17 AM 5,824 ASUSHWIO.SYS
    04/13/2008 02:57 PM 14,336 asyncmac.sys
    04/13/2008 02:40 PM 96,512 atapi.sys
    08/04/2004 01:29 AM 56,623 ati1btxx.sys
    08/04/2004 01:29 AM 11,615 ati1mdxx.sys
    08/04/2004 01:29 AM 12,047 ati1pdxx.sys
    08/04/2004 01:29 AM 30,671 ati1raxx.sys
    08/04/2004 01:29 AM 63,663 ati1rvxx.sys
    08/04/2004 01:29 AM 26,367 ati1snxx.sys
    08/04/2004 01:29 AM 21,343 ati1ttxx.sys
    08/04/2004 01:29 AM 36,463 ati1tuxx.sys
    08/04/2004 01:29 AM 29,455 ati1xbxx.sys
    08/04/2004 01:29 AM 34,735 ati1xsxx.sys
    08/04/2004 01:29 AM 327,040 ati2mtaa.sys
    08/04/2004 01:29 AM 701,440 ati2mtag.sys
    08/04/2004 01:29 AM 57,856 atinbtxx.sys
    08/04/2004 01:29 AM 13,824 atinmdxx.sys
    08/04/2004 01:29 AM 14,336 atinpdxx.sys
    08/04/2004 01:29 AM 52,224 atinraxx.sys
    08/04/2004 01:29 AM 104,960 atinrvxx.sys
    08/04/2004 01:29 AM 28,672 atinsnxx.sys
    08/04/2004 01:29 AM 13,824 atinttxx.sys
    08/04/2004 01:29 AM 73,216 atintuxx.sys
    08/04/2004 01:29 AM 31,744 atinxbxx.sys
    08/04/2004 01:29 AM 63,488 atinxsxx.sys
    07/17/2004 02:36 PM 64,352 ativmc20.cod
    04/13/2008 02:51 PM 59,904 atmarpc.sys
    08/29/2002 08:00 AM 31,360 atmepvc.sys
    04/13/2008 02:51 PM 55,808 atmlane.sys
    08/29/2002 08:00 AM 352,256 atmuni.sys
    04/13/2008 08:11 PM 21,183 atv01nt5.dll
    04/13/2008 08:11 PM 11,359 atv02nt5.dll
    04/13/2008 08:11 PM 25,471 atv04nt5.dll
    04/13/2008 08:11 PM 14,143 atv06nt5.dll
    04/13/2008 08:11 PM 17,279 atv10nt5.dll
    08/17/2001 09:59 AM 3,072 audstub.sys
    04/13/2008 02:46 PM 38,912 avc.sys
    05/11/2009 11:49 AM 45,416 avgntdd.sys
    02/16/2010 01:24 PM 60,936 avgntflt.sys
    05/11/2009 11:49 AM 22,360 avgntmgr.sys
    03/01/2010 09:05 AM 124,784 avipbb.sys
    08/29/2002 08:00 AM 4,224 beep.sys
    04/13/2008 02:53 PM 71,552 bridge.sys
    04/13/2008 02:46 PM 17,024 bthenum.sys
    04/13/2008 02:46 PM 37,888 bthmodem.sys
    04/13/2008 02:51 PM 101,120 bthpan.sys
    06/13/2008 07:05 AM 272,128 bthport.sys
    04/13/2008 02:46 PM 36,480 bthprint.sys
    04/13/2008 02:46 PM 18,944 bthusb.sys
    08/29/2002 08:00 AM 13,952 cbidf2k.sys
    04/13/2008 02:46 PM 17,024 CCDECODE.sys
    08/29/2002 08:00 AM 18,688 cdaudio.sys
    04/13/2008 03:14 PM 63,744 cdfs.sys
    04/13/2008 02:40 PM 62,976 cdrom.sys
    04/13/2008 08:11 PM 15,423 ch7xxnt5.dll
    08/29/2002 08:00 AM 262,528 cinemst2.sys
    04/13/2008 03:16 PM 49,536 classpnp.sys
    08/29/2002 08:00 AM 11,776 cpqdap01.sys
    04/13/2008 02:31 PM 36,736 crusoe.sys
    06/08/2005 02:08 PM 1,359,744 CT0531FL.SYS
    08/11/2006 03:45 PM 502,272 ctac32k.sys
    08/11/2006 03:45 PM 499,584 ctaud2k.sys
    11/10/2005 06:06 PM 340,704 ctdvda2k.sys
    12/30/2002 11:53 AM 12,160 CTGAME.SYS
    09/06/2005 03:02 PM 1,365,888 CTMMFILT.SYS
    08/11/2006 03:45 PM 116,224 ctoss2k.sys
    08/11/2006 03:45 PM 7,168 ctprxy2k.sys
    08/11/2006 03:45 PM 143,872 ctsfm2k.sys
    01/18/2007 04:28 PM 5,275 CVirtA.sys
    10/26/2007 02:27 PM 306,300 CVPNDRVA.sys
    07/18/2004 01:55 AM 129,045 cxthsfs2.cty
    01/12/2004 10:20 AM 9,600 CygF32x.sys
    01/12/2004 10:20 AM 16,000 CygLib.sys
    01/12/2008 09:58 AM disdn
    04/13/2008 02:40 PM 36,352 disk.sys
    04/13/2008 02:40 PM 14,208 diskdump.sys
    04/13/2008 02:44 PM 799,744 dmboot.sys
    04/13/2008 02:44 PM 153,344 dmio.sys
    08/29/2002 08:00 AM 5,888 dmload.sys
    04/13/2008 02:45 PM 52,864 dmusic.sys
    01/31/2007 01:45 PM 127,376 dne2000.sys
    04/13/2008 03:45 PM 60,160 drmk.sys
    04/13/2008 02:45 PM 2,944 drmkaud.sys
    08/29/2002 08:00 AM 10,496 dxapi.sys
    04/13/2008 02:38 PM 71,168 dxg.sys
    08/29/2002 08:00 AM 3,328 dxgthk.sys
    08/11/2006 03:45 PM 78,336 emupia2k.sys
    08/17/2001 09:46 AM 6,400 enum1394.sys
    10/11/2007 12:10 PM 30,008 ET5Drv.sys
    04/12/2010 06:10 PM etc
    04/13/2008 03:14 PM 143,744 fastfat.sys
    04/13/2008 02:40 PM 27,392 fdc.sys
    04/13/2008 02:33 PM 44,544 fips.sys
    04/13/2008 02:40 PM 20,480 flpydisk.sys
    04/13/2008 02:32 PM 129,792 fltmgr.sys
    08/29/2002 08:00 AM 12,160 fsvga.sys
    08/29/2002 08:00 AM 7,936 fs_rec.sys
    08/29/2002 08:00 AM 125,056 ftdisk.sys
    04/13/2008 02:36 PM 46,464 gagp30kx.sys
    04/13/2008 02:45 PM 10,624 gameenum.sys
    04/17/2008 01:12 PM 15,464 GEARAspiWDM.sys
    08/29/2002 08:00 AM 3,440,660 gm.dls
    08/29/2002 08:00 AM 646 gmreadme.txt
    01/23/2009 02:41 AM 24,944 GVTDrv.sys
    08/11/2006 03:45 PM 766,976 ha10kx2k.sys
    08/11/2006 03:45 PM 1,110,016 ha20x2k.sys
    08/11/2006 03:45 PM 154,112 haP16v2k.sys
    08/11/2006 03:45 PM 180,224 haP17v2k.sys
    11/22/2006 11:01 AM 693,760 hardlock.sys
    04/13/2008 12:36 PM 144,384 hdaudbus.sys
    04/13/2008 02:46 PM 25,600 hidbth.sys
    04/13/2008 02:45 PM 36,864 hidclass.sys
    04/13/2008 02:45 PM 19,200 hidir.sys
    04/13/2008 02:45 PM 24,960 hidparse.sys
    04/13/2008 09:11 PM 21,504 hidserv.dll
    04/13/2008 02:45 PM 10,368 hidusb.sys
    10/30/2008 05:08 PM 49,920 HPZid412.sys
    10/30/2008 05:08 PM 16,496 HPZipr12.sys
    10/30/2008 05:08 PM 21,568 HPZius12.sys
    08/04/2004 01:41 AM 220,032 hsfbs2s2.sys
    08/04/2004 01:41 AM 685,056 hsfcxts2.sys
    08/04/2004 01:41 AM 1,041,536 hsfdpsp2.sys
    10/20/2009 12:20 PM 265,728 http.sys
    04/13/2008 04:18 PM 52,480 i8042prt.sys
    04/13/2008 02:40 PM 42,112 imapi.sys
    11/26/2004 01:36 PM 98,176 InCDfs.sys
    11/26/2004 01:36 PM 28,928 InCDpass.sys
    11/26/2004 01:36 PM 7,808 InCDrec.sys
    11/26/2004 08:36 AM 27,648 InCDrm.sys
    04/13/2008 02:31 PM 36,352 intelppm.sys
    04/13/2008 02:53 PM 36,608 ip6fw.sys
    08/29/2002 08:00 AM 32,896 ipfltdrv.sys
    04/13/2008 02:57 PM 20,864 ipinip.sys
    04/13/2008 02:57 PM 152,832 ipnat.sys
    04/13/2008 03:19 PM 75,264 ipsec.sys
    04/13/2008 02:45 PM 46,592 irbus.sys
    04/13/2008 02:54 PM 11,264 irenum.sys
    04/13/2008 02:36 PM 37,248 isapnp.sys
    10/28/2005 05:11 PM 27,648 iteatapi.sys
    04/13/2008 02:39 PM 24,576 kbdclass.sys
    04/13/2008 02:39 PM 14,592 kbdhid.sys
    02/23/2010 01:10 PM 1,752 kgpcpy.cfg
    09/14/2009 03:42 PM 32,272 klim5.sys
    04/13/2008 02:45 PM 172,416 kmixer.sys
    04/13/2008 04:16 PM 141,056 ks.sys
    06/24/2009 07:18 AM 92,928 ksecdd.sys
    03/30/2010 12:45 AM 20,824 mbam.sys
    03/30/2010 12:46 AM 38,224 mbamswissarmy.sys
    08/29/2002 08:00 AM 7,680 mcd.sys
    08/04/2004 01:41 AM 11,868 mdmxsdk.sys
    04/13/2008 02:36 PM 63,744 mf.sys
    08/29/2002 08:00 AM 4,224 mnmdd.sys
    04/13/2008 03:00 PM 30,080 modem.sys
    04/13/2008 03:39 PM 23,040 mouclass.sys
    08/29/2002 08:00 AM 12,160 mouhid.sys
    04/13/2008 02:39 PM 42,368 mountmgr.sys
    04/13/2008 02:39 PM 92,544 mqac.sys
    04/13/2008 02:32 PM 180,608 mrxdav.sys
    02/24/2010 09:11 AM 455,680 mrxsmb.sys
    04/13/2008 02:46 PM 51,200 msdv.sys
    04/13/2008 02:32 PM 19,072 msfs.sys
    04/13/2008 02:56 PM 35,072 msgpc.sys
    04/13/2008 02:39 PM 7,552 mskssrv.sys
    08/17/2001 03:00 PM 2,944 msmpu401.sys
    04/13/2008 02:39 PM 5,376 mspclock.sys
    04/13/2008 02:39 PM 4,992 mspqm.sys
    04/13/2008 02:36 PM 15,488 mssmbios.sys
    04/13/2008 02:39 PM 5,504 MSTEE.sys
    08/28/2006 06:12 PM 13,312 MTictwl.sys
    08/04/2004 01:41 AM 126,686 mtlmnt5.sys
    08/04/2004 01:41 AM 1,309,184 mtlstrm.sys
    08/04/2004 01:29 AM 452,736 mtxparhm.sys
    04/13/2008 03:17 PM 105,344 mup.sys
    04/13/2008 02:43 PM 12,672 mutohpen.sys
    05/03/2007 01:37 PM 22,152 mxopswd.sys
    04/13/2008 02:46 PM 85,248 NABTSFEC.sys
    04/13/2008 03:20 PM 182,656 ndis.sys
    04/13/2008 02:46 PM 10,880 NdisIP.sys
    04/13/2008 02:57 PM 10,112 ndistapi.sys
    04/13/2008 02:55 PM 14,592 ndisuio.sys
    04/13/2008 03:20 PM 91,520 ndiswan.sys
    04/13/2008 02:57 PM 40,576 ndproxy.sys
    04/13/2008 02:56 PM 34,688 netbios.sys
    04/13/2008 03:21 PM 162,816 netbt.sys
    09/09/2009 10:29 AM 199,432 neti1639.sys
    04/15/2002 10:11 PM 67,866 netwlan5.img
    04/13/2008 02:51 PM 61,824 nic1394.sys
    08/29/2002 08:00 AM 12,032 nikedrv.sys
    04/13/2008 02:53 PM 40,320 nmnt.sys
    01/25/2007 01:31 PM 42,000 npf.sys
    04/13/2008 02:32 PM 30,848 npfs.sys
    04/13/2008 03:15 PM 574,976 ntfs.sys
    08/04/2004 01:41 AM 180,360 ntmtlfax.sys
    05/09/2009 02:14 AM 14,736 nuidfltr.sys
    08/29/2002 08:00 AM 2,944 null.sys
    12/05/2007 02:41 AM 7,435,392 nv4_mini.sys
    05/25/2004 04:58 PM 396,032 nvapu.sys
    05/25/2004 04:58 PM 66,688 nvarm.sys
    04/21/2003 03:18 PM 52,608 nvatabus.sys
    04/21/2003 03:18 PM 52,608 nvatabus_2.sys
    05/25/2004 04:58 PM 48,640 nvax.sys
    05/25/2004 04:58 PM 962,560 nvmcp.sys
    03/19/2003 04:51 PM 18,688 nv_agp.SYS
    08/29/2002 08:00 AM 12,416 nwlnkflt.sys
    08/29/2002 08:00 AM 32,512 nwlnkfwd.sys
    04/13/2008 02:56 PM 88,320 nwlnkipx.sys
    08/29/2002 08:00 AM 63,232 nwlnknb.sys
    08/29/2002 08:00 AM 55,936 nwlnkspx.sys
    04/13/2008 02:34 PM 163,584 nwrdr.sys
    04/13/2008 02:46 PM 61,696 ohci1394.sys
    08/29/2002 08:00 AM 3,456 oprghdlr.sys
    04/13/2008 02:31 PM 42,752 p3.sys
    04/13/2008 02:40 PM 80,128 parport.sys
    04/13/2008 02:40 PM 19,712 partmgr.sys
    08/29/2002 08:00 AM 6,784 parvdm.sys
    04/13/2008 02:36 PM 68,224 pci.sys
    08/17/2001 02:51 PM 3,328 pciide.sys
    04/13/2008 02:40 PM 24,960 pciidex.sys
    04/13/2008 02:36 PM 120,192 pcmcia.sys
    08/11/2006 03:56 PM 8,192 pfmodnt.sys
    06/01/2009 02:51 PM 27,792 point32.sys
    04/13/2008 04:19 PM 146,048 portcls.sys
    04/13/2008 02:31 PM 35,840 processr.sys
    04/13/2008 02:56 PM 69,120 psched.sys
    08/29/2002 08:00 AM 17,792 ptilink.sys
    08/29/2002 08:00 AM 8,832 rasacd.sys
    04/13/2008 03:19 PM 51,328 rasl2tp.sys
    04/13/2008 02:57 PM 41,472 raspppoe.sys
    04/13/2008 03:19 PM 48,384 raspptp.sys
    08/29/2002 08:00 AM 16,512 raspti.sys
    08/29/2002 08:00 AM 34,432 rawwan.sys
    04/13/2008 03:28 PM 175,744 rdbss.sys
    08/29/2002 08:00 AM 4,224 rdpcdd.sys
    04/13/2008 02:32 PM 196,224 rdpdr.sys
    04/13/2008 08:13 PM 139,656 rdpwd.sys
    08/04/2004 01:41 AM 13,776 recagent.sys
    04/13/2008 02:40 PM 57,600 redbook.sys
    04/13/2008 02:46 PM 59,136 rfcomm.sys
    08/29/2002 08:00 AM 12,032 rio8drv.sys
    08/29/2002 08:00 AM 12,032 riodrv.sys
    05/08/2008 10:02 AM 203,136 rmcast.sys
    04/13/2008 02:56 PM 30,592 rndismp.sys
    04/13/2008 02:56 PM 30,592 rndismpx.sys
    08/29/2002 08:00 AM 5,888 rootmdm.sys
    07/16/2004 03:19 PM 70,400 Rtlnicxp.sys
    11/20/2007 12:09 PM 104,320 Rtnicxp.sys
    08/04/2004 01:29 AM 166,912 s3gnbm.sys
    03/09/2010 11:13 PM 95,024 SBREDrv.sys
    04/13/2008 02:40 PM 96,384 scsiport.sys
    04/13/2008 02:36 PM 79,232 sdbus.sys
    11/13/2007 06:25 AM 20,480 secdrv.sys
    04/13/2008 02:40 PM 15,744 serenum.sys
    04/13/2008 03:15 PM 64,512 serial.sys
    04/13/2008 02:40 PM 11,904 sffdisk.sys
    04/13/2008 02:40 PM 10,240 sffp_mmc.sys
    04/13/2008 02:40 PM 11,008 sffp_sd.sys
    04/13/2008 02:40 PM 11,392 sfloppy.sys
    09/04/2003 08:45 AM 55,144 si3112.svs
    09/04/2003 08:45 AM 55,144 si3112.sys
    08/29/2007 04:04 AM 116,264 SI3112r.sys
    04/13/2008 08:12 PM 3,901 siint5.dll
    04/13/2008 02:36 PM 40,960 sisagp.sys
    08/29/2007 04:04 AM 19,240 SiWinAcc.sys
    04/13/2008 02:46 PM 11,136 SLIP.sys
    08/04/2004 01:41 AM 129,535 slnt7554.sys
    08/04/2004 01:41 AM 404,990 slntamr.sys
    08/04/2004 01:41 AM 95,424 slnthal.sys
    08/04/2004 01:41 AM 13,240 slwdmsup.sys
    04/13/2008 02:36 PM 5,888 smbali.sys
    08/29/2002 08:00 AM 14,592 smclib.sys
    04/13/2008 02:46 PM 25,344 sonydcam.sys
    04/13/2008 02:45 PM 6,272 splitter.sys
    04/13/2008 02:36 PM 73,472 sr.sys
    12/31/2009 12:50 PM 353,792 srv.sys
    05/11/2009 09:12 AM 28,520 ssmdrv.sys
    04/13/2008 03:45 PM 49,408 stream.sys
    04/13/2008 02:46 PM 15,232 StreamIP.sys
    04/13/2008 02:39 PM 4,352 swenum.sys
    04/13/2008 02:45 PM 56,576 swmidi.sys
    04/13/2008 03:15 PM 60,800 sysaudio.sys
    04/13/2008 02:40 PM 14,976 tape.sys
    06/20/2008 07:51 AM 361,600 tcpip.sys
    02/11/2010 08:02 AM 226,880 tcpip6.sys
    04/13/2008 03:00 PM 19,072 tdi.sys
    04/13/2008 08:13 PM 12,040 tdpipe.sys
    04/13/2008 08:13 PM 21,896 tdtcp.sys
    04/13/2008 08:13 PM 40,840 termdd.sys
    05/07/2009 03:04 AM 157,712 tmcomm.sys
    08/29/2002 08:00 AM 51,712 tosdvd.sys
    08/29/2002 08:00 AM 21,376 tsbvcap.sys
    04/13/2008 02:56 PM 12,288 tunmp.sys
    04/13/2008 02:36 PM 44,672 uagp35.sys
    04/13/2008 02:32 PM 66,048 udfs.sys
    11/23/2008 01:22 PM UMDF
    04/13/2008 02:39 PM 384,768 update.sys
    04/13/2008 02:56 PM 12,800 usb8023.sys
    04/13/2008 02:56 PM 12,800 usb8023x.sys
    04/13/2008 03:45 PM 60,032 USBAUDIO.sys
    04/13/2008 02:45 PM 25,600 usbcamd.sys
    04/13/2008 02:45 PM 25,728 usbcamd2.sys
    04/13/2008 02:45 PM 32,128 usbccgp.sys
    08/29/2002 08:00 AM 4,736 usbd.sys
    04/13/2008 02:45 PM 30,208 usbehci.sys
    04/13/2008 02:45 PM 59,520 usbhub.sys
    04/13/2008 02:45 PM 15,872 usbintel.sys
    04/13/2008 02:45 PM 17,152 usbohci.sys
    04/13/2008 02:45 PM 143,872 usbport.sys
    04/13/2008 02:47 PM 25,856 usbprint.sys
    04/13/2008 03:45 PM 15,104 usbscan.sys
    04/13/2008 02:45 PM 26,368 usbstor.sys
    04/13/2008 02:46 PM 121,984 usbvideo.sys
    04/13/2008 08:12 PM 11,325 vchnt5.dll
    08/29/2002 08:00 AM 58,112 vdmindvd.sys
    04/13/2008 02:44 PM 20,992 vga.sys
    04/13/2008 02:36 PM 42,240 viaagp.sys
    04/13/2008 02:44 PM 81,664 videoprt.sys
    04/13/2008 02:41 PM 52,352 volsnap.sys
    04/13/2008 02:43 PM 14,208 wacompen.sys
    08/04/2004 01:29 AM 11,807 wadv07nt.sys
    08/04/2004 01:29 AM 11,295 wadv08nt.sys
    08/04/2004 01:29 AM 11,871 wadv09nt.sys
    08/04/2004 01:29 AM 11,935 wadv11nt.sys
    04/13/2008 02:57 PM 34,560 wanarp.sys
    08/04/2004 01:29 AM 22,271 watv06nt.sys
    08/04/2004 01:29 AM 25,471 watv10nt.sys
    11/02/2006 08:22 AM 492,000 wdf01000.sys
    11/02/2006 08:22 AM 32,224 wdfldr.sys
    04/13/2008 03:17 PM 83,072 wdmaud.sys
    08/29/2002 08:00 AM 4,352 wmilib.sys
    10/18/2006 08:00 PM 38,528 wpdusb.sys
    08/29/2002 08:00 AM 12,032 ws2ifsl.sys
    04/13/2008 02:46 PM 19,200 WSTCODEC.SYS
    09/28/2006 06:55 PM 77,568 WudfPf.sys
    09/28/2006 07:00 PM 82,944 WudfRd.sys
    352 File(s) 44,020,948 bytes

    Directory of C:\Windows\System32\Drivers\disdn

    01/12/2008 09:58 AM .
    01/12/2008 09:58 AM ..
    0 File(s) 0 bytes

    Directory of C:\Windows\System32\Drivers\etc

    04/12/2010 06:10 PM .
    04/12/2010 06:10 PM ..
    04/12/2010 06:10 PM 98 Hosts
    08/29/2002 08:00 AM 734 hosts.20100309-193033.backup
    08/29/2002 08:00 AM 3,683 lmhosts.sam
    08/29/2002 08:00 AM 407 networks
    08/29/2002 08:00 AM 799 protocol
    08/29/2002 08:00 AM 7,116 services
    6 File(s) 12,837 bytes

    Directory of C:\Windows\System32\Drivers\UMDF

    11/23/2008 01:22 PM .
    11/23/2008 01:22 PM ..
    10/18/2006 09:47 PM 671,232 wpdmtpdr.dll
    1 File(s) 671,232 bytes

    Total Files Listed:
    359 File(s) 44,705,017 bytes
    11 Dir(s) 60,875,743,232 bytes free


    ***********************Hidden Drivers********************
    Volume in drive C has no label.
    Volume Serial Number is 8C30-4B1B

    Directory of C:\Windows\System32\Drivers

    01/13/2008 12:07 AM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    01/13/2008 12:07 AM 0 Msft_Kernel_NuidFltr_01005.Wdf
    2 File(s) 0 bytes
    0 Dir(s) 60,875,755,520 bytes free


    *********************Processes*******************


    PROCESS PID PRIO PATH
    smss.exe 1064 Normal C:\WINDOWS\System32\smss.exe
    csrss.exe 1116 Normal C:\WINDOWS\system32\csrss.exe
    winlogon.exe 1144 High C:\WINDOWS\system32\winlogon.exe
    services.exe 1188 Normal C:\WINDOWS\system32\services.exe
    lsass.exe 1200 Normal C:\WINDOWS\system32\lsass.exe
    svchost.exe 1372 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1472 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1596 Normal C:\WINDOWS\System32\svchost.exe
    InCDsrv.exe 1624 Normal C:\Program Files\Ahead\InCD\InCDsrv.exe
    svchost.exe 1776 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1892 Normal C:\WINDOWS\System32\svchost.exe
    svchost.exe 252 Normal C:\WINDOWS\system32\svchost.exe
    Explorer.EXE 428 Normal C:\WINDOWS\Explorer.EXE
    spoolsv.exe 568 Normal C:\WINDOWS\system32\spoolsv.exe
    sched.exe 628 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe 732 Normal C:\WINDOWS\System32\svchost.exe
    CTHELPER.EXE 1556 Normal C:\WINDOWS\CTHELPER.EXE
    SearchProtection.exe 1584 Normal C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    ipoint.exe 1612 Normal C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    itype.exe 1652 Normal C:\Program Files\Microsoft IntelliType Pro\itype.exe
    HPWuSchd2.exe 1924 Normal C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    avgnt.exe 1960 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    jusched.exe 1976 Normal C:\Program Files\Common Files\Java\Java Update\jusched.exe
    GoogleToolbarNotifier.exe 1988 Normal C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    ctfmon.exe 144 Normal C:\WINDOWS\system32\ctfmon.exe
    hpqtra08.exe 260 Normal C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    WindowsSearch.exe 300 Normal C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    ACService.exe 960 Normal C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    avguard.exe 944 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    cvpnd.exe 1088 Normal C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    DkService.exe 1100 Below Normal C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    dpupdchk.exe 2080 Normal C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    svchost.exe 2176 Normal C:\WINDOWS\system32\svchost.exe
    jqs.exe 2208 Idle C:\Program Files\Java\jre6\bin\jqs.exe
    avshadow.exe 2220 Normal C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    MagicTuneEngine.exe 2248 Normal C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    SyncServices.exe 2356 Normal C:\Program Files\Maxtor\Sync\SyncServices.exe
    svchost.exe 2468 Normal C:\WINDOWS\System32\svchost.exe
    nTuneService.exe 2792 Normal C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    nvsvc32.exe 2856 Normal C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe 2904 Normal C:\WINDOWS\System32\svchost.exe
    snmp.exe 3068 Normal C:\WINDOWS\System32\snmp.exe
    svchost.exe 3276 Normal C:\WINDOWS\System32\svchost.exe
    YahooAUService.exe 3372 Normal C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    SearchIndexer.exe 3996 Normal C:\WINDOWS\system32\SearchIndexer.exe
    MagicTune.exe 2300 Normal C:\Program Files\MagicTune Premium\MagicTune.exe
    alg.exe 2876 Normal C:\WINDOWS\System32\alg.exe
    hpqSTE08.exe 700 Normal C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    hpqbam08.exe 1684 Normal C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    hpqgpc01.exe 2708 Normal C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    FNPLicensingService.exe 4716 Normal C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    AcroTray.exe 5568 Normal C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
    cmd.exe 5120 Normal C:\WINDOWS\system32\cmd.exe
    processes.exe 5536 Normal C:\Documents and Settings\yo\Desktop\SpiderKill\SpiderKill\processes.exe


    Module information for 'Explorer.EXE'(428)
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
    ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
    kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
    ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
    RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
    Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
    BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
    GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
    USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
    msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
    ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
    SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
    SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
    CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
    MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
    CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
    NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
    VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
    WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
    Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
    urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
    iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
    WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
    SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
    UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
    ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
    AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
    WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
    MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
    USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
    IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
    comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
    comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
    msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
    appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
    COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
    GrooveShellExtensions.dll 661d0000 2224128 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll 12.0.6421.1000 GrooveShellExtensions Module
    GrooveUtil.DLL 68ef0000 991232 C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL 12.0.6423.1000 GrooveUtil Module
    MSVCR80.dll dc0000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
    GrooveNew.DLL 68ff0000 28672 C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL 12.0.6413.1000 GrooveNew Module
    ATL80.DLL 7c630000 110592 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL 8.00.50727.4053 ATL Module for Windows (Unicode)
    rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
    MSImg32.dll 76380000 20480 C:\WINDOWS\system32\MSImg32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
    cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
    CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
    themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
    xpsp2res.dll 1100000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
    actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
    SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
    GrooveSystemServices.dll 65e50000 184320 C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll 12.0.6421.1000 GrooveSystemServices Module
    msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
    LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
    ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
    ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
    WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
    SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
    msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
    ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Explorer
    MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
    msvcp60.dll 76080000 413696 C:\WINDOWS\System32\msvcp60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
    NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
    credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
    dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
    rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
    dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
    OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
    WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
    eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
    eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
    iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
    webcheck.dll 20f0000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
    stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
    BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
    WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
    WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
    mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
    PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
    PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
    GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
    MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
    wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
    ctagent.dll 1b80000 24576 C:\WINDOWS\system32\ctagent.dll 1, 0, 0, 12 ctagent
    MSNLNamespaceMgr.dll 4050000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
    SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
    MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
    drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
    SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
    PDFShell.dll 4160000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.3.2.163 PDF Shell Extension
    browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
    gdiplus.dll 4ec50000 1748992 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll 5.2.6001.22319 (vistasp1_ldr.081126-1506) Microsoft GDI+
    DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
    mscms.dll 73b30000 86016 C:\WINDOWS\system32\mscms.dll 5.1.2600.5627 (xpsp_sp3_gdr.080624-1245) Microsoft Color Matching System DLL
    WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
    SnagItShellExtRes.dll 3500000 32768 C:\Program Files\TechSmith\SnagIt 9\SnagItShellExtRes.dll 9.0.0.351 SnagIt Shell Extension Resources DLL
    NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.5512 (xpsp.080413-2111) Configuration Manager Forwarder DLL
    icm32.dll 66e90000 266240 C:\WINDOWS\system32\icm32.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft Color Management Module (CMM)
    printui.dll 74b80000 573440 C:\WINDOWS\system32\printui.dll 5.1.2600.5512 (xpsp.080413-0852) Print UI DLL
    ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
    AcroIEHelper.dll 990000 65536 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll 9.3.2.163 Adobe PDF Helper for Internet Explorer
    msohevi.dll 6bd10000 65536 C:\Program Files\Microsoft Office\Office12\msohevi.dll 12.0.6413.1000 2007 Microsoft Office component



    ******************************************
    EOF

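    The module listing above is the kind of output a helper reads by hand, looking for loaded DLLs that do not belong. As an added example that is not part of the original thread (not the poster's log tooling, not Kaspersky's), here is a small parser for that line format plus a triage pass. The six sample lines are copied in the format of the posted log; the flagging rules (outside the Windows directory, inside it but without an OS build tag, comma-separated version string) are my own assumptions and the %SystemRoot% location is assumed to be C:\WINDOWS. A flag is a prompt to verify a file's vendor and signature, not a verdict: a legitimate shell extension or vendor agent is flagged exactly as a planted DLL would be.

```python
"""Parse and triage a loaded-module listing of the form posted in this thread.

Each line has the shape
    <name> <base-hex> <size> <path> <version> [(build tag)] <description>
The path can contain spaces (C:\\Program Files\\...), so it is found by locating
the "\\<name>" that terminates it rather than by splitting on whitespace.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines copied in the format of the posted log.
SAMPLE_LOG = r"""
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
ctagent.dll 1b80000 24576 C:\WINDOWS\system32\ctagent.dll 1, 0, 0, 12 ctagent
SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
gdiplus.dll 4ec50000 1748992 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll 5.2.6001.22319 (vistasp1_ldr.081126-1506) Microsoft GDI+
"""

WINDOWS_DIR = "c:\\windows\\"  # assumption: %SystemRoot% is C:\WINDOWS, as in the posted log

# <version> is digits separated by "." or ", "; an optional "(build tag)" follows;
# whatever remains is the description.
_TAIL_RE = re.compile(r"^(\d+(?:[.,]\s*\d+)*)(?:\s*\(([^)]*)\))?\s*(.*)$")


@dataclass
class Module:
    name: str
    base: int
    size: int
    path: str
    version: str
    build_tag: Optional[str]
    description: str


def parse_module_line(line: str) -> Optional[Module]:
    """Parse one listing line; return None for lines that do not fit the format."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    name, base_hex, size_str, rest = parts
    # The path ends with "\<name>" (case-insensitive); everything after it is version info.
    marker = "\\" + name.lower()
    idx = rest.lower().find(marker)
    if idx < 0:
        return None
    path_end = idx + len(marker)
    match = _TAIL_RE.match(rest[path_end:].strip())
    if match is None:
        return None
    version, build_tag, description = match.groups()
    return Module(name, int(base_hex, 16), int(size_str), rest[:path_end],
                  version, build_tag, description.strip())


def parse_listing(text: str) -> List[Module]:
    modules = []
    for line in text.splitlines():
        mod = parse_module_line(line.strip())
        if mod is not None:
            modules.append(mod)
    return modules


def triage(modules: List[Module]) -> Dict[str, List[str]]:
    """Return {module name: [reasons]} for modules worth a second look.

    Review prompts only (assumed heuristics): confirm vendor and signature
    of each flagged file before drawing any conclusion from it.
    """
    findings: Dict[str, List[str]] = {}
    for m in modules:
        reasons = []
        if not m.path.lower().startswith(WINDOWS_DIR):
            reasons.append("loaded from outside the Windows directory; confirm the vendor and signature")
        elif m.build_tag is None:
            reasons.append("inside the Windows directory but without the OS build tag the other system modules carry")
        if "," in m.version:
            reasons.append("comma-separated version string; none of the OS modules in the listing use that form")
        if reasons:
            findings[m.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_listing(SAMPLE_LOG)).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

    Run on the sample, it flags GrooveMisc.dll and SASSEH.DLL (outside C:\WINDOWS) and ctagent.dll (in system32 with no build tag); credui.dll, WINHTTP.dll and the WinSxS gdiplus.dll pass. Feed it the full listing by pasting the log into SAMPLE_LOG or reading it from a file.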

    Re: ebay paypal redirect/hijack

    Post by Dr Jay on Thu Apr 22, 2010 4:11 am

    Please do a scan with [You must be registered and logged in to see this link.]

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Dr. Jay (DJ)




    Kaspersky scan

    Post by yolinda on Thu Apr 22, 2010 2:17 pm

    Hi Dragonmaster_Jay,

    Here are the results of the Kaspersky scan:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, April 22, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, April 21, 2010 20:27:33
    Records in database: 3962586
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    H:\

    Scan statistics:
    Objects scanned: 273092
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 1
    Scan duration: 06:38:06


    File name / Threat / Threats count
    C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    Selected area has been scanned.


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on Thu Apr 22, 2010 4:26 pm

    Good.

    I think this will be the final check.

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
    Please close all other applications running on your system.

    Please double click GetSystemInfo.exe to open it.

    Click the Settings button.



    Set it to Maximum



    IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


    Click Create Report to run it.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

    Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


    Dr. Jay (DJ)




    Re: ebay paypal redirect/hijack

    Post by yolinda on Thu Apr 22, 2010 4:58 pm

    ok...here is the link:

    [You must be registered and logged in to see this link.]


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on Fri Apr 23, 2010 12:12 am

    We need to do some diagnostics.

    1. Please download [You must be registered and logged in to see this link.] by noahdfear.
    • Save it to your desktop.
    • Double-click profiles.exe and post its log when you reply.


    2. Download [You must be registered and logged in to see this link.] by ad13 and save it to your Desktop.
    • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
    • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
    • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


    3. In your next reply, please post the following logs for my review:
    • Profiles log (1)
    • Win32kDiag log (2)


    Thanks!


    Dr. Jay (DJ)



