ebay paypal redirect/hijack


Re: ebay paypal redirect/hijack

Post by Net_Surfer on 14th April 2010, 4:33 pm

Hello Yolinda,

When you run GMER, ensure that it is run with the Sections option enabled.


Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!

Net_Surfer (Intermediate)
Posts: 57 | Joined: 2010-03-28 | Gender: Male | OS: xp sp3, Vista, Win7 | Points: 25235 | Likes: 0

Re: ebay paypal redirect/hijack

Post by yolinda on 14th April 2010, 4:48 pm

I forgot to tell you... whenever I reboot, I get a small window that opens just before the final Windows logo comes up. At the top of the window in the title bar there are four squares, then c:\windows\system32\mui\040\xpsplres.dll\, then in the window are a couple of squares. At the bottom are a couple of buttons; I have to press one to finish loading Windows. Sometimes the title bar has just squares and other symbols instead of that path showing.

GMER log coming soon

yolinda (Intermediate)
Posts: 72 | Joined: 2010-04-04 | Gender: Female | OS: Windows XP | Protection: Currently using Avira. | Points: 25488 | Likes: 0

Re: ebay paypal redirect/hijack

Post by Net_Surfer on 14th April 2010, 5:16 pm

yolinda wrote:
> I forgot to tell you... whenever I reboot, I get a small window that opens just before the final Windows logo comes up. At the top of the window in the title bar there are four squares, then c:\windows\system32\mui\040\xpsplres.dll\, then in the window are a couple of squares. At the bottom are a couple of buttons; I have to press one to finish loading Windows. Sometimes the title bar has just squares and other symbols instead of that path showing.
>
> GMER log coming soon

Hi Yolinda.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    [You must be registered and logged in to see this link.]
  • For the version with the installer:
    Use the setup program to install ERUNT on your computer.
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to run a reg file

1. Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
Code:
Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"legalnoticecaption"=-
"legalnoticetext"=-
"legalnoticecaption"=""
"legalnoticetext"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;
2. Click File, then Save As... .
3. Click Desktop on the left.
4. Under the Save as type dropdown, select All Files.
5. In the box File Name, input fix.reg
6. Hit Ok. It should look like this --->
7. Double click fix.reg. A message box will pop up asking whether you want to merge the file with the registry. Click "yes". Once complete, click "ok".
After you have done all of that, reboot your computer and let me know if you still have those little pop-up windows.

Regards
Net_Surfer
(Gunsmoke)
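As an added example, not part of Net_Surfer's post or of any Microsoft tool: a small Python parser and simulator for .reg files like the fix.reg above. It lets you read off exactly what merging the file would do (a `"name"=-` line deletes a value, and the following `""` line re-creates it empty) against a constructed in-memory registry, without touching a real machine. The parser, the dict model and the placeholder starting values are mine; only the FIX_REG text is taken from the post.

```python
"""Minimal parser and simulator for Windows .reg files (Registry Editor 5.00 format).
Added example; not part of the original post or of any Microsoft tool. It handles
only what the fix.reg above uses ([Key], [-Key], "name"="string", "name"=-) and
works on a constructed in-memory dict, never the live registry."""
import re

# The fix.reg posted in the thread, reproduced verbatim.
FIX_REG = r'''Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"legalnoticecaption"=-
"legalnoticetext"=-
"legalnoticecaption"=""
"legalnoticetext"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;
'''

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace('\\\\', '\\')

def parse_reg(text):
    """Return the file's operations in order: ('create_key', key), ('delete_key', key),
    ('set', key, name, data) or ('delete_value', key, name)."""
    lines = text.splitlines()
    if not lines or lines[0].strip().lstrip("\ufeff") != "Windows Registry Editor Version 5.00":
        raise ValueError("not a Registry Editor 5.00 file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, path = m.groups()
            if minus:                               # [-Key] deletes the whole key
                ops.append(("delete_key", path))
                key = None
            else:
                key = path
                ops.append(("create_key", path))
            continue
        if key is None:
            raise ValueError("value line outside any key: " + line)
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError("unsupported line: " + line)
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs == "-":                              # "name"=- deletes the value
            ops.append(("delete_value", key, name))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            ops.append(("set", key, name, _unescape(rhs[1:-1])))
        else:
            raise ValueError("only REG_SZ strings are handled: " + line)
    return ops

def _lookup(d, name):
    """Registry names are case-insensitive; return the stored spelling or None."""
    return next((k for k in d if k.lower() == name.lower()), None)

def apply_reg(ops, registry):
    """Apply ops to a {key_path: {value_name: data}} model in place and return it."""
    for op in ops:
        kind, path = op[0], op[1]
        existing = _lookup(registry, path)
        if kind == "delete_key":
            if existing is not None:
                del registry[existing]
            continue
        if existing is None:                        # [Key] creates a missing key
            registry[path] = {}
            existing = path
        values = registry[existing]
        if kind == "create_key":
            continue
        stored = _lookup(values, op[2])
        if stored is not None:                      # delete and set both drop the old entry
            del values[stored]
        if kind == "set":
            values[op[2]] = op[3]
    return registry

def demo():
    # Constructed starting state (placeholder strings, not values from the thread): a
    # Winlogon key carrying a non-empty legal notice plus one unrelated value.
    registry = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "LegalNoticeCaption": "constructed caption",
        "LegalNoticeText": "constructed text",
        "Shell": "Explorer.exe",                    # must survive the merge untouched
    }}
    return apply_reg(parse_reg(FIX_REG), registry)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two LegalNotice values and `system` ending up as empty strings under Winlogon while `Shell` is left alone, and the policies key being created with its two empty values. The lookup is deliberately case-insensitive, which is why the mixed-case spellings in the two halves of fix.reg address the same values a real registry would.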



sophos log

Post by yolinda on 16th April 2010, 7:53 pm

Hi Net_Surfer,

I tried to run GMER several times; it would run for 8+ hours, and then sometime after that the computer either rebooted or shut down, so I ran Sophos. It did not create a log file that I found, but I did a screen shot of the results and I am uploading that. I will try to run GMER again this evening.


Re: ebay paypal redirect/hijack

Post by Net_Surfer on 16th April 2010, 8:25 pm

See if you can run GMER in safe mode, and ensure that the SECTIONS option is checked before you run it.

Can you update me on how your computer is acting?

Do you still have the same problems?

I need you to update me, when you reply back, on how your computer is reacting each step of the way. I need the information so I can think of what tool to use to fix your problem.

You need to update your system.

Hackers are exploiting some new holes in Adobe and Java, and there is a new version for you to download again. So please update Java and Adobe; you can read more about this here:


[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Please follow my next set of steps:

Step 1. TFC (Temp File Cleaner)
Let's clean up the temp files and make sure there are not any other leftovers.

Download: [You must be registered and logged in to see this link.] to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies.)

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

NOTE:
  • It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  • TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Step 2. FREE ESET Online Virus Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using the ESET online scanner it is possible for us to find leftover or missed malware files on your computer, and we can then further clean up your computer.

You can use either Internet Explorer or Mozilla Firefox for this scan.

  1. Please go to [You must be registered and logged in to see this link.] then click on the button.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. The logfile will be located at C:\Program Files\ESET\EsetOnlineScanner\log.txt. Include the contents of this report in your next reply.
    Note: If ESET finds no bad files it will NOT produce a log. This is normal.
  • Push the button.
  • Push
  • Note for Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "[You must be registered and logged in to see this link.]" from the context menu.

You can refer to this animation by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of any existing anti-virus program while performing the online scan.

Please reply back with the ESET Online scan and GMER report logs.



Re: ebay paypal redirect/hijack

Post by yolinda on 17th April 2010, 3:16 pm

Hi Net_Surfer,

Well, the good news is the windows at start up are gone now.
Ran TFC and it cleared out all the temporary files that were still lurking on the computer... Updated Adobe and Java...

The bad news is I ran GMER in safe mode, and it ran for over 12 hours. I went to save the log and got an error that said "Windows was unable to save the data for the file \Device\HarddiskVolume1\Windows\System32. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere." Then the computer completely froze. Could not even ctrl-alt-delete. Had to reboot. Pretty frustrating, the computer almost became a flying object...


Re: ebay paypal redirect/hijack

Post by yolinda on 17th April 2010, 3:47 pm

eBay and PayPal redirects are back...


ESET log

Post by yolinda on 18th April 2010, 3:57 am

Hello...

Here is the ESET log... going to try GMER again. Do I need all the boxes on the right checked, or just Sections? Thank you.

    C:\Documents and Settings\HelpAssistant\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined
    C:\Documents and Settings\HelpAssistant.LINDAS\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined
    C:\Documents and Settings\yo\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined


GMER log

Post by yolinda on 18th April 2010, 4:45 pm

Hi Net_Surfer,

Good news! I finally got GMER to run and give me a log!!! I ran it with just the System, Sections and Services boxes checked, so if you need me to run it again, please let me know which options you need me to check. I think having everything checked was too much info and too long of a scan, but I can do separate scans with different options checked if you need me to. Here is the log:

    GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
    Rootkit scan 2010-04-18 12:13:32
    Windows 5.1.2600 Service Pack 3
    Running: urm8osfb.exe; Driver: C:\DOCUME~1\yo\LOCALS~1\Temp\uwtdapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT AF0E8B0E ZwCreateKey
    SSDT AF0E8B04 ZwCreateThread
    SSDT AF0E8B13 ZwDeleteKey
    SSDT AF0E8B1D ZwDeleteValueKey
    SSDT AF0E8B22 ZwLoadKey
    SSDT AF0E8AF0 ZwOpenProcess
    SSDT AF0E8AF5 ZwOpenThread
    SSDT AF0E8B2C ZwReplaceKey
    SSDT AF0E8B27 ZwRestoreKey
    SSDT AF0E8B18 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8E8D380, 0x346307, 0xE8000020]
    .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA827A400, 0x87EE2, 0xE8000020]
    .protectˇˇˇˇhardlockentry point in ".protectˇˇˇˇhardlockentry point in ".protectˇˇˇˇhardlockentry point in ".p" section [0xA831E620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectˇˇˇˇhardlockentry point in ".protectˇˇˇˇhardlockentry point in ".p" section [0xA831E620]
    .protectˇˇˇˇhardlockunknown last code section [0xA831E400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA831E400, 0x5126, 0xE0000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E52862
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E526EE
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E527E0
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E52726
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E5275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 029B2862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!send 71AB4C27 5 Bytes JMP 029B26EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 029B27E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!recv 71AB676F 5 Bytes JMP 029B2726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 029B275E
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CF2862
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CF26EE
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01CF27E0
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01CF2726
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01CF275E
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E82862
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E826EE
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E827E0
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E82726
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E8275E
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01992862
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019926EE
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019927E0
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01992726
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199275E
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F02862
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F026EE
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F027E0
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F02726
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F0275E
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01542862
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015426EE
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015427E0
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01542726
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0154275E
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01022862
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010226EE
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010227E0
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01022726
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0102275E
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011E2862
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011E26EE
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011E27E0
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011E2726
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011E275E
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01292862
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012926EE
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012927E0
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01292726
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0129275E
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F52862
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F526EE
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F527E0
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F52726
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F5275E
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010C2862
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010C26EE
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010C27E0
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010C2726
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010C275E
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D52862
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D526EE
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D527E0
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D52726
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D5275E
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012E2862
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012E26EE
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012E27E0
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012E2726
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012E275E
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01982862
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019826EE
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019827E0
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01982726
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0198275E
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00992862
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009926EE
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009927E0
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00992726
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0099275E
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012026EE
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012027E0
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01202726
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0120275E
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00972862
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009726EE
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009727E0
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00972726
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0097275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E02862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E026EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E027E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E02726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E0275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E02862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E026EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E027E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E02726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E0275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01E62862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01E626EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01E627E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01E62726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01E6275E

    ---- EOF - GMER 1.0.15 ----
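As an added example (not part of this thread and not GMER's own code), the Python helper below parses the user-mode hook lines and the SSDT lines of a GMER log and reports which functions are hooked in every listed process and which hooks GMER printed without an owning module. The sample lines are excerpted from the log above; the function names and the "systemic hook" heuristic are mine.

```python
"""Triage helper for GMER user-mode hook listings.

Added example for this thread; not part of GMER or of the original post. It
parses the '.text <process>[pid] <module>!<function> <addr> <n> Bytes JMP
<target> [owner]' lines and the 'SSDT <addr> <function>' lines, then reports
which functions are hooked in every listed process and which hooks carry no
owning module. SAMPLE_LOG is excerpted from the log posted above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
SSDT AF0E8B0E ZwCreateKey
SSDT AF0E8AF0 ZwOpenProcess
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CF2862
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CF26EE
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 029B2862
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!send 71AB4C27 5 Bytes JMP 029B26EE
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012026EE
"""

USER_HOOK_RE = re.compile(
    r'^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<func>\S+)'
    r'\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)'
    r'(?:\s+(?P<owner>.+))?$'
)
SSDT_RE = re.compile(r'^SSDT\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\w+)(?:\s+(?P<owner>.+))?$')


def parse_gmer(text):
    """Return (ssdt_entries, user_hooks); each entry is a dict of the regex's named groups."""
    ssdt, hooks = [], []
    for line in text.splitlines():
        line = line.strip()
        m = USER_HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["nbytes"] = int(h["nbytes"])
            h["module"] = h["module"].lower()   # GMER prints WS2_32.dll and ws2_32.dll for one module
            hooks.append(h)
            continue
        m = SSDT_RE.match(line)
        if m:
            ssdt.append(m.groupdict())
    return ssdt, hooks


def processes(hooks):
    return {(h["process"], h["pid"]) for h in hooks}


def hooks_by_function(hooks):
    """Map 'module!function' to the set of (process, pid) in which it is hooked."""
    by_func = defaultdict(set)
    for h in hooks:
        by_func[h["module"] + "!" + h["func"]].add((h["process"], h["pid"]))
    return by_func


def systemic_hooks(hooks):
    """Functions hooked in every listed process: a machine-wide pattern, not one odd process."""
    everyone = processes(hooks)
    return sorted(f for f, procs in hooks_by_function(hooks).items() if procs == everyone)


def triage(text):
    ssdt, hooks = parse_gmer(text)
    return {
        "ssdt_functions": [s["func"] for s in ssdt],
        "process_count": len(processes(hooks)),
        "systemic": systemic_hooks(hooks),
        "unattributed_count": sum(1 for h in hooks if not h["owner"]),
        "attributed": [(h["process"], h["module"] + "!" + h["func"], h["owner"])
                       for h in hooks if h["owner"]],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, v)
```

Run over the full log above, every listed process carries the same five ws2_32.dll exports (closesocket, send, recv, WSARecv, WSASend) hooked with no owning module named, while the single kernel32.dll!WriteFile hook in SearchIndexer.exe is attributed to MSSRCH.DLL. Separating the machine-wide, unattributed pattern from the one attributed hook is the point of the triage; the log itself does not say which module owns the Winsock hooks, so that is the follow-up question, not a conclusion.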


Re: ebay paypal redirect/hijack

Post by Net_Surfer on 19th April 2010, 12:20 pm

Hi Yolinda,

Please right click on the ComboFix icon on your desktop and select Delete.

Then use the same steps that I gave you before, download it again and run it... After that, paste the log here.



ComboFix Log

Post by yolinda on 19th April 2010, 3:31 pm

Hi Net_Surfer,

Great news... ComboFix ran with no problems this time! I did accidentally forget to rename it and ran it first just from the download, but then deleted that version and downloaded it again with the "commy" rename and ran it with your command line. I don't know if that would affect the scan you wanted, so I wanted to let you know just in case. I do have the log from the first scan also if you need me to post it.

Here is the log from the second scan, run as you instructed:

    ComboFix 10-04-18.04 - yo 04/19/2010 9:33.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1066 [GMT -4:00]
    Running from: c:\documents and settings\yo\desktop\commy.exe
    Command switches used :: /stepdel
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
    2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-13 21:37 . 2010-04-13 21:37 52224 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-13 21:37 . 2010-04-19 01:45 117760 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
    2010-04-12 22:34 . 2010-04-12 22:34 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\.SunDownloadManager
    2010-04-12 22:10 . 2010-04-12 22:10 -------- d-----w- C:\_OTL
    2010-04-12 20:13 . 2010-04-12 20:13 61440 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-sse.dll
    2010-04-12 20:13 . 2010-04-12 20:13 503808 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcp71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 499712 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\jmc.dll
    2010-04-12 20:13 . 2010-04-12 20:13 348160 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcr71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 12800 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-d3d.dll
    2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
    2010-04-12 02:40 . 2010-04-12 02:40 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
    2010-04-12 02:40 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
    2010-04-12 02:19 . 2010-04-12 02:19 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IECompatCache
    2010-04-12 02:04 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\GoToAssistDownloadHelper.exe
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\DoctorWeb
    2010-04-11 22:23 . 2010-04-11 22:23 -------- d-----w- C:\HelpAsst_backup
    2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-04-06 14:15 . 2010-04-11 13:45 -------- d-----w- c:\documents and settings\yo\DoctorWeb
    2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
    2010-04-05 21:46 . 2010-04-05 22:52 -------- d-----w- c:\windows\system32\NtmsData
    2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
    2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
    2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
    2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
    2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
    2010-04-05 01:04 . 2010-04-19 13:23 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
    2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
    2010-04-04 20:11 . 2010-04-04 21:03 -------- d-----w- C:\commy
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\program files\NOS
    2010-04-04 08:54 . 2003-04-21 19:18 52608 ----a-r- c:\windows\system32\drivers\nvatabus_2.sys
    2010-04-04 08:50 . 2010-04-04 08:52 -------- d-----w- C:\Combo-Fix
    2010-04-04 07:36 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 07:36 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 23:05 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant\PNPrint3.exe
    2010-03-30 22:41 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-03-24 13:38 . 2009-09-09 14:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
    2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
    2010-03-20 23:23 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 04:21 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
    2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
    2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
    2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
    2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
    2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
    2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
    2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
    2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
    2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
    2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 16:50 . 2008-01-13 03:02 205416 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
    2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
    2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
    2010-02-25 22:41 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-25 22:41 . 2010-02-23 21:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:38 . 2010-02-24 15:38 50354 ----a-w- c:\documents and settings\yo\Application Data\Facebook\uninstall.exe
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-02-23 19:29 . 2010-02-23 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-23 17:10 . 2010-02-23 17:07 1752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-23 16:30 . 2010-02-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-23 16:29 . 2010-02-23 16:29 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-21 12:05 . 2010-02-21 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-02-18 14:53 . 2010-02-18 14:53 -------- d-----w- c:\program files\Microsoft IntelliType Pro
    2010-02-18 14:50 . 2010-02-18 14:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\yo\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_900.dat
    + 2010-04-19 13:33 . 2010-04-19 13:33 16384 c:\windows\Temp\Perflib_Perfdata_88c.dat
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
    + 2010-04-19 13:33 . 2010-04-19 13:33 16384 c:\windows\Temp\Perflib_Perfdata_2d8.dat
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_144.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\yo\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
    2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "rpcapd"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "MyWebSearchService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5823:TCP"= 5823:TCP:Services
    "5824:TCP"= 5824:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "4603:TCP"= 4603:TCP:Services
    "7706:TCP"= 7706:TCP:Services
    "6699:TCP"= 6699:TCP:Services
    "6698:TCP"= 6698:TCP:Services
    "7478:TCP"= 7478:TCP:Services
    "7479:TCP"= 7479:TCP:Services
    "7589:TCP"= 7589:TCP:Services
    "7590:TCP"= 7590:TCP:Services

    R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
    S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    mSearch Bar = [You must be registered and logged in to see this link.]
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
    FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-04-19 09:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x889A9A80]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf768bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf74a0852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x885bf8f0
    PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
    SendHandler -> NDIS.sys @ 0xf795a87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\63.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
    "D-Code"="9943096400"
    "U-Code"="Demo"
    "S-Code"="4973197477"
    "C-Code"="2108728324272124"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-19 09:50:19
    ComboFix-quarantined-files.txt 2010-04-19 13:50
    ComboFix2.txt 2010-04-19 13:18

    Pre-Run: 60,579,667,968 bytes free
    Post-Run: 60,522,254,336 bytes free

    - - End Of File - - 1B7DDBC1094B96DDD95E45032EE48372


    Re: ebay paypal redirect/hijack

    Post by Net_Surfer on 19th April 2010, 6:46 pm

    Hi Yolinda,

    Please post the report log of the first scan with Combofix.

    Thank you
    Net_Surfer


    Obstacles are what you see when you take your eyes off your GOALS
    Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program You too could train to help others!


    Re: ebay paypal redirect/hijack

    Post by yolinda on 19th April 2010, 6:49 pm

    Here is the first scan....

    By the way, I am still getting the ebay & paypal redirects...


    ComboFix 10-04-18.04 - yo 04/19/2010 8:59.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1069 [GMT -4:00]
    Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\yo\Recent\Thumbs.db
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
    2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-13 21:37 . 2010-04-13 21:37 52224 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-13 21:37 . 2010-04-19 01:45 117760 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
    2010-04-12 22:34 . 2010-04-12 22:34 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\.SunDownloadManager
    2010-04-12 22:10 . 2010-04-12 22:10 -------- d-----w- C:\_OTL
    2010-04-12 20:13 . 2010-04-12 20:13 61440 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-sse.dll
    2010-04-12 20:13 . 2010-04-12 20:13 503808 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcp71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 499712 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\jmc.dll
    2010-04-12 20:13 . 2010-04-12 20:13 348160 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcr71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 12800 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-d3d.dll
    2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
    2010-04-12 02:40 . 2010-04-12 02:40 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
    2010-04-12 02:40 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
    2010-04-12 02:19 . 2010-04-12 02:19 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IECompatCache
    2010-04-12 02:04 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\GoToAssistDownloadHelper.exe
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\DoctorWeb
    2010-04-11 22:23 . 2010-04-11 22:23 -------- d-----w- C:\HelpAsst_backup
    2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-04-06 14:15 . 2010-04-11 13:45 -------- d-----w- c:\documents and settings\yo\DoctorWeb
    2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
    2010-04-05 21:46 . 2010-04-05 22:52 -------- d-----w- c:\windows\system32\NtmsData
    2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
    2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
    2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
    2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
    2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
    2010-04-05 01:04 . 2010-04-19 12:52 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
    2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
    2010-04-04 20:11 . 2010-04-04 21:03 -------- d-----w- C:\commy
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\program files\NOS
    2010-04-04 08:54 . 2003-04-21 19:18 52608 ----a-r- c:\windows\system32\drivers\nvatabus_2.sys
    2010-04-04 08:50 . 2010-04-04 08:52 -------- d-----w- C:\Combo-Fix
    2010-04-04 07:36 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 07:36 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 23:05 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant\PNPrint3.exe
    2010-03-30 22:41 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-03-24 13:38 . 2009-09-09 14:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
    2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
    2010-03-20 23:23 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 04:21 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
    2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
    2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
    2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
    2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
    2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
    2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
    2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
    2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
    2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
    2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 16:50 . 2008-01-13 03:02 205416 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
    2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
    2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
    2010-02-25 22:41 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-25 22:41 . 2010-02-23 21:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:38 . 2010-02-24 15:38 50354 ----a-w- c:\documents and settings\yo\Application Data\Facebook\uninstall.exe
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-02-23 19:29 . 2010-02-23 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-23 17:10 . 2010-02-23 17:07 1752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-23 16:30 . 2010-02-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-23 16:29 . 2010-02-23 16:29 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-21 12:05 . 2010-02-21 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-02-18 14:53 . 2010-02-18 14:53 -------- d-----w- c:\program files\Microsoft IntelliType Pro
    2010-02-18 14:50 . 2010-02-18 14:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\yo\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\yo\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
    2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "rpcapd"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "MyWebSearchService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5823:TCP"= 5823:TCP:Services
    "5824:TCP"= 5824:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "4603:TCP"= 4603:TCP:Services
    "7706:TCP"= 7706:TCP:Services
    "6699:TCP"= 6699:TCP:Services
    "6698:TCP"= 6698:TCP:Services
    "7478:TCP"= 7478:TCP:Services
    "7479:TCP"= 7479:TCP:Services

    R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
    S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = [You must be registered and logged in to see this link.]
    mSearch Bar = [You must be registered and logged in to see this link.]
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
    FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-ActiveScan 2.0 - c:\program files\Panda Security\ActiveScan 2.0\as2uninst.exe
    AddRemove-Hard Disk Low Level Format Tool_is1 - a:\hddguru llf tool\unins000.exe
    AddRemove-ophcrack - c:\program files\ophcrack\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-04-19 09:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x894163A8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf768bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf74a0852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x885958f0
    PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
    SendHandler -> NDIS.sys @ 0xf795a87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\63.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
    "D-Code"="9943096400"
    "U-Code"="Demo"
    "S-Code"="4973197477"
    "C-Code"="2108728324272124"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-19 09:18:02
    ComboFix-quarantined-files.txt 2010-04-19 13:18

    Pre-Run: 60,639,612,928 bytes free
    Post-Run: 60,608,466,944 bytes free

    - - End Of File - - 055EEEC8B7C7732A5AAE5ADD37CB1F3E


    eset log

    Post by yolinda on 20th April 2010, 7:13 pm

    Hi Net_Surfer,

    I went ahead and did another ESET scan, and this is the result:

    C:\Program Files\AIM6\services\softwareUpdate\ver2_14_16_3\aolsetup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined


    Also, the ebay/paypal redirect seems to be gone for now, but I am not able to log on to ebay. When I try to, I get a message that says I am not allowing cookies, so I can't log on. I checked my cookie settings, and changed them to always allow, but still get the message. I tried ebay tech support, and after going thru checking the privacy and security settings on IE8 with them, they said that there may be a virus on my system that has put a setting somewhere that is making this message appear so I can't log on. If I try to log on to ebay.ca, I have no problems. (of course, I can't list items, etc through the .ca site, but this at least shows I can log on & cookies are fine, it is something with the ebay.com site/url). I thought this info might help you identify whatever critter is lurking on my system.

    I did try to run Dr.Web CureIt again, and after many hours of running, I came back to a computer with the blue screen.

    Not trying to jump the gun on you, just thought I'd go ahead and try to rerun these scans you had requested previously while you were working on the log... I just need to get this system clean so I can transfer all my files/data to a new system and not worry about transferring this virus to the new pc.

    I do appreciate all your time/patience and help on this.

    Thank you,
    yolinda


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 21st April 2010, 5:27 am

    GMER

    Note about this tool:
    • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
    • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
    • No matter what is in the log, please post all the information/contents of the log.


    Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 21st April 2010, 4:38 pm

    Gmer crashed... blue screen of death...
    Stop: 0X000000C5 (0X00000004, 0X000000002, 0X00000001, 0X8054BBB4)

    I got Gmer to run before by unchecking everything except System, Sections and Services boxes. Do you want me to try that again? Which boxes have to be checked?

    Thanks


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 22nd April 2010, 1:19 am

    Let's try this, and see if we can work around it.

    Launch GMER and in the right panel, untick all except the following:
    • Modules
    • Processes
    • Libraries
    • Services
    • Show All
    Then click the scan button & show me the log it produces.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 22nd April 2010, 2:26 am

    That scan was very fast.... less than a minute...

    The log is very long, so I'm uploading the file.

    Thank you for your help!


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 22nd April 2010, 3:19 am

    That did not give the info I was hoping for. Let's try to run this:

    Please download [You must be registered and logged in to see this link.] by DragonMaster Jay and save it to your Desktop.
    • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
    • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
    • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in. Please do not upload it.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 22nd April 2010, 3:49 am

    ok, here it is...

    SpiderKill by DragonMaster Jay ( Oct 2009 )


    Microsoft Windows XP [Version 5.1.2600]

    ********************Drivers list********************


    Volume in drive C has no label.
    Volume Serial Number is 8C30-4B1B

    Directory of C:\Windows\System32\Drivers

    04/19/2010 09:42 AM .
    04/19/2010 09:42 AM ..
    04/13/2008 02:46 PM 53,376 1394bus.sys
    04/13/2008 02:46 PM 48,128 61883.sys
    04/13/2008 02:36 PM 187,776 acpi.sys
    08/29/2002 08:00 AM 11,648 acpiec.sys
    04/13/2008 08:11 PM 4,255 adv01nt5.dll
    04/13/2008 08:11 PM 3,967 adv02nt5.dll
    04/13/2008 08:11 PM 3,615 adv05nt5.dll
    04/13/2008 08:11 PM 3,647 adv07nt5.dll
    04/13/2008 08:11 PM 3,135 adv08nt5.dll
    04/13/2008 08:11 PM 3,711 adv09nt5.dll
    04/13/2008 08:11 PM 3,775 adv11nt5.dll
    04/13/2008 12:39 PM 142,592 aec.sys
    08/14/2008 06:04 AM 138,496 afd.sys
    04/13/2008 02:36 PM 42,368 agp440.sys
    04/13/2008 02:36 PM 44,928 agpcpq.sys
    04/13/2008 02:36 PM 42,752 alim1541.sys
    04/13/2008 02:36 PM 43,008 amdagp.sys
    04/13/2008 02:31 PM 37,376 amdk6.sys
    04/13/2008 02:31 PM 37,760 amdk7.sys
    11/29/2006 01:46 AM 28,224 APLMp50.sys
    04/13/2008 02:51 PM 60,800 arp1394.sys
    03/29/2000 10:17 AM 5,824 ASUSHWIO.SYS
    04/13/2008 02:57 PM 14,336 asyncmac.sys
    04/13/2008 02:40 PM 96,512 atapi.sys
    08/04/2004 01:29 AM 56,623 ati1btxx.sys
    08/04/2004 01:29 AM 11,615 ati1mdxx.sys
    08/04/2004 01:29 AM 12,047 ati1pdxx.sys
    08/04/2004 01:29 AM 30,671 ati1raxx.sys
    08/04/2004 01:29 AM 63,663 ati1rvxx.sys
    08/04/2004 01:29 AM 26,367 ati1snxx.sys
    08/04/2004 01:29 AM 21,343 ati1ttxx.sys
    08/04/2004 01:29 AM 36,463 ati1tuxx.sys
    08/04/2004 01:29 AM 29,455 ati1xbxx.sys
    08/04/2004 01:29 AM 34,735 ati1xsxx.sys
    08/04/2004 01:29 AM 327,040 ati2mtaa.sys
    08/04/2004 01:29 AM 701,440 ati2mtag.sys
    08/04/2004 01:29 AM 57,856 atinbtxx.sys
    08/04/2004 01:29 AM 13,824 atinmdxx.sys
    08/04/2004 01:29 AM 14,336 atinpdxx.sys
    08/04/2004 01:29 AM 52,224 atinraxx.sys
    08/04/2004 01:29 AM 104,960 atinrvxx.sys
    08/04/2004 01:29 AM 28,672 atinsnxx.sys
    08/04/2004 01:29 AM 13,824 atinttxx.sys
    08/04/2004 01:29 AM 73,216 atintuxx.sys
    08/04/2004 01:29 AM 31,744 atinxbxx.sys
    08/04/2004 01:29 AM 63,488 atinxsxx.sys
    07/17/2004 02:36 PM 64,352 ativmc20.cod
    04/13/2008 02:51 PM 59,904 atmarpc.sys
    08/29/2002 08:00 AM 31,360 atmepvc.sys
    04/13/2008 02:51 PM 55,808 atmlane.sys
    08/29/2002 08:00 AM 352,256 atmuni.sys
    04/13/2008 08:11 PM 21,183 atv01nt5.dll
    04/13/2008 08:11 PM 11,359 atv02nt5.dll
    04/13/2008 08:11 PM 25,471 atv04nt5.dll
    04/13/2008 08:11 PM 14,143 atv06nt5.dll
    04/13/2008 08:11 PM 17,279 atv10nt5.dll
    08/17/2001 09:59 AM 3,072 audstub.sys
    04/13/2008 02:46 PM 38,912 avc.sys
    05/11/2009 11:49 AM 45,416 avgntdd.sys
    02/16/2010 01:24 PM 60,936 avgntflt.sys
    05/11/2009 11:49 AM 22,360 avgntmgr.sys
    03/01/2010 09:05 AM 124,784 avipbb.sys
    08/29/2002 08:00 AM 4,224 beep.sys
    04/13/2008 02:53 PM 71,552 bridge.sys
    04/13/2008 02:46 PM 17,024 bthenum.sys
    04/13/2008 02:46 PM 37,888 bthmodem.sys
    04/13/2008 02:51 PM 101,120 bthpan.sys
    06/13/2008 07:05 AM 272,128 bthport.sys
    04/13/2008 02:46 PM 36,480 bthprint.sys
    04/13/2008 02:46 PM 18,944 bthusb.sys
    08/29/2002 08:00 AM 13,952 cbidf2k.sys
    04/13/2008 02:46 PM 17,024 CCDECODE.sys
    08/29/2002 08:00 AM 18,688 cdaudio.sys
    04/13/2008 03:14 PM 63,744 cdfs.sys
    04/13/2008 02:40 PM 62,976 cdrom.sys
    04/13/2008 08:11 PM 15,423 ch7xxnt5.dll
    08/29/2002 08:00 AM 262,528 cinemst2.sys
    04/13/2008 03:16 PM 49,536 classpnp.sys
    08/29/2002 08:00 AM 11,776 cpqdap01.sys
    04/13/2008 02:31 PM 36,736 crusoe.sys
    06/08/2005 02:08 PM 1,359,744 CT0531FL.SYS
    08/11/2006 03:45 PM 502,272 ctac32k.sys
    08/11/2006 03:45 PM 499,584 ctaud2k.sys
    11/10/2005 06:06 PM 340,704 ctdvda2k.sys
    12/30/2002 11:53 AM 12,160 CTGAME.SYS
    09/06/2005 03:02 PM 1,365,888 CTMMFILT.SYS
    08/11/2006 03:45 PM 116,224 ctoss2k.sys
    08/11/2006 03:45 PM 7,168 ctprxy2k.sys
    08/11/2006 03:45 PM 143,872 ctsfm2k.sys
    01/18/2007 04:28 PM 5,275 CVirtA.sys
    10/26/2007 02:27 PM 306,300 CVPNDRVA.sys
    07/18/2004 01:55 AM 129,045 cxthsfs2.cty
    01/12/2004 10:20 AM 9,600 CygF32x.sys
    01/12/2004 10:20 AM 16,000 CygLib.sys
    01/12/2008 09:58 AM disdn
    04/13/2008 02:40 PM 36,352 disk.sys
    04/13/2008 02:40 PM 14,208 diskdump.sys
    04/13/2008 02:44 PM 799,744 dmboot.sys
    04/13/2008 02:44 PM 153,344 dmio.sys
    08/29/2002 08:00 AM 5,888 dmload.sys
    04/13/2008 02:45 PM 52,864 dmusic.sys
    01/31/2007 01:45 PM 127,376 dne2000.sys
    04/13/2008 03:45 PM 60,160 drmk.sys
    04/13/2008 02:45 PM 2,944 drmkaud.sys
    08/29/2002 08:00 AM 10,496 dxapi.sys
    04/13/2008 02:38 PM 71,168 dxg.sys
    08/29/2002 08:00 AM 3,328 dxgthk.sys
    08/11/2006 03:45 PM 78,336 emupia2k.sys
    08/17/2001 09:46 AM 6,400 enum1394.sys
    10/11/2007 12:10 PM 30,008 ET5Drv.sys
    04/12/2010 06:10 PM etc
    04/13/2008 03:14 PM 143,744 fastfat.sys
    04/13/2008 02:40 PM 27,392 fdc.sys
    04/13/2008 02:33 PM 44,544 fips.sys
    04/13/2008 02:40 PM 20,480 flpydisk.sys
    04/13/2008 02:32 PM 129,792 fltmgr.sys
    08/29/2002 08:00 AM 12,160 fsvga.sys
    08/29/2002 08:00 AM 7,936 fs_rec.sys
    08/29/2002 08:00 AM 125,056 ftdisk.sys
    04/13/2008 02:36 PM 46,464 gagp30kx.sys
    04/13/2008 02:45 PM 10,624 gameenum.sys
    04/17/2008 01:12 PM 15,464 GEARAspiWDM.sys
    08/29/2002 08:00 AM 3,440,660 gm.dls
    08/29/2002 08:00 AM 646 gmreadme.txt
    01/23/2009 02:41 AM 24,944 GVTDrv.sys
    08/11/2006 03:45 PM 766,976 ha10kx2k.sys
    08/11/2006 03:45 PM 1,110,016 ha20x2k.sys
    08/11/2006 03:45 PM 154,112 haP16v2k.sys
    08/11/2006 03:45 PM 180,224 haP17v2k.sys
    11/22/2006 11:01 AM 693,760 hardlock.sys
    04/13/2008 12:36 PM 144,384 hdaudbus.sys
    04/13/2008 02:46 PM 25,600 hidbth.sys
    04/13/2008 02:45 PM 36,864 hidclass.sys
    04/13/2008 02:45 PM 19,200 hidir.sys
    04/13/2008 02:45 PM 24,960 hidparse.sys
    04/13/2008 09:11 PM 21,504 hidserv.dll
    04/13/2008 02:45 PM 10,368 hidusb.sys
    10/30/2008 05:08 PM 49,920 HPZid412.sys
    10/30/2008 05:08 PM 16,496 HPZipr12.sys
    10/30/2008 05:08 PM 21,568 HPZius12.sys
    08/04/2004 01:41 AM 220,032 hsfbs2s2.sys
    08/04/2004 01:41 AM 685,056 hsfcxts2.sys
    08/04/2004 01:41 AM 1,041,536 hsfdpsp2.sys
    10/20/2009 12:20 PM 265,728 http.sys
    04/13/2008 04:18 PM 52,480 i8042prt.sys
    04/13/2008 02:40 PM 42,112 imapi.sys
    11/26/2004 01:36 PM 98,176 InCDfs.sys
    11/26/2004 01:36 PM 28,928 InCDpass.sys
    11/26/2004 01:36 PM 7,808 InCDrec.sys
    11/26/2004 08:36 AM 27,648 InCDrm.sys
    04/13/2008 02:31 PM 36,352 intelppm.sys
    04/13/2008 02:53 PM 36,608 ip6fw.sys
    08/29/2002 08:00 AM 32,896 ipfltdrv.sys
    04/13/2008 02:57 PM 20,864 ipinip.sys
    04/13/2008 02:57 PM 152,832 ipnat.sys
    04/13/2008 03:19 PM 75,264 ipsec.sys
    04/13/2008 02:45 PM 46,592 irbus.sys
    04/13/2008 02:54 PM 11,264 irenum.sys
    04/13/2008 02:36 PM 37,248 isapnp.sys
    10/28/2005 05:11 PM 27,648 iteatapi.sys
    04/13/2008 02:39 PM 24,576 kbdclass.sys
    04/13/2008 02:39 PM 14,592 kbdhid.sys
    02/23/2010 01:10 PM 1,752 kgpcpy.cfg
    09/14/2009 03:42 PM 32,272 klim5.sys
    04/13/2008 02:45 PM 172,416 kmixer.sys
    04/13/2008 04:16 PM 141,056 ks.sys
    06/24/2009 07:18 AM 92,928 ksecdd.sys
    03/30/2010 12:45 AM 20,824 mbam.sys
    03/30/2010 12:46 AM 38,224 mbamswissarmy.sys
    08/29/2002 08:00 AM 7,680 mcd.sys
    08/04/2004 01:41 AM 11,868 mdmxsdk.sys
    04/13/2008 02:36 PM 63,744 mf.sys
    08/29/2002 08:00 AM 4,224 mnmdd.sys
    04/13/2008 03:00 PM 30,080 modem.sys
    04/13/2008 03:39 PM 23,040 mouclass.sys
    08/29/2002 08:00 AM 12,160 mouhid.sys
    04/13/2008 02:39 PM 42,368 mountmgr.sys
    04/13/2008 02:39 PM 92,544 mqac.sys
    04/13/2008 02:32 PM 180,608 mrxdav.sys
    02/24/2010 09:11 AM 455,680 mrxsmb.sys
    04/13/2008 02:46 PM 51,200 msdv.sys
    04/13/2008 02:32 PM 19,072 msfs.sys
    04/13/2008 02:56 PM 35,072 msgpc.sys
    04/13/2008 02:39 PM 7,552 mskssrv.sys
    08/17/2001 03:00 PM 2,944 msmpu401.sys
    04/13/2008 02:39 PM 5,376 mspclock.sys
    04/13/2008 02:39 PM 4,992 mspqm.sys
    04/13/2008 02:36 PM 15,488 mssmbios.sys
    04/13/2008 02:39 PM 5,504 MSTEE.sys
    08/28/2006 06:12 PM 13,312 MTictwl.sys
    08/04/2004 01:41 AM 126,686 mtlmnt5.sys
    08/04/2004 01:41 AM 1,309,184 mtlstrm.sys
    08/04/2004 01:29 AM 452,736 mtxparhm.sys
    04/13/2008 03:17 PM 105,344 mup.sys
    04/13/2008 02:43 PM 12,672 mutohpen.sys
    05/03/2007 01:37 PM 22,152 mxopswd.sys
    04/13/2008 02:46 PM 85,248 NABTSFEC.sys
    04/13/2008 03:20 PM 182,656 ndis.sys
    04/13/2008 02:46 PM 10,880 NdisIP.sys
    04/13/2008 02:57 PM 10,112 ndistapi.sys
    04/13/2008 02:55 PM 14,592 ndisuio.sys
    04/13/2008 03:20 PM 91,520 ndiswan.sys
    04/13/2008 02:57 PM 40,576 ndproxy.sys
    04/13/2008 02:56 PM 34,688 netbios.sys
    04/13/2008 03:21 PM 162,816 netbt.sys
    09/09/2009 10:29 AM 199,432 neti1639.sys
    04/15/2002 10:11 PM 67,866 netwlan5.img
    04/13/2008 02:51 PM 61,824 nic1394.sys
    08/29/2002 08:00 AM 12,032 nikedrv.sys
    04/13/2008 02:53 PM 40,320 nmnt.sys
    01/25/2007 01:31 PM 42,000 npf.sys
    04/13/2008 02:32 PM 30,848 npfs.sys
    04/13/2008 03:15 PM 574,976 ntfs.sys
    08/04/2004 01:41 AM 180,360 ntmtlfax.sys
    05/09/2009 02:14 AM 14,736 nuidfltr.sys
    08/29/2002 08:00 AM 2,944 null.sys
    12/05/2007 02:41 AM 7,435,392 nv4_mini.sys
    05/25/2004 04:58 PM 396,032 nvapu.sys
    05/25/2004 04:58 PM 66,688 nvarm.sys
    04/21/2003 03:18 PM 52,608 nvatabus.sys
    04/21/2003 03:18 PM 52,608 nvatabus_2.sys
    05/25/2004 04:58 PM 48,640 nvax.sys
    05/25/2004 04:58 PM 962,560 nvmcp.sys
    03/19/2003 04:51 PM 18,688 nv_agp.SYS
    08/29/2002 08:00 AM 12,416 nwlnkflt.sys
    08/29/2002 08:00 AM 32,512 nwlnkfwd.sys
    04/13/2008 02:56 PM 88,320 nwlnkipx.sys
    08/29/2002 08:00 AM 63,232 nwlnknb.sys
    08/29/2002 08:00 AM 55,936 nwlnkspx.sys
    04/13/2008 02:34 PM 163,584 nwrdr.sys
    04/13/2008 02:46 PM 61,696 ohci1394.sys
    08/29/2002 08:00 AM 3,456 oprghdlr.sys
    04/13/2008 02:31 PM 42,752 p3.sys
    04/13/2008 02:40 PM 80,128 parport.sys
    04/13/2008 02:40 PM 19,712 partmgr.sys
    08/29/2002 08:00 AM 6,784 parvdm.sys
    04/13/2008 02:36 PM 68,224 pci.sys
    08/17/2001 02:51 PM 3,328 pciide.sys
    04/13/2008 02:40 PM 24,960 pciidex.sys
    04/13/2008 02:36 PM 120,192 pcmcia.sys
    08/11/2006 03:56 PM 8,192 pfmodnt.sys
    06/01/2009 02:51 PM 27,792 point32.sys
    04/13/2008 04:19 PM 146,048 portcls.sys
    04/13/2008 02:31 PM 35,840 processr.sys
    04/13/2008 02:56 PM 69,120 psched.sys
    08/29/2002 08:00 AM 17,792 ptilink.sys
    08/29/2002 08:00 AM 8,832 rasacd.sys
    04/13/2008 03:19 PM 51,328 rasl2tp.sys
    04/13/2008 02:57 PM 41,472 raspppoe.sys
    04/13/2008 03:19 PM 48,384 raspptp.sys
    08/29/2002 08:00 AM 16,512 raspti.sys
    08/29/2002 08:00 AM 34,432 rawwan.sys
    04/13/2008 03:28 PM 175,744 rdbss.sys
    08/29/2002 08:00 AM 4,224 rdpcdd.sys
    04/13/2008 02:32 PM 196,224 rdpdr.sys
    04/13/2008 08:13 PM 139,656 rdpwd.sys
    08/04/2004 01:41 AM 13,776 recagent.sys
    04/13/2008 02:40 PM 57,600 redbook.sys
    04/13/2008 02:46 PM 59,136 rfcomm.sys
    08/29/2002 08:00 AM 12,032 rio8drv.sys
    08/29/2002 08:00 AM 12,032 riodrv.sys
    05/08/2008 10:02 AM 203,136 rmcast.sys
    04/13/2008 02:56 PM 30,592 rndismp.sys
    04/13/2008 02:56 PM 30,592 rndismpx.sys
    08/29/2002 08:00 AM 5,888 rootmdm.sys
    07/16/2004 03:19 PM 70,400 Rtlnicxp.sys
    11/20/2007 12:09 PM 104,320 Rtnicxp.sys
    08/04/2004 01:29 AM 166,912 s3gnbm.sys
    03/09/2010 11:13 PM 95,024 SBREDrv.sys
    04/13/2008 02:40 PM 96,384 scsiport.sys
    04/13/2008 02:36 PM 79,232 sdbus.sys
    11/13/2007 06:25 AM 20,480 secdrv.sys
    04/13/2008 02:40 PM 15,744 serenum.sys
    04/13/2008 03:15 PM 64,512 serial.sys
    04/13/2008 02:40 PM 11,904 sffdisk.sys
    04/13/2008 02:40 PM 10,240 sffp_mmc.sys
    04/13/2008 02:40 PM 11,008 sffp_sd.sys
    04/13/2008 02:40 PM 11,392 sfloppy.sys
    09/04/2003 08:45 AM 55,144 si3112.svs
    09/04/2003 08:45 AM 55,144 si3112.sys
    08/29/2007 04:04 AM 116,264 SI3112r.sys
    04/13/2008 08:12 PM 3,901 siint5.dll
    04/13/2008 02:36 PM 40,960 sisagp.sys
    08/29/2007 04:04 AM 19,240 SiWinAcc.sys
    04/13/2008 02:46 PM 11,136 SLIP.sys
    08/04/2004 01:41 AM 129,535 slnt7554.sys
    08/04/2004 01:41 AM 404,990 slntamr.sys
    08/04/2004 01:41 AM 95,424 slnthal.sys
    08/04/2004 01:41 AM 13,240 slwdmsup.sys
    04/13/2008 02:36 PM 5,888 smbali.sys
    08/29/2002 08:00 AM 14,592 smclib.sys
    04/13/2008 02:46 PM 25,344 sonydcam.sys
    04/13/2008 02:45 PM 6,272 splitter.sys
    04/13/2008 02:36 PM 73,472 sr.sys
    12/31/2009 12:50 PM 353,792 srv.sys
    05/11/2009 09:12 AM 28,520 ssmdrv.sys
    04/13/2008 03:45 PM 49,408 stream.sys
    04/13/2008 02:46 PM 15,232 StreamIP.sys
    04/13/2008 02:39 PM 4,352 swenum.sys
    04/13/2008 02:45 PM 56,576 swmidi.sys
    04/13/2008 03:15 PM 60,800 sysaudio.sys
    04/13/2008 02:40 PM 14,976 tape.sys
    06/20/2008 07:51 AM 361,600 tcpip.sys
    02/11/2010 08:02 AM 226,880 tcpip6.sys
    04/13/2008 03:00 PM 19,072 tdi.sys
    04/13/2008 08:13 PM 12,040 tdpipe.sys
    04/13/2008 08:13 PM 21,896 tdtcp.sys
    04/13/2008 08:13 PM 40,840 termdd.sys
    05/07/2009 03:04 AM 157,712 tmcomm.sys
    08/29/2002 08:00 AM 51,712 tosdvd.sys
    08/29/2002 08:00 AM 21,376 tsbvcap.sys
    04/13/2008 02:56 PM 12,288 tunmp.sys
    04/13/2008 02:36 PM 44,672 uagp35.sys
    04/13/2008 02:32 PM 66,048 udfs.sys
    11/23/2008 01:22 PM UMDF
    04/13/2008 02:39 PM 384,768 update.sys
    04/13/2008 02:56 PM 12,800 usb8023.sys
    04/13/2008 02:56 PM 12,800 usb8023x.sys
    04/13/2008 03:45 PM 60,032 USBAUDIO.sys
    04/13/2008 02:45 PM 25,600 usbcamd.sys
    04/13/2008 02:45 PM 25,728 usbcamd2.sys
    04/13/2008 02:45 PM 32,128 usbccgp.sys
    08/29/2002 08:00 AM 4,736 usbd.sys
    04/13/2008 02:45 PM 30,208 usbehci.sys
    04/13/2008 02:45 PM 59,520 usbhub.sys
    04/13/2008 02:45 PM 15,872 usbintel.sys
    04/13/2008 02:45 PM 17,152 usbohci.sys
    04/13/2008 02:45 PM 143,872 usbport.sys
    04/13/2008 02:47 PM 25,856 usbprint.sys
    04/13/2008 03:45 PM 15,104 usbscan.sys
    04/13/2008 02:45 PM 26,368 usbstor.sys
    04/13/2008 02:46 PM 121,984 usbvideo.sys
    04/13/2008 08:12 PM 11,325 vchnt5.dll
    08/29/2002 08:00 AM 58,112 vdmindvd.sys
    04/13/2008 02:44 PM 20,992 vga.sys
    04/13/2008 02:36 PM 42,240 viaagp.sys
    04/13/2008 02:44 PM 81,664 videoprt.sys
    04/13/2008 02:41 PM 52,352 volsnap.sys
    04/13/2008 02:43 PM 14,208 wacompen.sys
    08/04/2004 01:29 AM 11,807 wadv07nt.sys
    08/04/2004 01:29 AM 11,295 wadv08nt.sys
    08/04/2004 01:29 AM 11,871 wadv09nt.sys
    08/04/2004 01:29 AM 11,935 wadv11nt.sys
    04/13/2008 02:57 PM 34,560 wanarp.sys
    08/04/2004 01:29 AM 22,271 watv06nt.sys
    08/04/2004 01:29 AM 25,471 watv10nt.sys
    11/02/2006 08:22 AM 492,000 wdf01000.sys
    11/02/2006 08:22 AM 32,224 wdfldr.sys
    04/13/2008 03:17 PM 83,072 wdmaud.sys
    08/29/2002 08:00 AM 4,352 wmilib.sys
    10/18/2006 08:00 PM 38,528 wpdusb.sys
    08/29/2002 08:00 AM 12,032 ws2ifsl.sys
    04/13/2008 02:46 PM 19,200 WSTCODEC.SYS
    09/28/2006 06:55 PM 77,568 WudfPf.sys
    09/28/2006 07:00 PM 82,944 WudfRd.sys
    352 File(s) 44,020,948 bytes

    Directory of C:\Windows\System32\Drivers\disdn

    01/12/2008 09:58 AM .
    01/12/2008 09:58 AM ..
    0 File(s) 0 bytes

    Directory of C:\Windows\System32\Drivers\etc

    04/12/2010 06:10 PM .
    04/12/2010 06:10 PM ..
    04/12/2010 06:10 PM 98 Hosts
    08/29/2002 08:00 AM 734 hosts.20100309-193033.backup
    08/29/2002 08:00 AM 3,683 lmhosts.sam
    08/29/2002 08:00 AM 407 networks
    08/29/2002 08:00 AM 799 protocol
    08/29/2002 08:00 AM 7,116 services
    6 File(s) 12,837 bytes

    Directory of C:\Windows\System32\Drivers\UMDF

    11/23/2008 01:22 PM .
    11/23/2008 01:22 PM ..
    10/18/2006 09:47 PM 671,232 wpdmtpdr.dll
    1 File(s) 671,232 bytes

    Total Files Listed:
    359 File(s) 44,705,017 bytes
    11 Dir(s) 60,875,743,232 bytes free


    ***********************Hidden Drivers********************
    Volume in drive C has no label.
    Volume Serial Number is 8C30-4B1B

    Directory of C:\Windows\System32\Drivers

    01/13/2008 12:07 AM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    01/13/2008 12:07 AM 0 Msft_Kernel_NuidFltr_01005.Wdf
    2 File(s) 0 bytes
    0 Dir(s) 60,875,755,520 bytes free


    *********************Processes*******************


    PROCESS PID PRIO PATH
    smss.exe 1064 Normal C:\WINDOWS\System32\smss.exe
    csrss.exe 1116 Normal C:\WINDOWS\system32\csrss.exe
    winlogon.exe 1144 High C:\WINDOWS\system32\winlogon.exe
    services.exe 1188 Normal C:\WINDOWS\system32\services.exe
    lsass.exe 1200 Normal C:\WINDOWS\system32\lsass.exe
    svchost.exe 1372 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1472 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1596 Normal C:\WINDOWS\System32\svchost.exe
    InCDsrv.exe 1624 Normal C:\Program Files\Ahead\InCD\InCDsrv.exe
    svchost.exe 1776 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1892 Normal C:\WINDOWS\System32\svchost.exe
    svchost.exe 252 Normal C:\WINDOWS\system32\svchost.exe
    Explorer.EXE 428 Normal C:\WINDOWS\Explorer.EXE
    spoolsv.exe 568 Normal C:\WINDOWS\system32\spoolsv.exe
    sched.exe 628 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe 732 Normal C:\WINDOWS\System32\svchost.exe
    CTHELPER.EXE 1556 Normal C:\WINDOWS\CTHELPER.EXE
    SearchProtection.exe 1584 Normal C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    ipoint.exe 1612 Normal C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    itype.exe 1652 Normal C:\Program Files\Microsoft IntelliType Pro\itype.exe
    HPWuSchd2.exe 1924 Normal C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    avgnt.exe 1960 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    jusched.exe 1976 Normal C:\Program Files\Common Files\Java\Java Update\jusched.exe
    GoogleToolbarNotifier.exe 1988 Normal C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    ctfmon.exe 144 Normal C:\WINDOWS\system32\ctfmon.exe
    hpqtra08.exe 260 Normal C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    WindowsSearch.exe 300 Normal C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    ACService.exe 960 Normal C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    avguard.exe 944 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    cvpnd.exe 1088 Normal C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    DkService.exe 1100 Below Normal C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    dpupdchk.exe 2080 Normal C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    svchost.exe 2176 Normal C:\WINDOWS\system32\svchost.exe
    jqs.exe 2208 Idle C:\Program Files\Java\jre6\bin\jqs.exe
    avshadow.exe 2220 Normal C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    MagicTuneEngine.exe 2248 Normal C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    SyncServices.exe 2356 Normal C:\Program Files\Maxtor\Sync\SyncServices.exe
    svchost.exe 2468 Normal C:\WINDOWS\System32\svchost.exe
    nTuneService.exe 2792 Normal C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    nvsvc32.exe 2856 Normal C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe 2904 Normal C:\WINDOWS\System32\svchost.exe
    snmp.exe 3068 Normal C:\WINDOWS\System32\snmp.exe
    svchost.exe 3276 Normal C:\WINDOWS\System32\svchost.exe
    YahooAUService.exe 3372 Normal C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    SearchIndexer.exe 3996 Normal C:\WINDOWS\system32\SearchIndexer.exe
    MagicTune.exe 2300 Normal C:\Program Files\MagicTune Premium\MagicTune.exe
    alg.exe 2876 Normal C:\WINDOWS\System32\alg.exe
    hpqSTE08.exe 700 Normal C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    hpqbam08.exe 1684 Normal C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    hpqgpc01.exe 2708 Normal C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    FNPLicensingService.exe 4716 Normal C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    AcroTray.exe 5568 Normal C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
    cmd.exe 5120 Normal C:\WINDOWS\system32\cmd.exe
    processes.exe 5536 Normal C:\Documents and Settings\yo\Desktop\SpiderKill\SpiderKill\processes.exe


    Module information for 'Explorer.EXE'(428)
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
    ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
    kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
    ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
    RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
    Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
    BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
    GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
    USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
    msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
    ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
    SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
    SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
    CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
    MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
    CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
    NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
    VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
    WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
    Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
    urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
    iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
    WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
    SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
    UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
    ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
    AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
    WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
    MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
    USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
    IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
    comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
    comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
    msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
    appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
    COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
    GrooveShellExtensions.dll 661d0000 2224128 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll 12.0.6421.1000 GrooveShellExtensions Module
    GrooveUtil.DLL 68ef0000 991232 C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL 12.0.6423.1000 GrooveUtil Module
    MSVCR80.dll dc0000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft® C Runtime Library
    GrooveNew.DLL 68ff0000 28672 C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL 12.0.6413.1000 GrooveNew Module
    ATL80.DLL 7c630000 110592 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL 8.00.50727.4053 ATL Module for Windows (Unicode)
    rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
    MSImg32.dll 76380000 20480 C:\WINDOWS\system32\MSImg32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
    cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
    CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
    themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
    xpsp2res.dll 1100000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
    actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
    SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
    GrooveSystemServices.dll 65e50000 184320 C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll 12.0.6421.1000 GrooveSystemServices Module
    msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
    LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
    ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
    ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
    WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
    SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
    msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
    ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Explorer
    MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
    msvcp60.dll 76080000 413696 C:\WINDOWS\System32\msvcp60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
    NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
    credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
    dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
    rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
    dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
    OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
    WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
    eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
    eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
    iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
    webcheck.dll 20f0000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
    stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
    BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
    WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
    WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
    mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
    PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
    PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
    GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
    MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
    wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
    ctagent.dll 1b80000 24576 C:\WINDOWS\system32\ctagent.dll 1, 0, 0, 12 ctagent
    MSNLNamespaceMgr.dll 4050000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
    SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
    MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
    drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
    SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
    PDFShell.dll 4160000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.3.2.163 PDF Shell Extension
    browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
    gdiplus.dll 4ec50000 1748992 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll 5.2.6001.22319 (vistasp1_ldr.081126-1506) Microsoft GDI+
    DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
    mscms.dll 73b30000 86016 C:\WINDOWS\system32\mscms.dll 5.1.2600.5627 (xpsp_sp3_gdr.080624-1245) Microsoft Color Matching System DLL
    WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
    SnagItShellExtRes.dll 3500000 32768 C:\Program Files\TechSmith\SnagIt 9\SnagItShellExtRes.dll 9.0.0.351 SnagIt Shell Extension Resources DLL
    NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.5512 (xpsp.080413-2111) Configuration Manager Forwarder DLL
    icm32.dll 66e90000 266240 C:\WINDOWS\system32\icm32.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft Color Management Module (CMM)
    printui.dll 74b80000 573440 C:\WINDOWS\system32\printui.dll 5.1.2600.5512 (xpsp.080413-0852) Print UI DLL
    ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
    AcroIEHelper.dll 990000 65536 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll 9.3.2.163 Adobe PDF Helper for Internet Explorer
    msohevi.dll 6bd10000 65536 C:\Program Files\Microsoft Office\Office12\msohevi.dll 12.0.6413.1000 2007 Microsoft Office component



    ******************************************
    EOF

    yolinda
    Intermediate
    Intermediate

    Posts Posts : 72
    Joined Joined : 2010-04-04
    Gender Gender : Female
    OS OS : Windows XP
    Protection Protection : Currently using Avira.
    Points Points : 25488
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 22nd April 2010, 4:11 am

    Please do a scan with [You must be registered and logged in to see this link.]

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Dr. Jay (DJ)


    [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

    Dr Jay
    Head Administrator
    Head Administrator

    Posts Posts : 14310
    Joined Joined : 2009-09-06
    Gender Gender : Male
    OS OS : Windows 10 Home & Pro
    Arch. Arch. : x64 (64-bit)
    Protection Protection : Bitdefender Total Security
    Points Points : 302971
    # Likes # Likes : 10

    View user profile

    Back to top Go down

    Kaspersky scan

    Post by yolinda on 22nd April 2010, 2:17 pm

    Hi Dragonmaster_Jay,

    Here are the results of the Kaspersky scan:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, April 22, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, April 21, 2010 20:27:33
    Records in database: 3962586
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    H:\

    Scan statistics:
    Objects scanned: 273092
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 1
    Scan duration: 06:38:06


    File name / Threat / Threats count
    C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    Selected area has been scanned.


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 22nd April 2010, 4:26 pm

    Good.

    I think this will be the final check.

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
    Please close all other applications running on your system.

    Please double click GetSystemInfo.exe to open it.

    Click the Settings button.

    Set it to Maximum

    IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.

    Click Create Report to run it.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

    Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 22nd April 2010, 4:58 pm

    ok...here is the link:

    [You must be registered and logged in to see this link.]


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 23rd April 2010, 12:12 am

    We need to do some diagnostics.

    1. Please download [You must be registered and logged in to see this link.] by noahdfear.
    • Save it to your desktop.
    • Double-click profiles.exe and post its log when you reply


    2. Download [You must be registered and logged in to see this link.] by ad13 and save it to your Desktop.
    • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
    • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
    • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


    3. In your next reply, please post the following logs for my review:
    • Profiles log (1)
    • Win32kDiag log (2)


    Thanks! Smile


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 23rd April 2010, 12:31 am

    Unfortunately, the redirect is still alive and well. I just took a screen shot of what I get when I try to log on to eBay or PayPal (except, if it's PayPal, it has that logo of course...). If I log on with a different computer, I can log on without any problems.


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 23rd April 2010, 12:33 am

    Ok. Try Profiles and Win32kDiag and let me see the logs, please.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 23rd April 2010, 12:41 am

    Hi Dragonmaster_Jay,

    Thank you very much for your patience and continued help in trying to track down this problem!

    Here is the log for Profiles:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1003
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS


    And here is the log for Win32kDiag:

    Running from: C:\Documents and Settings\yo\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\yo\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...





    Finished!


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 23rd April 2010, 12:55 am

    Go here, and download SWReg:

    [You must be registered and logged in to see this link.]

    When installed, go to Start | Run and type the following. You may want to copy/paste, just to make sure:

    swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f

    ============

    Then, do the HelpAsst fix there again.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 23rd April 2010, 3:50 am

    Hi Dragonmaster_Jay,

    This did not find a mbr infection on the scan, so I followed the directions for that situation. Here is the helpasst log:

    C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
    Thu 04/22/2010 at 21:48:18.12

    HelpAssistant account is Active ~ attempting to de-activate

    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6698:TCP"=-
    "6699:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7590:TCP"=-
    "7589:TCP"=-
    "9885:TCP"=-
    "9886:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6699:TCP"=-
    "6698:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7589:TCP"=-
    "7590:TCP"=-
    "9886:TCP"=-
    "9885:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    ~~ Checking profile list ~~

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant.LINDAS files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Thu 04/22/2010 at 23:41:28.57

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A337C78]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services


    ~~ EOF ~~

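As an added example that is not part of the original thread and not code from HelpAsst_mebroot_fix, SWReg or profiles.exe: the swreg command above resets the TermService ServiceDll to termsrv.dll, and the HelpAsst log lists the firewall GloballyOpenPorts entries, the ServiceDll value and the HelpAssistant profile it acted on. The script below parses those same registry-style log lines and reports the three conditions the fix treats as rogue, so a status check like the one at the end of the log can be read mechanically instead of by eye. The baseline port set is an assumption to be tuned per host, and the sample log is constructed from values in the thread: the termsrv32.dll ServiceDll line in it is a constructed bad case, not a value the log showed.

```python
"""Triage of the indicators the HelpAsst_mebroot_fix / profiles.exe logs print.

Added example for this thread; not code from the tools or the forum.
Reports:
  * firewall GloballyOpenPorts entries that are Enabled for scope '*' and
    not in a baseline (TCP 3389 and the high ports seen in the log),
  * a TermService ServiceDll that is not the stock termsrv.dll in System32,
  * a ProfileList path pointing at a HelpAssistant profile directory.
"""
import re
from typing import NamedTuple

# Stock value of the TermService ServiceDll on Windows XP, as printed by the fix log.
EXPECTED_TERMSRV_DLL = r"%systemroot%\System32\termsrv.dll"

# Assumption: ports this host may legitimately keep open to every address.
# Tune to the host's known-good firewall export; anything else that is
# Enabled with scope '*' is reported.
BASELINE_PORTS = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}

# "65533:TCP"=65533:TCP:*:Enabled:Services   (name = port:proto, data = port:proto:scope:state:label)
PORT_LINE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"='
    r'(?P<port2>\d+):(?P<proto2>TCP|UDP):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$'
)
# ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
SERVICEDLL_LINE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(?P<value>\S.*?)\s*$", re.IGNORECASE)
# %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS  (with or without the ProfileImagePath prefix)
PROFILE_PATH = re.compile(
    r"(?:ProfileImagePath\s+REG_EXPAND_SZ\s+)?"
    r"(?P<path>%SystemDrive%\\Documents and Settings\\(?P<name>[^\\\s]+))\s*$",
    re.IGNORECASE,
)


class OpenPort(NamedTuple):
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


def parse_open_ports(text):
    """GloballyOpenPorts entries found in text; '"port:TCP"=-' deletion lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(OpenPort(int(m["port"]), m["proto"], m["scope"],
                                    m["state"] == "Enabled", m["name"]))
    return entries


def rogue_ports(entries, baseline=BASELINE_PORTS):
    """Entries that are enabled, open to every address ('*') and not in the baseline."""
    return [e for e in entries
            if e.enabled and e.scope == "*" and (e.port, e.proto) not in baseline]


def service_dll_ok(text):
    """True only if a ServiceDll line is present and names the stock termsrv.dll (case-insensitive)."""
    for line in text.splitlines():
        m = SERVICEDLL_LINE.match(line.strip())
        if m:
            return m["value"].lower() == EXPECTED_TERMSRV_DLL.lower()
    return False  # a missing value is also worth a look


def helpassistant_profiles(text):
    """Profile paths whose directory name starts with HelpAssistant (e.g. HelpAssistant.LINDAS)."""
    hits = []
    for line in text.splitlines():
        m = PROFILE_PATH.search(line.strip())
        if m and m["name"].lower().startswith("helpassistant"):
            hits.append(m["path"])
    return hits


def triage(text):
    """Summarise the three indicator classes for one log."""
    return {
        "rogue_ports": sorted((e.port, e.proto) for e in rogue_ports(parse_open_ports(text))),
        "service_dll_ok": service_dll_ok(text),
        "helpassistant_profiles": helpassistant_profiles(text),
    }


# Constructed sample: port and profile values copied from the thread's log, plus one
# in-baseline port, one disabled port and a constructed non-stock ServiceDll value.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Services
"139:TCP"=139:TCP:*:Enabled:File and Printer Sharing
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=8541:TCP:*:Disabled:Services

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv32.dll

S-1-5-21-1844237615-1409082233-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real log, read the HelpAsst or profiles.exe text file and pass it to triage(); the scope check matters because an XP firewall entry limited to LocalSubNet is a different risk than one open to '*', and the deletion lines the fix prints ("65533:TCP"=-) are deliberately skipped so a log that records a removal is not counted as a still-open port.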

    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 23rd April 2010, 3:53 am

    Delete the current copy of HelpAsst_mebroot_fix.exe and download a fresh one from [You must be registered and logged in to see this link.]. Please save it to your desktop, else the following command will not work.
    Click Start>Run then copy and paste in the following bolded command, then hit Enter.

    "%userprofile%\desktop\helpasst_mebroot_fix.exe" -mbrt

    A log will open when it completes. Please post its contents here.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 23rd April 2010, 2:57 pm

    ok, here it is:

    C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
    Thu 04/22/2010 at 21:48:18.12

    HelpAssistant account is Active ~ attempting to de-activate

    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6698:TCP"=-
    "6699:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7590:TCP"=-
    "7589:TCP"=-
    "9885:TCP"=-
    "9886:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6699:TCP"=-
    "6698:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7589:TCP"=-
    "7590:TCP"=-
    "9886:TCP"=-
    "9885:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    ~~ Checking profile list ~~

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant.LINDAS files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Thu 04/22/2010 at 23:41:28.57

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A337C78]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services


    ~~ EOF ~~

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Fri 04/23/2010 at 10:55:51.35

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D2E5A8]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present!


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


    ~~ EOF ~~

    yolinda
    Intermediate
    Intermediate

    Posts Posts : 72
    Joined Joined : 2010-04-04
    Gender Gender : Female
    OS OS : Windows XP
    Protection Protection : Currently using Avira.
    Points Points : 25488
    # Likes # Likes : 0

    View user profile

    Back to top Go down
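The status checks in the log above turn on two artifacts: the TermService ServiceDll pointing at termsrv32.dll instead of termsrv.dll, and GloballyOpenPorts firewall exceptions that Windows did not create. As an added example (not part of the thread and not code from the HelpAsst tool), the Python below parses lines in that log's format and reports both; the sample log text, the expected DLL name and the port baseline are constructed assumptions.

```python
"""Added example: triage the TermService ServiceDll value and the firewall
GloballyOpenPorts entries from a HelpAsst_mebroot_fix-style log."""
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the status-check sections of the log
# quoted above (not the user's real log).
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8540:TCP"=8540:TCP:*:Enabled:Services
"8541:TCP"=-
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

# The DLL the log shows once the rogue termsrv32.dll had been removed.
EXPECTED_TERMSRV_DLL = "termsrv.dll"

# Assumed baseline of firewall exceptions an administrator expects to see
# (port, protocol, display name). Anything else is reported for review.
BASELINE_PORTS = {("3389", "TCP", "remote desktop")}

PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports\\list", re.I)
PORT_RE = re.compile(
    r'^"(\d+):(TCP|UDP)"=(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$', re.I)
DELETED_RE = re.compile(r'^"(\d+):(TCP|UDP)"=-$', re.I)   # "=-" marks a removed value
SERVICEDLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(.+)$", re.I)


def termservice_dll(text: str) -> Optional[str]:
    """Return the file name in the TermService ServiceDll value, or None if absent."""
    in_params = False
    for line in text.splitlines():
        line = line.strip()
        if "termservice\\parameters" in line.lower():
            in_params = True
            continue
        if in_params:
            m = SERVICEDLL_RE.match(line)
            if m:
                return m.group(1).strip().split("\\")[-1]
            if line.startswith(("HKEY_", "[")):   # moved on to another key
                in_params = False
    return None


def parse_open_ports(text: str) -> List[Dict[str, str]]:
    """Parse GloballyOpenPorts entries under each firewall profile header."""
    entries: List[Dict[str, str]] = []
    profile = None
    for line in text.splitlines():
        line = line.strip()
        m = PROFILE_RE.search(line)
        if m:
            profile = m.group(1).lower()
            continue
        if profile is None or DELETED_RE.match(line):
            continue
        m = PORT_RE.match(line)
        if m:
            entries.append({"profile": profile, "port": m.group(3),
                            "proto": m.group(4).upper(), "scope": m.group(5),
                            "state": m.group(6), "name": m.group(7).strip()})
    return entries


def rogue_ports(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries outside the baseline. In the log above every rogue entry carried
    the generic display name 'Services', which is a useful extra signal."""
    return [e for e in entries
            if (e["port"], e["proto"], e["name"].lower()) not in BASELINE_PORTS]


def triage(text: str) -> dict:
    dll = termservice_dll(text)
    return {"servicedll": dll,
            "servicedll_ok": dll is not None and dll.lower() == EXPECTED_TERMSRV_DLL,
            "rogue_ports": rogue_ports(parse_open_ports(text))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    status = "expected" if result["servicedll_ok"] else "UNEXPECTED"
    print(f"TermService ServiceDll: {result['servicedll']} ({status})")
    for e in result["rogue_ports"]:
        print(f"review: {e['profile']} {e['port']}/{e['proto']} {e['state']} '{e['name']}'")
```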

    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 23rd April 2010, 8:08 pm

    We beat up part of it now. Let's search and destroy.

    Please download SystemLook from one of the links below and save it to your Desktop.
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:

      :filefind
      *helpassistant*
      *helpasst*
      *assistant*

      :folderfind
      *helpassistant*
      *helpasst*
      *assistant*

      :regfind
      helpassistant
      helpasst

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt



    Re: ebay paypal redirect/hijack

    Post by yolinda on 23rd April 2010, 9:14 pm

    Sounds Great... I'm ready to squash this bug for good!


    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 16:56 on 23/04/2010 by yo (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "*helpassistant*"
    C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\Documents and Settings\yo\Recent\HelpAssistant.lnk --a--- 517 bytes [10:57 13/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.LINDAS.lnk --a--- 556 bytes [02:06 23/04/2010] [13:06 13/04/2010] C750B857F6A8620410F6ED1F4D31CEEF
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.lnk --a--- 517 bytes [02:06 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

    Searching for "*helpasst*"
    C:\Documents and Settings\HelpAssistant.LINDAS\Desktop\HelpAsst_mebroot_fix.exe --a--- 490232 bytes [03:36 23/04/2010] [01:29 23/04/2010] 1F400D155A8F31DD57BC2A9CE5B8D6F5
    C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAsst.log.lnk --a--- 415 bytes [04:01 23/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
    C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe --a--- 489984 bytes [14:55 23/04/2010] [14:55 23/04/2010] 3516C911A1B9264D5E6B26F27D114FB6
    C:\Documents and Settings\yo\Recent\HelpAsst.log.lnk --a--- 415 bytes [15:17 19/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
    C:\HelpAsst.log --a--- 4856 bytes [22:23 11/04/2010] [14:55 23/04/2010] C9356F32033DB9C16EA6E62EB04047DA
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Desktop\HelpAsst_mebroot_fix.exe --a--- 490008 bytes [01:52 23/04/2010] [22:20 11/04/2010] 58B59A8C44CB661F3E4A952E88B0F8F3
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAsst.log.lnk --a--- 415 bytes [02:06 23/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
    C:\WINDOWS\Prefetch\HELPASST_MEBROOT_FIX.EXE-23271C94.pf --a--- 59716 bytes [01:48 23/04/2010] [14:55 23/04/2010] 04DD050E52A2FA069BEB963B364537DD

    Searching for "*assistant*"
    C:\Documents and Settings\All Users\Application Data\HP Product Assistant\HPProductAssistant.ini --a--- 9024 bytes [23:23 16/10/2008] [05:28 23/04/2010] 612BA8FFDD872F33F164BE751B6B7471
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [03:38 23/04/2010] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [03:38 23/04/2010] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
    C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [04:01 15/05/2008] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
    C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [04:02 15/05/2008] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
    C:\Documents and Settings\yo\Recent\HelpAssistant.lnk --a--- 517 bytes [10:57 13/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [01:53 23/04/2010] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [01:53 23/04/2010] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.LINDAS.lnk --a--- 556 bytes [02:06 23/04/2010] [13:06 13/04/2010] C750B857F6A8620410F6ED1F4D31CEEF
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.lnk --a--- 517 bytes [02:06 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\MicrosoftDotNetFrameworkAssistant.xpi --a--- 19153 bytes [18:40 18/03/2009] [18:40 18/03/2009] 142AA9EC7D07C3F7B26E20E5EA399C80

    ========== folderfind ==========

    Searching for "*helpassistant*"
    C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
    C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]

    Searching for "*helpasst*"
    C:\HelpAsst_backup d----- [22:23 11/04/2010]

    Searching for "*assistant*"
    C:\Documents and Settings\All Users\Application Data\HP Product Assistant d----- [00:33 05/04/2010]
    C:\Documents and Settings\All Users\Application Data\HP\ProductAssistant d----- [00:33 05/04/2010]
    C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
    C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant d----- [03:38 23/04/2010]
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d----- [03:38 23/04/2010]
    C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant d----- [04:01 15/05/2008]
    C:\Documents and Settings\yo\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d----- [04:02 15/05/2008]
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant d-a--- [01:53 23/04/2010]
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d-a--- [01:53 23/04/2010]
    C:\Program Files\HP\Digital Imaging\Product Assistant d----- [00:33 05/04/2010]
    C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ExceptionAssistantContent d----- [05:31 28/11/2008]
    C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension d----- [07:09 15/08/2009]

    ========== regfind ==========

    Searching for "helpassistant"
    [HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
    @="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000]
    "ProfileImagePath"="%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000]
    "ProfileImagePath"="%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
    @="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

    Searching for "helpasst"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe]
    @="C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe"

    -=End Of File=-


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 24th April 2010, 3:50 am

    Do you have an XP cd?



    Re: ebay paypal redirect/hijack

    Post by yolinda on 24th April 2010, 3:23 pm

    Yes, I do.


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 24th April 2010, 5:12 pm

    Reboot your computer.

    Boot from the Windows XP CD and press the "R" key in Setup in order to start the Recovery Console.

    Select your Windows XP installation from the list (usually 1). It will prompt for an administrator password. The password is probably blank, so just hit Enter.

    Enter the command: fixmbr at the input prompt and confirm the next question with a Y.

    It should then reboot the computer. If it does not, then type exit.

    Boot back into normal XP.

    =================

    After that, please do the following:

    Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
    • Double-click mbr.exe to start the program.
    • When done scanning, it will save a log on the Desktop called mbr.log.
    • Please post the contents of that log in your next reply.



    Re: ebay paypal redirect/hijack

    Post by yolinda on 28th April 2010, 6:21 pm

    Hi Dragonmaster Jay,

    I followed the directions, booted from the Windows XP CD. When I typed R to go to the Recovery Console, it went to the black screen with the C prompt. (I did not have to select anything.) When I typed fixmbr, it just popped up another C prompt. No response, just the C prompt. So I typed exit.

    Upon restarting, I tried going into the Windows Recovery Console (installed on one of the earlier steps; it shows now whenever I boot). It started loading, then BAM.... blue screen of death...

    So I am going to go ahead and do the Stealth MBR Rootkit Detector & post log... but wanted to update you on what was happening.

    Thanks
    yolinda


    Re: ebay paypal redirect/hijack

    Post by yolinda on 28th April 2010, 6:24 pm

    Here is the log from Stealth MBR Rootkit Detector:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 28th April 2010, 9:10 pm

    Having any more redirects?



    Re: ebay paypal redirect/hijack

    Post by yolinda on 29th April 2010, 8:11 pm

    Man, I was really hoping we killed this thing!

    I did not have the redirect last night, but now it is back again.

    This thing is worse than a bad horror movie where they "kill" the bad guy, then he pops back up and attacks again...


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 29th April 2010, 8:29 pm

    Whenever rootkit scanners and antivirus software scan for a rootkit, they get as close to the system kernel as possible. If the rootkit is beyond that point, it will not be detected.

    Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
    • Double-click mbr.exe to start the program.
    • When done scanning, it will save a log on the Desktop called mbr.log.
    • Please post the contents of that log in your next reply.



    Re: ebay paypal redirect/hijack

    Post by yolinda on 29th April 2010, 9:41 pm

    Ok, here is the scan:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0E4FBFE2

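The mbr.exe output above reports a second copy of the MBR at another sector, which is why an MBR is compared against a reference copy rather than only checked for a valid boot signature. The following is an added Python example (not code from GMER or from this thread) that parses a 512-byte MBR image, sanity-checks its partition table and compares it field by field with a reference copy; the MBR images it uses are constructed test data.

```python
"""Added example: parse a 512-byte MBR image, check its partition table and
compare it with a reference copy (for instance a backup taken when the disk
was known good)."""
import hashlib
import struct
from typing import List, Tuple

MBR_SIZE = 512
PT_OFFSET = 446          # partition table: four 16-byte entries
SIG_OFFSET = 510         # boot signature bytes 0x55 0xAA
BOOT_SIGNATURE = 0xAA55  # the signature read as a little-endian u16


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and \
        struct.unpack_from("<H", mbr, SIG_OFFSET)[0] == BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> List[dict]:
    """Decode the four classic MBR partition entries (CHS fields are skipped)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        parts.append({"index": i, "boot_flag": boot, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def partition_table_issues(parts: List[dict]) -> List[str]:
    """Structural problems a boot loader would also trip over."""
    issues = []
    if sum(1 for p in parts if p["boot_flag"] == 0x80) > 1:
        issues.append("more than one active partition")
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):
            issues.append(f"entry {p['index']}: invalid boot flag 0x{p['boot_flag']:02x}")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"entries {a['index']} and {b['index']} overlap")
    return issues


def compare_mbr(current: bytes, reference: bytes) -> dict:
    """Field-by-field comparison of the live MBR against a reference copy.
    Boot code that differs while the partition table is unchanged is the case
    worth investigating: the disk still boots, but not through the original code."""
    return {
        "identical": current == reference,
        "boot_code_differs": current[:440] != reference[:440],
        "partition_table_differs": current[PT_OFFSET:SIG_OFFSET] != reference[PT_OFFSET:SIG_OFFSET],
        "current_signature_ok": has_boot_signature(current),
        "reference_signature_ok": has_boot_signature(reference),
        "current_sha256": hashlib.sha256(current).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
    }


def build_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Construct a synthetic MBR image (constructed test data, not a real disk)."""
    buf = bytearray(boot_code.ljust(440, b"\x00")[:440]) + bytearray(6)  # disk id + reserved
    for boot, ptype, lba, count in partitions:
        buf += struct.pack("<B3xB3xII", boot, ptype, lba, count)
    buf += bytes(SIG_OFFSET - len(buf))           # unused entries stay zero
    buf += struct.pack("<H", BOOT_SIGNATURE)
    return bytes(buf)


# Constructed: a known-good MBR with one active NTFS partition, and a copy whose
# boot code was altered while the partition table was left untouched.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 10, [(0x80, 0x07, 63, 1_000_000)])
TAMPERED_MBR = CLEAN_MBR[:8] + b"\xeb\x3c\x90\x00\x00\x00\x00\x00" + CLEAN_MBR[16:]

if __name__ == "__main__":
    report = compare_mbr(TAMPERED_MBR, CLEAN_MBR)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("partition table issues:", partition_table_issues(parse_partition_table(TAMPERED_MBR)))
```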

    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 30th April 2010, 2:58 am

    Please download [You must be registered and logged in to see this link.] by noahdfear.
    • Save it to your desktop.
    • Double-click profiles.exe and post its log when you reply



    Re: ebay paypal redirect/hijack

    Post by yolinda on 30th April 2010, 3:32 am

    Below is the log for Profiles... by the way, can I delete the help assistant folders under documents and settings? Or do I need to leave those there?
    Thank you-- Linda

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1003
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS

    yolinda
    Intermediate
    Intermediate

    Posts Posts : 72
    Joined Joined : 2010-04-04
    Gender Gender : Female
    OS OS : Windows XP
    Protection Protection : Currently using Avira.
    Points Points : 25488
    # Likes # Likes : 0


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 30th April 2010, 3:57 am

    Please download [You must be registered and logged in to see this link.] and save it to your desktop.

    • Double-click on HAMeb_check.exe to run the utility and it will create a log.
    • Copy and paste the contents of that log in your next reply.


    ===============================

    Please download SystemLook from one of the links below and save it to your Desktop.
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      termsrv.dll
      termsrv32.dll
      :reg
      HKLM\SYSTEM\CurrentControlSet\Services\TermService /s
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    =============================================

    Open Notepad and copy/paste the code box below into a new text file.
    Code:
    @echo off
    rem Disable the HelpAssistant account and remove it from the local Administrators group.
    net user HelpAssistant /active:no >nul 2>&1
    net localgroup Administrators HelpAssistant /delete >nul 2>&1
    rem Strip the system/hidden/read-only attributes, then delete the whole profile tree.
    rem docume~1 is the 8.3 short name for "Documents and Settings" on the system drive.
    attrib -s -h -r C:\docume~1\HelpAssistant\* /s /d
    del /s/q C:\docume~1\HelpAssistant\*.*
    rmdir /s/q C:\docume~1\HelpAssistant
    • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
    • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
    • It will open a text file, please copy the content in your next reply.


    Please make sure to post the log from HAMeb_Check, SystemLook, and the regquery in your next reply.


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 30th April 2010, 5:04 am

    ok... first two ran fine... but regquery did not give me a txt file. It popped open a black window and I saw a bunch of text for about 1/2 second, then it closed and no log file opened... here are the logs for HAMeb_check and SystemLook:

    C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
    Fri 04/30/2010 at 0:47:11.73

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A439BC0]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present!


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


    ~~ EOF ~~


    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 00:48 on 30/04/2010 by yo (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "termsrv.dll"
    C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [02:10 25/09/2008] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
    C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [13:16 19/04/2010] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
    C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
    C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:11 12/01/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F

    Searching for "termsrv32.dll"
    C:\HelpAsst_backup\termsrv32.dll --a--- 295424 bytes [22:23 11/04/2010] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82
    C:\WINDOWS\system32\termsrv32.dll --a--- 295424 bytes [19:11 12/01/2008] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
    "DependOnService"="RPCSS"
    "Description"="Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server."
    "DisplayName"="Terminal Services"
    "ErrorControl"= 0x0000000001 (1)
    "ImagePath"="%SystemRoot%\System32\svchost -k DComLaunch"
    "ObjectName"="LocalSystem"
    "Start"= 0x0000000002 (2)
    "Type"= 0x0000000020 (32)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Enum]
    "0"="Root\LEGACY_TERMSERVICE\0000"
    "Count"= 0x0000000001 (1)
    "NextInstance"= 0x0000000001 (1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
    "Certificate"=01 00 00 00 01 00 00 00 01 00 00 00 06 00 5c 00 52 53 41 31 48 00 00 00 00 02 00 00 3f 00 00 00 01 00 01 00 7f d2 2e a9 8b cc 63 eb 41 8a 8e b2 13 3c 20 ef 92 f2 76 8b 92 2d 8b c6 4b 76 f8 03 f6 6f 47 80 68 0d a1 19 2e ce 3c f5 93 30 be 01 61 c7 c1 65 73 b9 a5 39 51 78 65 f2 25 e0 3d dd 84 0c 47 b6 00 00 00 00 00 00 00 00 08 00 48 00 42 37 0d ab 7b 6e 5a 4b f5 a7 d9 16 ff 4e 49 62 99 d5 0a 33 d4 56 63 ac 42 28 c9 f5 b3 a5 e8 42 88 7e 56 4c dd 5e 03 e7 78 80 08 fc 40 bb 44 36 ae 44 f9 10 7a 21 26 c5 fd 39 26 22 4a 21 49 4b 00 00 00 00 00 00 00 00 (REG_BINARY)
    "ServiceDll"="%SystemRoot%\System32\termsrv32.dll"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Performance]
    "Close"="CloseTSObject"
    "Collect Timeout"= 0x00000003e8 (1000)
    "Collect"="CollectTSObjectData"
    "First Counter"= 0x0000000806 (2054)
    "First Help"= 0x0000000807 (2055)
    "Last Counter"= 0x0000000886 (2182)
    "Last Help"= 0x0000000887 (2183)
    "Library Validation Code"=00 60 bd 99 53 4f c2 01 00 30 00 00 00 00 00 00 (REG_BINARY)
    "Library"="perfts.dll"
    "Object List"="2054 2176"
    "Open Timeout"= 0x00000003e8 (1000)
    "Open"="OpenTSObject"
    "WbemAdapFileSignature"=7e fd 21 14 ea d1 ac 72 34 26 10 d7 19 2b fb 32 (REG_BINARY)
    "WbemAdapFileSize"= 0x0000003000 (12288)
    "WbemAdapFileTime"=00 60 bd 99 53 4f c2 01 (REG_BINARY)
    "WbemAdapStatus"= 0000000000 (0)


    -=End Of File=-

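A defender-side reading of the HAMeb_check output above, as an added example that is not part of the thread or of noahdfear's tool: a short Python triage routine that flags the indicators this log exposes (HelpAssistant enabled, HelpAssistant in Administrators, TermService's ServiceDll redirected to termsrv32.dll, and globally open firewall ports beyond Remote Desktop's 3389/TCP). The embedded log lines are a constructed sample modelled on the posted output; the expected-value constants are assumptions about a stock XP install.

```python
import re
from typing import List

# Constructed sample modelled on the HAMeb_check output posted in this thread
# (same field names, trimmed to the lines the checks below read).
SAMPLE_LOG = r"""
Account active Yes
Local Group Memberships *Administrators

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"8540:TCP"=8540:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

# Assumed baseline for a stock XP install: TermService is hosted by termsrv.dll,
# and the only globally open port Remote Desktop itself adds is 3389/TCP.
EXPECTED_SERVICEDLL = r"%systemroot%\system32\termsrv.dll"
KNOWN_PORTS = {"3389:TCP"}


def triage(log: str) -> List[str]:
    """Return one human-readable finding per hijack indicator present in the log."""
    findings = []
    if re.search(r"^Account active\s+Yes\b", log, re.M):
        findings.append("HelpAssistant account is enabled (disabled by default on XP)")
    m = re.search(r"^Local Group Memberships\s+(.*)$", log, re.M)
    if m and "Administrators" in m.group(1):
        findings.append("HelpAssistant is a member of the local Administrators group")
    m = re.search(r"^ServiceDll\s+REG_EXPAND_SZ\s+(\S+)", log, re.M)
    if m and m.group(1).lower() != EXPECTED_SERVICEDLL:
        findings.append("TermService ServiceDll points at " + m.group(1)
                        + " instead of termsrv.dll")
    # Firewall entries look like "65533:TCP"=65533:TCP:*:Enabled:Services; the
    # same port may appear under several profiles, so report each port once.
    ports = set(re.findall(r'^"(\d+:(?:TCP|UDP))"=', log, re.M))
    for port in sorted(ports - KNOWN_PORTS):
        findings.append("unexpected globally open firewall port " + port)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print("FINDING:", line)
```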

    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 30th April 2010, 7:57 pm

    Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

    Please open Command Prompt (Start > Run, type CMD and press OK).
    Enter the following into the black box, pressing Enter after each line:

    Code:
    mbr.exe -f

    exit

    Post a log (MBR.log).


    Dr. Jay (DJ)



    Re: ebay paypal redirect/hijack

    Post by yolinda on 30th April 2010, 9:07 pm

    ok... here is the log...

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0E4FBFE2
    malicious code @ sector 0x0E4FBFE5 !
    PE file found in sector at 0x0E4FBFFB !


    Re: ebay paypal redirect/hijack

    Post by Dr Jay on 1st May 2010, 3:40 am

    Ok. We are going to start over here. Right On!

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download [You must be registered and logged in to see this link.] by OldTimer:

    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    ============

    Then, please do the following:

    GMER

    Note about this tool:
    • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
    • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
    • No matter what is in the log, please post all the information/contents of the log.


    Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.


    Dr. Jay (DJ)

