WiredWX Christian Hobby Weather Tools
ebay paypal redirect/hijack


Re: ebay paypal redirect/hijack


  • Download: >>> OTL by Old Timer <<< to your desktop.
    If you have problems, try this download link:
    >>> Link #2: OTL <<<
  • Double-click the OTL icon on your desktop to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.

    Now copy the lines below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT



  • Right-click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.

  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.



Summary of the logs I will need in your next reply:


  • the report logs of OTL:

    OTL.Txt and Extras.Txt

............................................................................................

Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

Re: ebay paypal redirect/hijack
Hi Yolanda, I edited your post so I can research each line of the logs and I may reply with the other half since the report of OTL is too big. Keep checking your thread until I post a fix.

Here are the logs....

OTL logfile created on: 4/11/2010 10:50:43 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\yo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): D:\pagefile.sys 2956 2956 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 44.38 Gb Free Space | 38.76% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 35.12 Gb Free Space | 30.67% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 31.15 Mb Total Space | 10.02 Mb Free Space | 32.16% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: LINDAS
Current User Name: yo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\yo\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
PRC - C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
PRC - C:\Program Files\PC Tools Firewall Plus\FWService.exe (PC Tools)
PRC - C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe (Microsoft Corporation)
PRC - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\MagicTune Premium\MagicTune.exe (SEC)
PRC - C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe ()
PRC - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)
PRC - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\yo\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\CTAGENT.DLL (Creative Technology Ltd)


========== Win32 Services (SafeList) ==========

SRV - (PavPrSrv) -- File not found
SRV - (getPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (PCToolsFirewallPlus) -- C:\Program Files\PC Tools Firewall Plus\FWService.exe (PC Tools)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (Maxtor Sync Service) -- C:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (nTuneService) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (MagicTuneEngine) -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe ()
SRV - (Diskeeper) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (Diskeeper Corporation)
SRV - (Adobe Version Cue CS3) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe (Adobe Systems Incorporated)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (Adobe Version Cue CS2) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe (Adobe Systems Incorporated)
SRV - (InCDsrvR) InCD Helper (read only) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
SRV - (InCDsrv) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
SRV - (LPDSVC) -- C:\WINDOWS\system32\tcpsvcs.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
DRV - (SBRE) -- C:\WINDOWS\system32\drivers\SBREDrv.sys (Sunbelt Software)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (pctgntdi) -- C:\WINDOWS\system32\drivers\pctgntdi.sys (PC Tools)
DRV - (pctplfw) -- C:\WINDOWS\system32\drivers\pctplfw.sys (PC Tools)
DRV - (PCTAppEvent) -- C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (GVTDrv) -- C:\WINDOWS\system32\drivers\GVTDrv.sys ()
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\WINDOWS\system32\drivers\msdv.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (ET5Drv) -- C:\WINDOWS\system32\drivers\ET5Drv.sys (Windows (R) 2000 DDK provider)
DRV - (NVR0Dev) -- C:\WINDOWS\nvoclock.sys (NVidia Corp.)
DRV - (SI3112r) -- C:\WINDOWS\system32\DRIVERS\SI3112r.sys (Silicon Image, Inc)
DRV - (SiWinAcc) -- C:\WINDOWS\system32\drivers\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SiFilter) -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (MXOPSWD) -- C:\WINDOWS\system32\drivers\mxopswd.sys (Maxtor Corp.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (Hardlock) -- C:\WINDOWS\system32\drivers\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (NCPro) -- C:\WINDOWS\system32\drivers\MTictwl.sys ()
DRV - (MagicTune) -- C:\WINDOWS\system32\drivers\MTictwl.sys ()
DRV - (CTHWIUT.DLL) -- C:\WINDOWS\system32\CTHWIUT.DLL (Creative Technology Ltd.)
DRV - (CT20XUT.DLL) -- C:\WINDOWS\system32\CT20XUT.DLL (Creative Technology Ltd.)
DRV - (CTEXFIFX.DLL) -- C:\WINDOWS\system32\CTEXFIFX.dll (Creative Technology Ltd.)
DRV - (CTSBLFX.DLL) -- C:\WINDOWS\system32\ctsblfx.dll (Creative Technology Ltd)
DRV - (CTEAPSFX.DLL) -- C:\WINDOWS\system32\cteapsfx.dll (Creative Technology Ltd)
DRV - (CTAUDFX.DLL) -- C:\WINDOWS\system32\ctaudfx.dll (Creative Technology Ltd)
DRV - (COMMONFX.DLL) -- C:\WINDOWS\system32\commonfx.dll (Creative Technology Ltd)
DRV - (CTEDSPSY.DLL) -- C:\WINDOWS\system32\CTEDSPSY.DLL (Creative Technology Ltd)
DRV - (CTEDSPIO.DLL) -- C:\WINDOWS\system32\CTEDSPIO.DLL (Creative Technology Ltd)
DRV - (CTEDSPFX.DLL) -- C:\WINDOWS\system32\CTEDSPFX.DLL (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (hap17v2k) -- C:\WINDOWS\system32\drivers\haP17v2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS\system32\drivers\haP16v2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (iteatapi) -- C:\WINDOWS\system32\DRIVERS\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Ahead Software AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDpass.sys (Ahead Software AG)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDrm.sys (Ahead Software AG)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (CYGF32X) -- C:\WINDOWS\system32\drivers\CygF32x.sys (Cygnal Integrated Products)
DRV - (si3112) -- C:\WINDOWS\system32\drivers\si3112.sys (Silicon Image, Inc.)
DRV - (nvatabus) -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/15 14:58:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: c:\program files\real\realplayer\browserrecord\firefox\ext [2009/09/28 21:43:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/04/04 20:34:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/15 11:28:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 16:02:45 | 000,000,000 | ---D | M]

[2009/10/15 11:28:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions
[2009/10/15 11:28:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/12 21:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/11 21:36:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions
[2009/10/15 11:31:42 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/20 23:20:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/15 11:28:09 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/24 16:15:25 | 000,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/08/24 16:15:26 | 000,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/08/24 16:15:27 | 000,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2009/12/21 18:34:06 | 000,103,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2010/03/22 15:52:24 | 000,032,576 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
[2009/08/24 14:45:46 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 14:45:46 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/02/23 04:45:06 | 000,001,375 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009/08/24 14:45:46 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 14:45:46 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 14:45:46 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 14:45:46 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 14:45:46 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/04/06 12:53:02 | 000,000,789 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [00PCTFW] C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe (PC Tools)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\yo\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB (PogoWebLauncher Control)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} http://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab (SentinelProxy Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200188651437 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5924/mcfscan.cab (McFreeScan Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/12 15:14:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\´ò¿ª(&O)\command - "" = newumsg.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

Last edited by Net_Surfer on 12th April 2010, 6:06 pm; edited 1 time in total (Reason for editing : Pasted the log to easy the research)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/11 21:55:04 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/04/11 18:33:20 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\yo\mbr.log
[2010/04/11 18:23:34 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/04/06 16:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/04/06 10:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\DoctorWeb
[2010/04/06 00:35:44 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/05 17:46:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/04/05 17:29:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\Avira
[2010/04/05 17:27:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\PCToolsFirewallPlus
[2010/04/05 17:23:18 | 000,070,664 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.sys
[2010/04/05 17:23:18 | 000,032,680 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-DNS.sys
[2010/04/05 17:23:15 | 000,115,216 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplfw.sys
[2010/04/05 17:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Firewall Plus
[2010/04/05 17:19:00 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/04/05 17:18:53 | 000,217,032 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/04/05 17:18:53 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/04/05 17:18:47 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\PC Tools
[2010/04/05 17:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/04/05 17:08:37 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/05 17:08:35 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/05 17:08:35 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/05 17:08:35 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/05 17:08:34 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/05 17:08:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/05 16:42:40 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/04/05 16:37:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2010/04/05 16:02:53 | 000,000,000 | --SD | C] -- C:\commy29599c
[2010/04/05 15:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WEBREG
[2010/04/05 15:58:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\HP
[2010/04/05 15:23:03 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/04/05 15:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 15:23:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/05 15:23:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/04/04 21:52:35 | 000,118,272 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\hpz3l696.dll
[2010/04/04 21:04:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\HPAppData
[2010/04/04 20:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Local Settings\Application Data\ArcSoft
[2010/04/04 20:35:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2010/04/04 20:35:29 | 000,000,000 | ---D | C] -- C:\Program Files\ArcSoft
[2010/04/04 20:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2010/04/04 20:35:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\Application Data\ArcSoft
[2010/04/04 20:33:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
[2010/04/04 20:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP
[2010/04/04 20:32:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\HP
[2010/04/04 19:54:54 | 000,372,736 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hppldcoi.dll
[2010/04/04 19:54:54 | 000,309,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\difxapi.dll
[2010/04/04 19:54:52 | 000,271,704 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpzids01.dll
[2010/04/04 19:54:40 | 000,000,000 | ---D | C] -- C:\Program Files\HP
[2010/04/04 19:52:14 | 000,003,993 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/04/04 16:11:51 | 000,000,000 | --SD | C] -- C:\commy
[2010/04/04 15:57:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/04/04 15:57:41 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/04/04 04:54:36 | 000,052,608 | R--- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvatabus_2.sys
[2010/04/04 04:51:56 | 000,000,000 | ---D | C] -- C:\cmdcons
[2010/04/04 04:51:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/04 04:51:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/04 04:51:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/04 04:51:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/04 04:50:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/04 04:50:55 | 000,000,000 | --SD | C] -- C:\Combo-Fix
[2010/04/04 04:49:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/04 03:36:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/04 03:36:15 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/04 03:36:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/04 02:11:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\yo\My Documents\Downloads
[2010/03/24 09:38:26 | 000,199,432 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\neti1639.sys
[2010/03/20 19:24:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Backup
[2010/03/20 19:23:53 | 000,446,464 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\HHActiveX.dll
[2010/03/19 22:14:02 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/03/19 11:30:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\McAfee.com
[2010/03/19 10:52:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/03/19 10:05:33 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/03/09 20:04:42 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\yo\Application Data\netstat.bat
[2010/02/08 18:50:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/08 17:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/02/08 17:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
[2010/02/08 17:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/04 20:23:07 | 000,054,093 | ---- | C] () -- C:\Program Files\EULA.eng
[2010/01/29 20:28:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/14 13:36:11 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\housecall.guid.cache
[2010/01/13 12:53:49 | 001,605,658 | -H-- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\IconCache.db
[2009/11/12 11:34:32 | 000,000,063 | ---- | C] () -- C:\Documents and Settings\yo\jagex_runescape_preferences2.dat
[2009/06/20 14:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/06/18 11:02:46 | 000,061,224 | ---- | C] () -- C:\Documents and Settings\yo\GoToAssistDownloadHelper.exe
[2009/04/15 05:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\NVIDIA Corporation
[2009/04/07 16:05:29 | 000,049,152 | ---- | C] () -- C:\Documents and Settings\yo\PNPrint3.exe
[2008/12/22 16:09:41 | 013,631,488 | ---- | C] () -- C:\Documents and Settings\yo\ntuser.dat
[2008/10/22 18:49:34 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\yo\default.pls
[2008/09/29 12:50:33 | 000,009,638 | ---- | C] () -- C:\Documents and Settings\yo\TraceLog.txt
[2008/07/12 20:30:37 | 000,000,038 | ---- | C] () -- C:\Documents and Settings\yo\jagex_runescape_preferences.dat
[2008/03/05 09:55:29 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\yo\PUTTY.RND
[2008/01/29 13:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/01/17 20:41:27 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/13 00:12:27 | 000,000,968 | RHS- | C] () -- C:\Documents and Settings\yo\ntuser.pol
[2008/01/12 23:02:56 | 000,205,416 | ---- | C] () -- C:\Documents and Settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/01/12 15:33:45 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\yo\ntuser.dat.LOG
[2008/01/12 15:33:45 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\yo\ntuser.ini
[2008/01/12 15:33:45 | 000,000,062 | -HS- | C] () -- C:\Documents and Settings\yo\Application Data\desktop.ini
[2008/01/12 10:03:52 | 000,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/04/09 13:32:58 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2006/06/29 14:58:52 | 000,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 000,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/11 22:37:06 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 21:55:10 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\yo\Desktop\OTL.exe
[2010/04/11 21:50:54 | 013,631,488 | ---- | M] () -- C:\Documents and Settings\yo\ntuser.dat
[2010/04/11 19:49:31 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/11 19:48:35 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/11 19:48:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/11 19:48:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/11 19:24:45 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\yo\ntuser.ini
[2010/04/11 19:24:12 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.CDF
[2010/04/11 19:24:12 | 004,958,588 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000008-00001102-00000004-20021102}.BAK
[2010/04/11 18:23:09 | 000,016,023 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\prob.docx
[2010/04/11 18:20:22 | 000,490,008 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/10 10:29:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/10 07:42:56 | 005,687,914 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\Vinyl.eps
[2010/04/09 23:10:20 | 037,038,904 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\65b2mypv.exe
[2010/04/09 22:13:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/09 15:34:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\mbr.exe
[2010/04/08 19:24:38 | 000,012,963 | ---- | M] () -- C:\Documents and Settings\yo\My Documents\Signs for Chippokes Estates.docx
[2010/04/07 22:33:16 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/06 16:31:01 | 000,104,381 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl20.pdf
[2010/04/06 16:12:05 | 000,103,618 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl.pdf
[2010/04/06 12:53:02 | 000,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/05 16:02:06 | 003,907,460 | R--- | M] () -- C:\Documents and Settings\yo\Desktop\commy.exe
[2010/04/05 16:00:39 | 000,152,184 | ---- | M] () -- C:\WINDOWS\hphins29.dat
[2010/04/04 20:37:21 | 000,001,954 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Add a Device - Photosmart B8500 series.lnk
[2010/04/04 20:34:48 | 000,001,930 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Shop for HP Supplies.lnk
[2010/04/04 20:34:36 | 000,001,870 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 3.5.lnk
[2010/04/04 20:33:46 | 000,001,808 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2010/04/04 20:33:28 | 000,001,018 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2010/04/04 19:50:51 | 198,219,864 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\PS_BSIZE_04_B8500_NonNet_Full_Win_enu_120_217.exe
[2010/04/04 13:14:18 | 000,003,188 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\Easter.nra
[2010/04/04 04:52:06 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/04 03:36:21 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/31 16:01:59 | 000,008,627 | ---- | M] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/24 11:09:52 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-20021102}.rfx
[2010/03/24 11:09:52 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/03/24 11:09:52 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/03/24 09:46:57 | 000,000,691 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/24 09:41:54 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/24 09:41:54 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/24 09:41:52 | 000,513,516 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/23 14:13:45 | 001,842,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/22 12:50:22 | 000,205,416 | ---- | M] () -- C:\Documents and Settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/20 11:12:40 | 000,067,584 | ---- | M] () -- C:\Documents and Settings\yo\My Documents\Antony E.doc
[2010/03/15 19:21:04 | 000,000,036 | -H-- | M] () -- C:\WINDOWS\System32\f9t.dat
[2010/03/15 17:15:00 | 000,559,862 | ---- | M] () -- C:\Documents and Settings\yo\Desktop\PhotoBrent.jpg
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\Documents and Settings\yo\My Documents\*.tmp files -> C:\Documents and Settings\yo\My Documents\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\yo\*.tmp files -> C:\Documents and Settings\yo\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 18:20:21 | 000,490,008 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/10 07:42:48 | 005,687,914 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\Vinyl.eps
[2010/04/09 23:10:19 | 037,038,904 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\65b2mypv.exe
[2010/04/09 15:34:40 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\mbr.exe
[2010/04/07 22:33:16 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/06 16:31:01 | 000,104,381 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl20.pdf
[2010/04/06 16:12:05 | 000,103,618 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\hl=en&tab=wl.pdf
[2010/04/06 16:09:30 | 000,012,963 | ---- | C] () -- C:\Documents and Settings\yo\My Documents\Signs for Chippokes Estates.docx
[2010/04/05 17:23:18 | 000,007,435 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.cat
[2010/04/05 17:23:18 | 000,007,399 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctNdis-DNS.cat
[2010/04/05 17:23:15 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplfw.cat
[2010/04/05 17:19:00 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/04/05 17:18:53 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/04/05 17:18:53 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/04/05 17:18:47 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/04/05 16:02:04 | 003,907,460 | R--- | C] () -- C:\Documents and Settings\yo\Desktop\commy.exe
[2010/04/04 20:37:29 | 000,001,060 | ---- | C] () -- C:\WINDOWS\hphmdl29.dat.temp
[2010/04/04 20:37:21 | 000,001,954 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Add a Device - Photosmart B8500 series.lnk
[2010/04/04 20:34:48 | 000,001,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shop for HP Supplies.lnk
[2010/04/04 20:34:36 | 000,001,870 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Photosmart Essential 3.5.lnk
[2010/04/04 20:33:46 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2010/04/04 20:33:28 | 000,001,018 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2010/04/04 19:52:14 | 000,152,184 | ---- | C] () -- C:\WINDOWS\hphins29.dat
[2010/04/04 19:52:14 | 000,001,060 | ---- | C] () -- C:\WINDOWS\hphmdl29.dat
[2010/04/04 19:50:44 | 198,219,864 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\PS_BSIZE_04_B8500_NonNet_Full_Win_enu_120_217.exe
[2010/04/04 13:14:18 | 000,003,188 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\Easter.nra
[2010/04/04 12:03:36 | 000,016,023 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\prob.docx
[2010/04/04 04:52:06 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/04 04:52:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/04 04:51:10 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 04:51:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 04:51:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/04 04:51:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 04:51:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/04 03:36:21 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/24 12:17:13 | 000,008,627 | ---- | C] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2010/03/15 17:14:59 | 000,559,862 | ---- | C] () -- C:\Documents and Settings\yo\Desktop\PhotoBrent.jpg
[2009/09/28 21:44:10 | 000,000,038 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/02/13 23:28:05 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTictwl.sys
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/07/01 14:46:07 | 000,000,899 | ---- | C] () -- C:\WINDOWS\CadraViewExp.ini
[2008/06/29 09:39:31 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll
[2008/05/09 16:42:24 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/24 00:20:00 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/02/01 21:03:21 | 000,025,339 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/01/14 13:56:19 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS61.DLL
[2008/01/14 12:32:14 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/01/13 19:29:15 | 000,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/01/13 19:29:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/01/13 19:29:15 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/01/13 13:33:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/12 22:24:48 | 000,024,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\GVTDrv.sys
[2008/01/12 20:24:20 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\idecoi.dll
[2008/01/12 15:58:54 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/12/05 02:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 02:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 02:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 02:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 02:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/03/12 12:01:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2007/03/09 03:12:32 | 000,027,648 | -HS- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/03/06 05:14:48 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/03/06 05:14:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2007/01/25 13:31:36 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/08/11 15:57:18 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/07/25 14:57:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[2006/05/23 13:40:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/06/16 19:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL

========== LOP Check ==========

[2009/08/05 23:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2008/01/27 14:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avery
[2010/03/20 19:24:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Backup
[2008/06/02 14:46:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/12/01 01:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2008/08/02 16:40:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2008/12/15 11:46:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eBay
[2010/02/21 08:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2008/06/02 19:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flood Light Games
[2008/01/12 21:51:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/07/12 23:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2008/12/23 17:31:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/02/23 12:30:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/02/23 15:29:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2008/08/22 11:19:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/04/11 19:55:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/04 16:06:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/15 11:43:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WholeSecurity
[2009/09/03 13:51:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/04/26 21:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8737778F-82C6-4680-A660-E8B2B8C8C22B}
[2009/04/26 21:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{876C6265-922D-4EF3-A784-71D72FF033C0}
[2009/04/26 21:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{B0AFCE64-DF3F-4824-8985-B21DB0EEE07B}
[2008/01/14 13:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{D9AA4D17-9292-410D-9AA5-84526D062900}
[2008/08/14 11:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\1&1
[2008/09/29 02:11:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\3M
[2009/08/05 23:10:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\acccore
[2009/12/25 17:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Alien Skin
[2008/12/15 11:46:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\eBay
[2010/04/05 22:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Facebook
[2008/06/02 19:32:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Flood Light Games
[2008/11/22 15:14:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\GetRightToGo
[2008/06/29 22:24:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\GrabPro
[2009/01/16 19:19:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\ICAClient
[2010/04/04 13:17:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\LimeWire
[2010/04/05 22:36:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\mjusbsp
[2008/04/13 13:21:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Opera
[2008/06/30 12:09:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Orbit
[2010/04/05 17:34:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\PCToolsFirewallPlus
[2009/02/01 23:59:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Pogo Games
[2008/12/23 17:31:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Runaware
[2008/04/27 16:48:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Simple Star
[2008/10/29 12:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Snapfish
[2008/01/14 13:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Stamps.com Internet Postage
[2010/02/03 08:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Windows Desktop Search
[2008/12/14 20:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\Windows Search
[2008/06/29 09:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\yo\Application Data\YouSendIt
[2010/04/09 22:13:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/01/12 22:35:44 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/24 22:09:36 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) MD5=F45FDCB8D45439459A6B738AEF45AA94 -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) MD5=F45FDCB8D45439459A6B738AEF45AA94 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07348C09
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:588B60C7
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D
< End of report >

............................................................................................

Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!
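As an added example (not part of this thread and not code from OTL), here is a Python script that does the cross-check a helper performs by eye on the "< MD5 for: ... >" sections of the report above: it parses the entry lines and flags any live copy under system32 whose MD5 or size differs from the ServicePackFiles reference copy. The ATAPI.SYS and NVATABUS.SYS sections in the embedded sample are copied from the log; the EXAMPLE.SYS section is constructed to show what a mismatch looks like.

```python
"""Cross-check the '< MD5 for: NAME >' sections of an OTL custom-scan report.

Added example, not the thread's or OTL's own code: it flags any live copy under
system32 whose MD5 or size differs from the Service Pack reference copy under
ServicePackFiles\\i386, the comparison a helper makes by eye when looking for a
patched boot-critical driver such as atapi.sys.
"""
import re

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>[^>]+?) >$")

# Entry line: [mtime | size | attrs | C/M] (company) [.cab file] [MD5=...] -- path
ENTRY_RE = re.compile(
    r"^\[[^|\]]+?\s*\|\s*(?P<size>[\d,]+)\s*\|[^|]+?\|\s*[CM]\]\s*\([^)]*\)"
    r"(?:\s*\.cab file)?(?:\s*MD5=(?P<md5>[0-9A-Fa-f]{32}))?\s*--\s*(?P<path>.+?)\s*$"
)


def classify(path):
    """Service Pack reference copy, backup/cab copy, or the live file in system32."""
    p = path.lower()
    if "\\servicepackfiles\\" in p:
        return "reference"
    if "\\$ntservicepackuninstall$\\" in p or "\\reinstallbackups\\" in p or ".cab:" in p:
        return "backup"
    return "live" if "\\system32\\" in p else "other"


def parse_md5_sections(text):
    """Return {FILE NAME: [entry dicts]} for every MD5 section in the report."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<") and line.endswith(">"):
            m = SECTION_RE.match(line)
            current = m.group("name").upper() if m else None
            if current:
                sections.setdefault(current, [])
            continue
        e = ENTRY_RE.match(line) if current else None
        if e:  # skips summary lines such as "[10 ...\*.tmp files -> ...]"
            md5 = e.group("md5")
            sections[current].append({
                "path": e.group("path"),
                "size": int(e.group("size").replace(",", "")),
                "md5": md5.upper() if md5 else None,
                "role": classify(e.group("path")),
            })
    return sections


def bad_live_copies(entries):
    """Live copies whose MD5 or size differs from a reference copy in the same section."""
    refs = [e for e in entries if e["role"] == "reference" and e["md5"]]
    ref_md5 = {e["md5"] for e in refs}
    ref_size = {e["size"] for e in refs}
    return [e for e in entries if refs and e["role"] == "live" and e["md5"]
            and (e["md5"] not in ref_md5 or e["size"] not in ref_size)]


def check_report(text):
    """Map each file name to 'ok', 'mismatch', 'no-reference' or 'no-live-copy'."""
    verdicts = {}
    for name, entries in parse_md5_sections(text).items():
        roles = {e["role"] for e in entries if e["md5"]}
        if "live" not in roles:
            verdicts[name] = "no-live-copy"
        elif "reference" not in roles:
            # Nothing on disk to compare against (e.g. an OEM driver); the
            # helper's fallback is an online multi-engine scan of the file.
            verdicts[name] = "no-reference"
        else:
            verdicts[name] = "mismatch" if bad_live_copies(entries) else "ok"
    return verdicts


def mismatched_paths(text):
    """Paths of every live copy that failed the cross-check."""
    return [e["path"] for entries in parse_md5_sections(text).values()
            for e in bad_live_copies(entries)]


# Constructed sample: ATAPI.SYS and NVATABUS.SYS are copied from the log above;
# EXAMPLE.SYS is made up so that the live copy differs from the reference.
SAMPLE_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2002/08/29 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: NVATABUS.SYS >
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) MD5=F45FDCB8D45439459A6B738AEF45AA94 -- C:\WINDOWS\system32\drivers\nvatabus.sys
[2003/04/21 15:18:00 | 000,052,608 | R--- | M] (NVIDIA Corporation) MD5=F45FDCB8D45439459A6B738AEF45AA94 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\nvatabus.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000002 -- C:\WINDOWS\system32\drivers\example.sys
< End of report >
"""
```

Running `check_report(SAMPLE_REPORT)` gives ATAPI.SYS "ok", NVATABUS.SYS "no-reference" (no Service Pack copy to compare against) and EXAMPLE.SYS "mismatch"; a real report is fed in the same way after reading OTL.Txt.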

Re: ebay paypal redirect/hijack

Hello again Yolinda,

While I research your logs I need you to fix some issues:

You have old versions of Java and Adobe; also, I need you to upload some files to Jotti so we can verify if the Virut virus is in your system.

Please follow my next set of steps:


Step 1. Update Software

Going over your logs I noticed that you are using an old version of the Mozilla Firefox browser. You need to update to the latest version: 3.6.3

Click on the Help tab at the top of your Firefox browser page and select: "Check for Updates"

Older versions contain holes that hackers can use to manipulate your machine.

Step 2. Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Step 3. JavaRa and Java update.

Your Java program is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
Download and Run JavaRA

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start.
  • Use the drop down box to choose your language and click Select.
  • Select "Remove Older Versions".
  • Click Yes when asked "This will remove all older versions of the Java JRE...Are you sure you want to proceed?"
  • Click Ok when search and removal of old versions has completed.
  • A notice will appear indicating "Finished searching for all old versions...A logfile has been created...called JavaRa.log... JavaRa will now open its logfile."
  • Click Ok and notepad will open with the log results of what was found and removed.
  • View the logfile and close notepad.
  • A copy of JavaRa.log will automatically be saved to your primary hard drive (usually C:\JavaRa.log).
  • Return to JavaRa and click the button for Additional Tasks.
  • Select these Tasks:

    • Remove Useless JRE Files
    • Remove Startup Entry
    • Remove JavaRa Logfile (optional)

  • Click Go and then Ok when prompted "Finished searching for useless JRE files."
  • Click Ok again when prompted "Finished searching for JRE startup entries."
  • Close the Additional Tasks window, exit JavaRa and reboot your computer.

Step 4. Then download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.


  • Look for "JDK 6 Update 19 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • From your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
-- The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Step 5

To check for some signs of VIRUT, we need to send some files to Jotti.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link: >>> Jotti <<<

When the Jotti page has finished loading, click the Browse button and navigate to the files listed below, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please reply back with the report log of Jotti or Virus Total.

Kind regards
Net_Surfer

(Gunsmoke)


Re: ebay paypal redirect/hijack

Hi Net_Surfer,

I updated all the programs as instructed and scanned the files you requested with Jotti. Each file came back with "0 out of 20 scanners reported malware."

I am not getting the redirects any more for paypal and ebay, so maybe something we did got rid of it?

I have had this happen before where I can log on to paypal or ebay for a day or so, then the redirect comes back.... do you want me to repost if that happens?

Thank you,
yolinda

Re: ebay paypal redirect/hijack

Hello again Yolinda.

Glad to hear that the Jotti report log came back clean.

Please carefully follow my next set of steps:

==============================
P2P (File Sharing) Warning!

P2P file sharing: >>> Know the risks <<<


Going over your logs I noticed that you have LimeWire 5.2.13 installed.

Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

There are some very good reasons for this, and they are for your protection:


From a security standpoint, P2P forms a direct connection into your computer and circumvents or bypasses most security, anti-malware and firewall software or hardware.

Any type of security on these programs is poor at best and non-existent on some; this could lead to malware being downloaded onto your computer without your knowledge.

Additionally, in cases where the program has not been configured correctly, a lot more than your music files have finished up being shared with others.

Passwords, PIN numbers, bank accounts, and other personal details have been harvested by the unscrupulous for their own gain at your expense.

Have a read of the below article to see where that happened:

Update: Seattle man arrested for p-to-p ID theft | InfoWorld | News | 2007-09-06 | By Robert McMillan, IDG News Service

I would recommend that you uninstall LimeWire; however, that choice is up to you. If you choose to remove these programs, you can do so via Programs and Features in Vista or Add or Remove Programs in XP.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.


Step 1. Let's fix some issues with OTL by doing the following:

Double click on the OTL icon on your desktop to run it.
(Vista users right click and run as an Admin.)
Copy the lines in the code box below (make sure that :OTL is on the first line): highlight everything in the code box, starting with :OTL, and copy and paste it into the 'Custom Scans/Fixes' box in OTL.

Code:

:OTL
SRV - (PavPrSrv) -- File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKCU..\Run: [Aim6] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab  (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab  (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5924/mcfscan.cab  (McFreeScan Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/12 15:14:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell - "" = AutoRun
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\Shell\´ò¿ª(&O)\command - "" = newumsg.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07348C09
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:588B60C7
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D


:Commands
[PURITY]
[RESETHOSTS]
[EMPTYTEMP]
[EMPTYFLASH]
[REBOOT]


  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.


  • Click the red Run Fix button.

  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.


Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2. Malwarebytes' Anti-Malware

* Note: You already have Malwarebytes' Anti-Malware, just update first then run it.

  • Double Click mbam icon on your desktop to run it
  • Click on the Update tab and update the program.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform a Full system Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Summary of the logs I will need in your next reply:


  • The OTL report log.
  • MBAM log.

How are things at your end, Yolinda?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Again, please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer

(Gunsmoke)

............................................................................................

Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

Re: ebay paypal redirect/hijack
Hi Net_Surfer...

Well, the redirect is back again... so that didn't last long...

Malwarebytes keeps crashing doing the scan, but OTL worked fine. My husband also found a log he wanted me to send you... I will post that below this OTL log... THANK YOU...

All processes killed
========== OTL ==========
Service PavPrSrv stopped successfully!
Service PavPrSrv deleted successfully!
File File not found not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Aim6 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
C:\WINDOWS\Downloaded Program Files\mcfscan.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}\ not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
File Protocol\Handler\ipp - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
File Protocol\Handler\msdaipp - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\AUTOEXEC.BAT moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0910242-ac43-11dd-9af7-000fea52b645}\ not found.
File G:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
C:\WINDOWS\system32\shell32.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6b7b901-209d-11df-9bdd-000fea52b645}\ not found.
File newumsg.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:07348C09 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:588B60C7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:05113FB9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A73EAFFB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C31F31E6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1A6AFE3D deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: HelpAssistant
->Temp folder emptied: 744188382 bytes
->Temporary Internet Files folder emptied: 262957181 bytes
->Java cache emptied: 85708718 bytes
->FireFox cache emptied: 29277622 bytes
->Flash cache emptied: 367974 bytes

User: HelpAssistant.LINDAS
->Temp folder emptied: 701914246 bytes
->Temporary Internet Files folder emptied: 64191626 bytes
->Java cache emptied: 85977201 bytes
->FireFox cache emptied: 3739884 bytes
->Flash cache emptied: 367922 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 406898 bytes
->Flash cache emptied: 621 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 155233244 bytes

User: yo
->Temp folder emptied: 7904027761 bytes
->Temporary Internet Files folder emptied: 16269248 bytes
->Java cache emptied: 374257987 bytes
->FireFox cache emptied: 41701081 bytes
->Flash cache emptied: 367922 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2672276 bytes
%systemroot%\System32 .tmp files removed: 2932753 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 58686300 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23901598 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 319102562 bytes

Total Files Cleaned = 10,374.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: HelpAssistant
->Flash cache emptied: 0 bytes

User: HelpAssistant.LINDAS
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

User: yo
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.1.1 log created on 04122010_181002

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\$$$dq3e scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\$67we.$ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Re: ebay paypal redirect/hijack
Here are the files my husband wanted me to send that he found in C:\HelpAsst_backup

First is StandardGOPList.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"3703:TCP"="3703:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"3704:TCP"="3704:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"50900:TCP"="50900:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"50901:TCP"="50901:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"65533:TCP"="65533:TCP:*:Enabled:Services"
"52344:TCP"="52344:TCP:*:Enabled:Services"
"5824:TCP"="5824:TCP:*:Enabled:Services"
"5823:TCP"="5823:TCP:*:Enabled:Services"

Next is S-1-5-21-1844237615-1409082233-725345543-1000.reg

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\s-1-5-21-1844237615-1409082233-725345543-1000]
"ProfileImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,\
00,69,00,76,00,65,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,\
74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,\
00,67,00,73,00,5c,00,48,00,65,00,6c,00,70,00,41,00,73,00,73,00,69,00,73,00,\
74,00,61,00,6e,00,74,00,00,00
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,2f,d5,ec,6d,79,e3,fc,53,07,e5,3b,\
2b,e8,03,00,00
"Flags"=dword:00000001
"State"=dword:00000100
"CentralProfile"=""
"ProfileLoadTimeLow"=dword:20b45ffe
"ProfileLoadTimeHigh"=dword:01cad9bd
"RefCount"=dword:00000000

And Last is DomainGOPList.reg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
"65533:TCP"="65533:TCP:*:Enabled:Services"
"52344:TCP"="52344:TCP:*:Enabled:Services"
"5824:TCP"="5824:TCP:*:Enabled:Services"
"5823:TCP"="5823:TCP:*:Enabled:Services"

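An added example (not from this thread and not part of OTL, MBAM or any other tool named here) that parses .reg exports like the two GloballyOpenPorts lists posted above and reports entries that are enabled for any address ("*" scope) whose display name is a Windows resource string, a named application, or only a generic word such as "Services". The sample text, the GENERIC_NAMES list and the "generic name" heuristic are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the StandardGOPList.reg / DomainGOPList.reg
# exports posted above; not the poster's actual files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"3703:TCP"="3703:TCP:*:Enabled:Adobe Version Cue CS3 Server"
"65533:TCP"="65533:TCP:*:Enabled:Services"
"5823:TCP"="5823:TCP:*:Enabled:Services"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"52344:TCP"="52344:TCP:*:Enabled:Services"
"""


@dataclass(frozen=True)
class OpenPort:
    """One value under ...\\FirewallPolicy\\<profile>\\GloballyOpenPorts\\List."""
    profile: str   # "standardprofile" or "domainprofile", taken from the [key] header
    port: int
    proto: str     # "TCP" or "UDP"
    scope: str     # "LocalSubNet", "*" (any remote address) or an explicit address list
    enabled: bool
    name: str      # display name; "@dll,-id" is a Windows resource-string reference


KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Value format: "<port>:<proto>"="<port>:<proto>:<scope>:<Enabled|Disabled>:<name>"
VALUE_RE = re.compile(
    r'^"(?P<vname>[^"]+)"="(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):'
    r'(?P<state>Enabled|Disabled):(?P<name>.*)"$'
)

# Constructed heuristic list: display names that identify no particular application.
GENERIC_NAMES = {"services", "service", "system", "windows", "update"}


def parse_gop_list(text: str) -> list[OpenPort]:
    """Parse every GloballyOpenPorts\\List key found in a .reg export."""
    entries: list[OpenPort] = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key").lower()
            profile = None
            if key.endswith(r"\globallyopenports\list"):
                # ...\firewallpolicy\<profile>\globallyopenports\list
                profile = key.split("\\")[-3]
            continue
        if profile is None:
            continue  # values under some other key are ignored
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        entries.append(OpenPort(
            profile=profile,
            port=int(value_match.group("port")),
            proto=value_match.group("proto"),
            scope=value_match.group("scope"),
            enabled=value_match.group("state") == "Enabled",
            name=value_match.group("name"),
        ))
    return entries


def wildcard_entries(entries: list[OpenPort]) -> list[OpenPort]:
    """Enabled exceptions reachable from any remote address."""
    return [e for e in entries if e.enabled and e.scope == "*"]


def suspicious_entries(entries: list[OpenPort]) -> list[OpenPort]:
    """Wildcard-scope exceptions whose name is neither a Windows resource
    string nor an application name (heuristic: a bare generic word)."""
    return [e for e in wildcard_entries(entries)
            if not e.name.startswith("@") and e.name.strip().lower() in GENERIC_NAMES]


def report(text: str) -> list[str]:
    """One line per flagged entry, e.g. 'standardprofile 65533/TCP open to * as "Services"'."""
    return [f'{e.profile} {e.port}/{e.proto} open to {e.scope} as "{e.name}"'
            for e in suspicious_entries(parse_gop_list(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_REG):
        print(line)
```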
Re: ebay paypal redirect/hijack

Hello again Yolinda,

Since you cannot get MBAM to scan, I need you to run the GooredFix tool, a SUPERAntiSpyware scan and a rootkit scan.

Please read and take note:


Step 1. Please download >>> GooredFix <<< from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Let me know if you are still being redirected after that.

Step 2. SUPERAntiSpyware, NOTE: SAS may take a long time to scan

Please download and scan with >>> SUPERAntiSpyware Free <<<

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):

    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.

  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.

    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.

  • Click Close to exit the program.

Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Step 3. We need to Scan for Rootkits.

Credit to Quietman for this canned speech.
The speed and ability to complete a scan depends on a variety of factors.

  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
Before performing an anti-rootkit (ARK) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc) be aware that they use rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative or anti-rootkit (ARK) tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode.

Since CD Emulators use a hidden driver which can be seen as a rootkit and interfere with providing accurate results or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.

Step 4. * Disable CD-ROM Emulation Software.

DeFogger - Disable


  1. Please download >>> DeFogger <<< to your desktop.

    Double click DeFogger to run the tool.

    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Step 5. * Rootkit Scan with Gmer.

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Some ARK scanners have settings which you can adjust if the scan hangs or freezes while others do not. If that's the case and you still cannot complete a scan, then try another ARK.
Summary of the logs I will need in your next reply:


  • The Gooredfix report log.
  • SuperAntispyware report log.
  • Gmer rootkit report log.

How are things at your end, Yolinda?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Again, please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer

(Gunsmoke)

............................................................................................

Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!
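Once the SUPERAntiSpyware log comes back, a helper mostly wants to know how many detections there are per category and per user profile, and whether the pasted copy is complete. As an added example (my own script, not part of the post above and not a SUPERAntiSpyware tool), here is a small Python summarizer. It assumes the log layout shown in this thread: "X items scanned : N" / "X threats detected : N" counter lines, then a category name followed by one registry key or file path per line, with groups separated by blank lines. The sample log embedded in it is constructed; the profile names, SID and cookie hosts are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout SUPERAntiSpyware writes; profile names, the
# SID and the cookie hosts are placeholders, not values from a real machine.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2010 at 10:00 AM

Application Version : 4.35.1002

Core Rules Database Version : 4802
Trace Rules Database Version: 2614

Scan type : Complete Scan
Total Scan Time : 00:10:00

Memory items scanned : 200
Memory threats detected : 0
Registry items scanned : 5000
Registry threats detected : 1
File items scanned : 100000
File threats detected : 3

Adware.Example
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}

Adware.Tracking Cookie
C:\Documents and Settings\user1\Cookies\user1@tracker-a[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\user1@tracker-b[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\user1@tracker-b[2].txt
"""

# "Memory items scanned : 254" / "File threats detected : 403" style counter lines.
COUNTER_RE = re.compile(r"^(Memory|Registry|File) (items scanned|threats detected)\s*:\s*(\d+)$")
# Pull the profile name out of an XP-style "C:\Documents and Settings\<name>\..." path.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
REGISTRY_PREFIXES = ("HKU\\", "HKLM\\", "HKCU\\", "HKCR\\", "HKEY_")


def parse_sas_log(text):
    """Return (counters, detections).

    counters maps e.g. "file_threats" -> 403; detections maps a category name
    ("Adware.Tracking Cookie") to the list of registry keys / file paths under it.
    """
    counters = {}
    detections = {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current group
            category = None
            continue
        m = COUNTER_RE.match(line)
        if m:
            key = f"{m.group(1).lower()}_{m.group(2).split()[0]}"
            counters[key] = int(m.group(3))
            continue
        if category is None:
            # The first line of a group after the counters is the category name;
            # banner lines before the counters are skipped.
            if counters and "\\" not in line and ":" not in line:
                category = line
                detections.setdefault(category, [])
            continue
        detections[category].append(line)
    return counters, detections


def summarize(detections):
    """Counts per category, per user profile, and registry vs file detections."""
    by_category = Counter({cat: len(paths) for cat, paths in detections.items()})
    by_profile = Counter()
    kinds = Counter()
    for paths in detections.values():
        for path in paths:
            kinds["registry" if path.upper().startswith(REGISTRY_PREFIXES) else "file"] += 1
            m = PROFILE_RE.match(path)
            if m:
                by_profile[m.group(1)] += 1
    return by_category, by_profile, kinds


def check_complete(counters, detections):
    """Compare the header totals with the entries actually listed.

    Returns (expected, listed, complete). A shortfall means the paste was cut
    off (forum length limits do this), not that the missing items were clean.
    """
    expected = sum(v for k, v in counters.items() if k.endswith("_threats"))
    listed = sum(len(paths) for paths in detections.values())
    return expected, listed, expected == listed


if __name__ == "__main__":
    counters, detections = parse_sas_log(SAMPLE_LOG)
    by_category, by_profile, kinds = summarize(detections)
    print("by category:", dict(by_category))
    print("by profile: ", dict(by_profile))
    print("kinds:      ", dict(kinds))
    print("complete:   ", check_complete(counters, detections))
```

The per-profile count is the quick way to see whether detections sit under accounts other than the one the scan was run from, which matters because of the note above that SAS only opens the registry hive of the current account. The completeness check compares the header totals with the paths actually pasted; when they disagree, ask for the log to be attached or split rather than treating the missing entries as clean.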

Re: ebay paypal redirect/hijack

Hi Net_Surfer,

I have to re-run Gmer, I forgot to hit the save button before I closed it, but here are the logs from the other two scans... will have gmer later.

GooredFix by jpshortstuff (08.01.10.1)
Log created at 17:26 on 13/04/2010 (yo)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:28 15/10/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [20:13 12/04/2010]

C:\Documents and Settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [15:31 15/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:09 15/08/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="c:\program files\real\realplayer\browserrecord\firefox\ext" [01:43 29/09/2009]
"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2" [00:34 05/04/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:12 12/04/2010]

-=E.O.F=-


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2010 at 08:54 PM

Application Version : 4.35.1002

Core Rules Database Version : 4802
Trace Rules Database Version: 2614

Scan type : Complete Scan
Total Scan Time : 03:08:50

Memory items scanned : 254
Memory threats detected : 0
Registry items scanned : 7876
Registry threats detected : 10
File items scanned : 258345
File threats detected : 403

Adware.Gamevance
HKU\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

Adware.Tracking Cookie
C:\Documents and Settings\yo\Cookies\yo@tacoda[1].txt
C:\Documents and Settings\yo\Cookies\yo@2o7[2].txt
C:\Documents and Settings\yo\Cookies\yo@readersdigest.122.2o7[1].txt
C:\Documents and Settings\yo\Cookies\yo@at.atwola[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@1.sharkadnetwork[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@2o7[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@2o7[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@a1.interclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@a1.interclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@a1.interclick[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@a1.interclick[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@a1.interclick[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.allvoices[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.cozycot[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.wsod[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.wsod[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.wsod[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad.zanox[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ad1.clickhype[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adbrite[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adbrite[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adbrite[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adecn[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adinterax[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adinterax[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adinterax[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.active[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.adap[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.adultswim[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.associatedcontent[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.associatedcontent[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.audxch[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.aws.sitepoint[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.belointeractive[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.belointeractive[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.biglots[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.bleepingcomputer[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.cnn[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.foodbuzz[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.funadvice[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.glispa[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.meredithads[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.monster[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.monster[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.monster[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.nexstardigital[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.ogdenpubs[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.oneplace[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.oneplace[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.pgatour[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.pgatour[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.pointroll[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.somd[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.starfields[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.supplyframe[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.supplyframe[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.techguy[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.techguy[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.undertone[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.undertone[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.undertone[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads.widgetbucks[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ads1.ag[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adserver.adtechus[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adserver.adtechus[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adstats.cdfreaks[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adtrack.tlsolutions[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@adultswim[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@aff.primaryads[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@at.atwola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@at.atwola[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@at.atwola[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@at.atwola[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@at.atwola[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@avgtechnologies.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@banner4sale[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@bannerstandpros[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@beacon.dmsinsights[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@beacon.dmsinsights[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@beacon.dmsinsights[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@bs.serving-sys[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@burstbeacon[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@burstbeacon[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@cb.adbureau[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@cb.adbureau[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@cb.adbureau[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@cct.clickable[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@cdn4.specificclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@cdn4.specificclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@centralmediaserver[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@chitika[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@chitika[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.circuitcity-online[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.circuitcity-online[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.circuitcity-online[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.compusaonline[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.compusaonline[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.compusaonline[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click.mediadome[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@click2go[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@clickaider[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@clickintext[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@clickiq[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@clicksor[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@clicktorrent[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@coedmediagroup[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@collective-media[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@collective-media[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@content.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@content.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@content.yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@content.yieldmanager[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@content.yieldmanager[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@content.yieldmanager[6].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@counter.cnw[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@counter.inkfrog[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@counter.inkfrog[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@counter.marketplaceadvisor.channeladvisor[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@counter.rewardsnetwork[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@coxhsi.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@coxhsi.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@dc.tremormedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@dc.tremormedia[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@decho.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@dmtracker[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@dmtracker[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@dmtracker[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@dmtracker[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@draftfcb.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@e-2dj6wjny-1iajad.stats.esomniture[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ecnext.advertserve[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@emailfinder[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@embed.trafficland[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@epilot.hamptonroads[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ettrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ext-us.bestofmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@eyewonder[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@eyewonder[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@eyewonder[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@farecastcom.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@find.t-mobile[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@findlaw[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@google.lucidmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@gotquestions[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@healthinsurancefinders[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@healthinsurancefinders[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@hookedmediagroup[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@imrworldwide[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@imrworldwide[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@imrworldwide[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@insightexpressai[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@interclick[6].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@invitemedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@invitemedia[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@jra.advertserve[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@kaspersky.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@kaspersky.122.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@kontera[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@link.mercent[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@liveperson[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@lockedonmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@lockedonmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.causes[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.legacy[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.medhelp[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.photobucket[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.photobucket[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media.photobucket[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media303[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@media6degrees[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mediafire[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mediafire[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mediapromoter[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mmaadnet.ad-control-panel[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@mogo-media[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@myroitracking[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@myroitracking[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@nextag[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@nitropayouts.directtrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@optimize.indieclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@overture[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@paypal.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@paypal.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@paypal.112.2o7[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@peoplefinders[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pickenscountyscbeekeepers[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pointroll[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pointroll[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pointroll[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@popcapgames.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@popcapgames.122.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@precisionclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@pview.findlaw[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@questionmarket[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@questionmarket[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@realmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@retractable-banner-stands[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@retractable-banner-stands[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@revsci[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@richmedia.yahoo[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@roi.clicklab[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@rotator.adjuggler[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@ru4[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@s.clickability[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@samsclub.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@sdctrack.thomasnet[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@server.iad.liveperson[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@server.iad.liveperson[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@server.iad.liveperson[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@serving-sys[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@signbanners[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@snap9.advertserve[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificclick[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@specificmedia[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stat.dealtime[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.crayola[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.gamestop[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.gamestop[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.paypal[6].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stats.zmags[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@stmediagroup[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@super.kitnmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tacoda[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tacoda[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tacoda[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@teenmania[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@theaccountspayablenetwork[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@thefind[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@thefind[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@thefind[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tns-counter[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@track.bestbuy[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tracking.mivhydra[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@traffic.prod.cobaltgroup[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@trafficmp[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tribalfusion[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@tribalfusion[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@triplediscountdisplays[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@upclick[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@usatoday1.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@user-activity-tracking[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@usnews.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@video.izv.user.madbanner[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@vinylbannersandsigns[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@virginmedia[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@vpmc.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@vpmc.122.2o7[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@web4.realtracker[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.adxtrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.bannerstandpros[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.burstnet[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.burstnet[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.clickmanage[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.co2stats[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.findaccountingsoftware[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.googleadservices[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.googleadservices[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.googleadservices[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.googleadservices[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.googleadservices[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.gotquestions[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.healthinsurancefinders[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.hookedmediagroup[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.linktrack66[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.mogo-media[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.paypal-media[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.pdmtrack[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.theaccountspayablenetwork[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.theaccountspayablenetwork[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.triplediscountdisplays[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@www.virginmedia[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yellowpages.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[4].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@yieldmanager[5].txt
C:\Documents and Settings\HelpAssistant\Cookies\yo@zanox[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@a1.interclick[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@a1.interclick[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.wsod[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.wsod[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ad.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adbrite[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adinterax[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adinterax[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ads.oneplace[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ads.pgatour[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ads.pointroll[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@adserver.adtechus[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@at.atwola[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@azjmp[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@bs.serving-sys[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@cb.adbureau[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@cb.adbureau[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@cdn4.specificclick[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@centralmediaserver[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@chitika[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@click.circuitcity-online[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@click.circuitcity-online[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@click.compusaonline[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@collective-media[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@content.yieldmanager[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@coxhsi.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@decho.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@eyewonder[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@farecastcom.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@healthinsurancefinders[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@imrworldwide[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@imrworldwide[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@imrworldwide[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@insightexpressai[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@insightexpressai[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@interclick[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@invitemedia[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@invitemedia[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@kaspersky.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@media6degrees[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@media6degrees[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@paypal.112.2o7[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@paypal.112.2o7[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@pointroll[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@pointroll[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@popcapgames.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@pro-market[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@questionmarket[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@readersdigest.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@revsci[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@revsci[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@revsci[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@richmedia.yahoo[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@richmedia.yahoo[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@ru4[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@serving-sys[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@specificclick[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@specificmedia[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@stats.paypal[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@stats.paypal[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@tacoda[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@tacoda[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@trafficmp[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@usnews.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@vpmc.122.2o7[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@web4.realtracker[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@www.googleadservices[1].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@www.googleadservices[2].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@www.googleadservices[3].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@www.googleadservices[4].txt
C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@www.healthinsurancefinders[1].txt
C:\Documents and Settings\yo\Cookies\yo@adserver.adtechus[1].txt
C:\Documents and Settings\yo\Cookies\yo@azjmp[2].txt
C:\Documents and Settings\yo\Cookies\yo@chitika[1].txt
C:\Documents and Settings\yo\Cookies\yo@collective-media[1].txt
C:\Documents and Settings\yo\Cookies\yo@insightexpressai[1].txt
C:\Documents and Settings\yo\Cookies\yo@interclick[1].txt
C:\Documents and Settings\yo\Cookies\yo@media6degrees[1].txt
C:\Documents and Settings\yo\Cookies\yo@revsci[1].txt
C:\Documents and Settings\yo\Cookies\yo@tacoda[2].txt
C:\Documents and Settings\yo\Cookies\yo@trafficmp[2].txt

Adware.MyWebSearch/FunWebProducts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

Re: ebay paypal redirect/hijack
Hello Yolinda,

When you run GMER, ensure that it is run with the Sections option enabled.

............................................................................................

Obstacles are what you see when you take your eyes off your GOALS
Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

Re: ebay paypal redirect/hijack
I forgot to tell you.... whenever I reboot, I get a small window that opens just before the final Windows logo comes up. At the top of the window in the title bar there are four squares, then c:\windows\system32\mui\040\xpsplres.dll\, then in the window are a couple of squares. At the bottom are a couple of buttons; I have to press one to finish loading Windows. Sometimes the title bar has just squares and other symbols instead of that path showing.

GMER log coming soon

Re: ebay paypal redirect/hijack
yolinda wrote:
I forgot to tell you.... whenever I reboot, I get a small window that opens just before the final Windows logo comes up. At the top of the window in the title bar there are four squares, then c:\windows\system32\mui\040\xpsplres.dll\, then in the window are a couple of squares. At the bottom are a couple of buttons; I have to press one to finish loading Windows. Sometimes the title bar has just squares and other symbols instead of that path showing.

GMER log coming soon

Hi Yolinda.

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
    Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to run a .reg file.

1. Copy the following into Notepad (Start>Run>"notepad"). Do not copy the word "code".

Code:

Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"legalnoticecaption"=-
"legalnoticetext"=-
"legalnoticecaption"=""
"legalnoticetext"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;

2. Click File, then Save As... .
3. Click Desktop on the left.
4. Under the Save as type dropdown, select All Files.
5. In the box File Name, input fix.reg
6. Hit Ok. It should look like this ---> (screenshot omitted)
7. Double click fix.reg. A message box will pop up asking whether you want to merge the file with the registry. Click "yes". Once complete, click "ok".
After you have done all of that, reboot your computer and let me know if you still have those little pop-up windows.

Regards
Net_Surfer
(Gunsmoke)

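The merge above works line by line: a value written as "name"=- is deleted, and the following "name"="" recreates it as an empty string, so each logon-notice value ends up present but blank. The Python below is an added example for this thread, not code from the helper or from any tool mentioned here; it reads a .reg file in exactly that format and applies it to a constructed in-memory snapshot of the two keys (the "before" data strings are hypothetical), then lists which logon-notice values still hold data. It is a way to preview what a fix file will do before merging it on a real machine; it never touches the Windows registry itself.

```python
import re
from typing import Dict, List, Tuple

Registry = Dict[str, Dict[str, str]]  # key path -> {value name: REG_SZ data}

# The fix file posted in the thread, verbatim.
FIX_REG = r'''Windows Registry Editor Version 5.00
;
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"legalnoticecaption"=-
"legalnoticetext"=-
"legalnoticecaption"=""
"legalnoticetext"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=-
"LegalNoticeText"=-
"system"=-
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"system"=""
;
'''

POLICIES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed "before" snapshot; the data strings are hypothetical, not from the thread.
SAMPLE_BEFORE: Registry = {
    POLICIES_KEY: {
        "LegalNoticeCaption": "Warning",
        "LegalNoticeText": "hypothetical notice text planted by adware",
    },
    WINLOGON_KEY: {
        "Shell": "Explorer.exe",
        "LegalNoticeCaption": "Warning",
        "LegalNoticeText": "hypothetical notice text planted by adware",
        "System": "hypothetical.exe",  # Winlogon\System: run at logon in system context; normally empty
    },
}

# "name"=data, where data is - (delete) or a quoted REG_SZ string
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def _lookup(mapping: dict, name: str) -> str:
    """Registry key and value names are case-insensitive: return the stored spelling."""
    for existing in mapping:
        if existing.casefold() == name.casefold():
            return existing
    return name


def _unescape(text: str) -> str:
    return text.replace('\\"', '"').replace('\\\\', '\\')


def apply_reg(reg_text: str, registry: Registry) -> Registry:
    """Apply a .reg file line by line to a copy of the snapshot and return the result.
    Supports the subset the fix uses: [key], [-key], "name"=-, "name"="string"."""
    result: Registry = {k: dict(v) for k, v in registry.items()}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # [-HKEY_...] deletes the whole key
                result.pop(_lookup(result, key[1:]), None)
                current = None
            else:
                current = _lookup(result, key)
                result.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unsupported .reg line: {raw!r}")
        name, data = _lookup(result[current], _unescape(m.group(1))), m.group(2)
        if data == "-":                        # "name"=- deletes the value
            result[current].pop(name, None)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            result[current][name] = _unescape(data[1:-1])
        else:
            raise ValueError(f"only REG_SZ data and deletion are supported: {raw!r}")
    return result


def set_logon_notice_values(registry: Registry) -> List[Tuple[str, str, str]]:
    """(key, value, data) for the logon-notice values that currently hold any data.
    These are what produce an extra dialog before the desktop appears."""
    watched = {"legalnoticecaption", "legalnoticetext", "system"}
    hits = []
    for key in (POLICIES_KEY, WINLOGON_KEY):
        for name, data in registry.get(_lookup(registry, key), {}).items():
            if name.casefold() in watched and data:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    after = apply_reg(FIX_REG, SAMPLE_BEFORE)
    print("before:", set_logon_notice_values(SAMPLE_BEFORE))
    print("after: ", set_logon_notice_values(after))
```

Running it shows five populated values before the merge and none after, while unrelated values such as Shell are left alone. On a real machine the same check is done by reading the two keys with Registry Editor after the merge.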

sophos log
Hi Net_Surfer,

I tried to run GMER several times; it would run for 8+ hours, then sometime after that the computer either rebooted or shut down, so I ran Sophos. It did not create a log file that I found, but I did a screen shot of the results and I am uploading that. I will try to run GMER again this evening.

Re: ebay paypal redirect/hijack
See if you can run GMER in Safe Mode, and ensure that the SECTIONS option is checked before you run it.

Can you update me on how your computer is acting?

Do you still have the same problems?

I need you to update me, when you reply back, on how your computer is reacting at each step of the way; I need the information so I can think of what tool to use to fix your problem.

You need to update your system.

Hackers are exploiting some new holes in Adobe and Java, and there are new versions for you to download again. So please update Java and Adobe; you can read more about this here:


http://www.computerworld.com/s/article/9175499/Hackers_exploit_new_Java_zero_day_bug

http://blogs.zdnet.com/security/?p=6135&tag=nl.e539


Please follow my next set of steps:

Step 1. TFC (Temp File Cleaner)
Let's clean up the temp files and make sure there aren't any other leftovers.

Download TFC to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies.)

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
  • It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  • TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Step 2. FREE ESET Online Virus Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using the ESET online scanner it is possible for us to find leftover or missed malware files on your computer, and we can then further clean up your computer.

You can use either Internet Explorer or Mozilla FireFox for this scan.

  1. Please go here, then click on the ESET Online Scanner button.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.


  2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.

  • Check "YES, I accept the Terms of Use".
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Scan archives".
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats.
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. The logfile will be located at C:\Program Files\ESET\EsetOnlineScanner\log.txt. Include the contents of this report in your next reply.
    Note: If ESET finds no bad files it will NOT produce a log. This is normal.
  • Push the Back button.
  • Push Finish.
  • Note for Vista Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
    (Animation by neomage omitted.)
    **Note**
    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs

    • Turn off the real time scanner of any existing anti-virus program while performing the online scan.

    Please reply back with the ESET Online Scan and GMER report logs.


    Re: ebay paypal redirect/hijack
    Hi Net_Surfer,

    Well, the good news is the windows at start up are gone now.
    Ran TFC and it cleared out all the temporary files that were still lurking on the computer..... Updated Adobe and Java....

    The bad news is I ran GMER in safe mode, and it ran for over 12 hours. I went to save the log and got an error that said "Windows was unable to save the data for the file \Device\HarddiskVolume1\Windows\System32. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere." Then the computer completely froze. Could not even ctrl-alt-delete. Had to reboot. Pretty frustrating, the computer almost became a flying object....

    Re: ebay paypal redirect/hijack
    ebay and paypal redirects are back...

    ESET log
    Hello...

    Here is the ESET log.... Going to try GMER again; do I need all the boxes on the right checked, or just Sections? Thank you

    C:\Documents and Settings\HelpAssistant\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined
    C:\Documents and Settings\HelpAssistant.LINDAS\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined
    C:\Documents and Settings\yo\DoctorWeb\Quarantine\autorun.inf Win32/AutoRun.FS worm cleaned by deleting - quarantined

    GMER log
    Hi Net_Surfer,

    Good news! I finally got GMER to run and give me a log!!! I ran it with just the System, Sections and Services boxes checked, so if you need me to run it again, please let me know which options you need me to check. I think having everything checked was too much info and too long of a scan, but I can do separate scans with different options checked if you need me to. Here is the log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-18 12:13:32
    Windows 5.1.2600 Service Pack 3
    Running: urm8osfb.exe; Driver: C:\DOCUME~1\yo\LOCALS~1\Temp\uwtdapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT AF0E8B0E ZwCreateKey
    SSDT AF0E8B04 ZwCreateThread
    SSDT AF0E8B13 ZwDeleteKey
    SSDT AF0E8B1D ZwDeleteValueKey
    SSDT AF0E8B22 ZwLoadKey
    SSDT AF0E8AF0 ZwOpenProcess
    SSDT AF0E8AF5 ZwOpenThread
    SSDT AF0E8B2C ZwReplaceKey
    SSDT AF0E8B27 ZwRestoreKey
    SSDT AF0E8B18 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB8E8D380, 0x346307, 0xE8000020]
    .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA827A400, 0x87EE2, 0xE8000020]
    .protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA831E620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA831E620]
    .protectÿÿÿÿhardlockunknown last code section [0xA831E400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA831E400, 0x5126, 0xE0000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E52862
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E526EE
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E527E0
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E52726
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[256] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E5275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 029B2862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!send 71AB4C27 5 Bytes JMP 029B26EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 029B27E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!recv 71AB676F 5 Bytes JMP 029B2726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[304] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 029B275E
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CF2862
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CF26EE
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01CF27E0
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01CF2726
    .text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01CF275E
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E82862
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E826EE
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E827E0
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E82726
    .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[552] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E8275E
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01992862
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019926EE
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019927E0
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01992726
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[560] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199275E
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F02862
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F026EE
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F027E0
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F02726
    .text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[836] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F0275E
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01542862
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015426EE
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015427E0
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01542726
    .text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0154275E
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01022862
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010226EE
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010227E0
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01022726
    .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1328] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0102275E
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011E2862
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011E26EE
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011E27E0
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011E2726
    .text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011E275E
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01292862
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012926EE
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012927E0
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01292726
    .text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1512] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0129275E
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F52862
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F526EE
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F527E0
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F52726
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[1520] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F5275E
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010C2862
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010C26EE
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010C27E0
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010C2726
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[1532] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010C275E
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D52862
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D526EE
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D527E0
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D52726
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1704] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D5275E
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 012E2862
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012E26EE
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012E27E0
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012E2726
    .text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[2440] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 012E275E
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01982862
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019826EE
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019827E0
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01982726
    .text C:\Program Files\MagicTune Premium\MagicTune.exe[2812] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0198275E
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00992862
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009926EE
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009927E0
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00992726
    .text C:\WINDOWS\System32\snmp.exe[3084] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0099275E
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012026EE
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012027E0
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01202726
    .text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0120275E
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C22862
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C226EE
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C227E0
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C22726
    .text C:\WINDOWS\System32\alg.exe[3644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2275E
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00972862
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009726EE
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 009727E0
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00972726
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[3748] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0097275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E02862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E026EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E027E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E02726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[4108] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E0275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E02862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E026EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E027E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E02726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[4184] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E0275E
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01E62862
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01E626EE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01E627E0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01E62726
    .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[4528] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01E6275E

    ---- EOF - GMER 1.0.15 ----
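
The User code sections above show the same five Winsock exports (closesocket, send, recv, WSARecv, WSASend) patched with a 5-byte JMP in every listed process, each jumping to an address GMER does not attribute to any module, while the kernel32!WriteFile hook in SearchIndexer.exe is attributed to mssrch.dll. The Python below is an added example, not code from the thread or from GMER; it parses lines in this format and summarizes which exports are hooked system-wide to unattributed targets, and groups each process's hook targets by 64 KiB region so an analyst can see that all of a process's hooks land in one injected region. The sample input is an excerpt of the log above. Whether such hooks belong to installed security software (the log shows Avira AntiVir on this machine) or to malware is something the summary cannot decide by itself; it only isolates what needs to be cross-checked.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Excerpt of the GMER log posted above (a subset of its User code sections).
SAMPLE_LOG = r"""---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CF2862
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CF26EE
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01CF27E0
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01CF2726
.text C:\WINDOWS\Explorer.EXE[376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01CF275E
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01202862
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012026EE
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012027E0
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01202726
.text C:\WINDOWS\system32\SearchIndexer.exe[3240] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0120275E
.text C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015426EE

---- EOF - GMER 1.0.15 ----
"""

# One "User code sections" line: .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner>]
# The trailing owner is present only when GMER can attribute the JMP target to a loaded module.
_HOOK_LINE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+))?$"
)


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str            # lower-cased so WS2_32.dll and ws2_32.dll group together
    func: str
    addr: int              # patched address inside the export
    size: int              # bytes overwritten by the JMP
    target: int            # where the JMP goes
    owner: Optional[str]   # module GMER attributed the target to, if any

    @property
    def name(self) -> str:
        return f"{self.module}!{self.func}"


def parse_gmer_user_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = _HOOK_LINE.match(line.strip())
        if m:
            hooks.append(Hook(process=m["process"], pid=int(m["pid"]),
                              module=m["module"].lower(), func=m["func"],
                              addr=int(m["addr"], 16), size=int(m["size"]),
                              target=int(m["target"], 16), owner=m["owner"]))
    return hooks


def processes_per_hook(hooks: List[Hook]) -> Dict[str, Set[int]]:
    """module!export -> PIDs in which that export is patched."""
    out: Dict[str, Set[int]] = defaultdict(set)
    for h in hooks:
        out[h.name].add(h.pid)
    return dict(out)


def unattributed_systemwide(hooks: List[Hook], min_processes: int = 2) -> List[str]:
    """Exports whose JMP target GMER could not attribute to any module and which
    recur in at least min_processes processes: the pattern of one injected stub
    reaching every process. Cross-check against installed security software."""
    pids: Dict[str, Set[int]] = defaultdict(set)
    for h in hooks:
        if h.owner is None:
            pids[h.name].add(h.pid)
    return sorted(name for name, p in pids.items() if len(p) >= min_processes)


def injected_regions(hooks: List[Hook]) -> Dict[int, Set[int]]:
    """Per PID, the 64 KiB-aligned bases of the unattributed JMP targets.
    A single base per process means all its hooks land in one small region."""
    regions: Dict[int, Set[int]] = defaultdict(set)
    for h in hooks:
        if h.owner is None:
            regions[h.pid].add(h.target & ~0xFFFF)
    return dict(regions)


if __name__ == "__main__":
    hooks = parse_gmer_user_hooks(SAMPLE_LOG)
    for name, pids in sorted(processes_per_hook(hooks).items()):
        print(f"{name:28s} hooked in {len(pids)} process(es)")
    print("system-wide, unattributed:", unattributed_systemwide(hooks))
    for pid, bases in sorted(injected_regions(hooks).items()):
        print(f"pid {pid}: targets in region(s) {[hex(b) for b in bases]}")
```

On the excerpt, the five Winsock exports are flagged and the WriteFile hook is not, and each process's Winsock targets fall in exactly one 64 KiB region (0x01CF0000 for Explorer.EXE, 0x01200000 for SearchIndexer.exe). Fed the full log, the same code gives a quick inventory of what to compare against the installed AV's own hooking behaviour before anything is removed.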

    Re: ebay paypal redirect/hijack
    Hi Yolinda,

    Please right click on the ComboFix icon on your desktop and select Delete.

    Then use the same steps that I gave you before, download it again and run it....... After that, paste the log here.

    ............................................................................................

    Obstacles are what you see when you take your eyes off your GOALS
    Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

    ComboFix Log

    Hi Net_Surfer,

    Great news.... ComboFix ran with no problems this time! I did accidentally forget to rename it and ran it first just from the download, but then deleted that version and downloaded it again with the "commy" rename and ran with your command line. I don't know if that would affect the scan you wanted, so I wanted to let you know just in case. I do have the log from the first scan also if you need me to post it.

    Here is the log from the second scan, run as you instructed:

    ComboFix 10-04-18.04 - yo 04/19/2010 9:33.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1066 [GMT -4:00]
    Running from: c:\documents and settings\yo\desktop\commy.exe
    Command switches used :: /stepdel
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
    2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-13 21:37 . 2010-04-13 21:37 52224 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-13 21:37 . 2010-04-19 01:45 117760 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
    2010-04-12 22:34 . 2010-04-12 22:34 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\.SunDownloadManager
    2010-04-12 22:10 . 2010-04-12 22:10 -------- d-----w- C:\_OTL
    2010-04-12 20:13 . 2010-04-12 20:13 61440 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-sse.dll
    2010-04-12 20:13 . 2010-04-12 20:13 503808 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcp71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 499712 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\jmc.dll
    2010-04-12 20:13 . 2010-04-12 20:13 348160 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcr71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 12800 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-d3d.dll
    2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
    2010-04-12 02:40 . 2010-04-12 02:40 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
    2010-04-12 02:40 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
    2010-04-12 02:19 . 2010-04-12 02:19 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IECompatCache
    2010-04-12 02:04 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\GoToAssistDownloadHelper.exe
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\DoctorWeb
    2010-04-11 22:23 . 2010-04-11 22:23 -------- d-----w- C:\HelpAsst_backup
    2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-04-06 14:15 . 2010-04-11 13:45 -------- d-----w- c:\documents and settings\yo\DoctorWeb
    2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
    2010-04-05 21:46 . 2010-04-05 22:52 -------- d-----w- c:\windows\system32\NtmsData
    2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
    2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
    2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
    2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
    2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
    2010-04-05 01:04 . 2010-04-19 13:23 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
    2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
    2010-04-04 20:11 . 2010-04-04 21:03 -------- d-----w- C:\commy
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\program files\NOS
    2010-04-04 08:54 . 2003-04-21 19:18 52608 ----a-r- c:\windows\system32\drivers\nvatabus_2.sys
    2010-04-04 08:50 . 2010-04-04 08:52 -------- d-----w- C:\Combo-Fix
    2010-04-04 07:36 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 07:36 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 23:05 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant\PNPrint3.exe
    2010-03-30 22:41 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-03-24 13:38 . 2009-09-09 14:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
    2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
    2010-03-20 23:23 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 04:21 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
    2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
    2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
    2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
    2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
    2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
    2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
    2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
    2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
    2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
    2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 16:50 . 2008-01-13 03:02 205416 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
    2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
    2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
    2010-02-25 22:41 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-25 22:41 . 2010-02-23 21:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:38 . 2010-02-24 15:38 50354 ----a-w- c:\documents and settings\yo\Application Data\Facebook\uninstall.exe
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-02-23 19:29 . 2010-02-23 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-23 17:10 . 2010-02-23 17:07 1752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-23 16:30 . 2010-02-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-23 16:29 . 2010-02-23 16:29 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-21 12:05 . 2010-02-21 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-02-18 14:53 . 2010-02-18 14:53 -------- d-----w- c:\program files\Microsoft IntelliType Pro
    2010-02-18 14:50 . 2010-02-18 14:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\yo\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-19_13.13.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_900.dat
    + 2010-04-19 13:33 . 2010-04-19 13:33 16384 c:\windows\Temp\Perflib_Perfdata_88c.dat
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
    + 2010-04-19 13:33 . 2010-04-19 13:33 16384 c:\windows\Temp\Perflib_Perfdata_2d8.dat
    + 2010-04-19 13:32 . 2010-04-19 13:32 16384 c:\windows\Temp\Perflib_Perfdata_144.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\yo\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
    2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "rpcapd"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "MyWebSearchService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5823:TCP"= 5823:TCP:Services
    "5824:TCP"= 5824:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "4603:TCP"= 4603:TCP:Services
    "7706:TCP"= 7706:TCP:Services
    "6699:TCP"= 6699:TCP:Services
    "6698:TCP"= 6698:TCP:Services
    "7478:TCP"= 7478:TCP:Services
    "7479:TCP"= 7479:TCP:Services
    "7589:TCP"= 7589:TCP:Services
    "7590:TCP"= 7590:TCP:Services

    R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
    S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-19 09:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x889A9A80]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf768bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf74a0852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x885bf8f0
    PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
    SendHandler -> NDIS.sys @ 0xf795a87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\63.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
    "D-Code"="9943096400"
    "U-Code"="Demo"
    "S-Code"="4973197477"
    "C-Code"="2108728324272124"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-19 09:50:19
    ComboFix-quarantined-files.txt 2010-04-19 13:50
    ComboFix2.txt 2010-04-19 13:18

    Pre-Run: 60,579,667,968 bytes free
    Post-Run: 60,522,254,336 bytes free

    - - End Of File - - 1B7DDBC1094B96DDD95E45032EE48372

    Re: ebay paypal redirect/hijack

    Hi Yolinda,

    Please post the report log of the first scan with Combofix.

    Thank you
    Net_Surfer

    ............................................................................................

    Obstacles are what you see when you take your eyes off your GOALS
    Net_Surfer is a Graduate of BleepingComputer: Malware Removal Training Program. You too could train to help others!

    Re: ebay paypal redirect/hijack

    Here is the first scan....

    By the way, I am still getting the ebay & paypal redirects...


    ComboFix 10-04-18.04 - yo 04/19/2010 8:59.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1069 [GMT -4:00]
    Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\yo\Recent\Thumbs.db
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
    2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-13 21:37 . 2010-04-13 21:37 52224 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-13 21:37 . 2010-04-19 01:45 117760 ----a-w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
    2010-04-12 22:34 . 2010-04-12 22:34 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\.SunDownloadManager
    2010-04-12 22:10 . 2010-04-12 22:10 -------- d-----w- C:\_OTL
    2010-04-12 20:13 . 2010-04-12 20:13 61440 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-sse.dll
    2010-04-12 20:13 . 2010-04-12 20:13 503808 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcp71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 499712 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\jmc.dll
    2010-04-12 20:13 . 2010-04-12 20:13 348160 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1fba2ba1-n\msvcr71.dll
    2010-04-12 20:13 . 2010-04-12 20:13 12800 ----a-w- c:\documents and settings\yo\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e1e4669-n\decora-d3d.dll
    2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
    2010-04-12 02:41 . 2010-04-12 02:41 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
    2010-04-12 02:40 . 2010-04-12 02:40 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
    2010-04-12 02:40 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
    2010-04-12 02:19 . 2010-04-12 02:19 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IECompatCache
    2010-04-12 02:04 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\GoToAssistDownloadHelper.exe
    2010-04-12 02:04 . 2010-04-12 02:04 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\DoctorWeb
    2010-04-11 22:23 . 2010-04-11 22:23 -------- d-----w- C:\HelpAsst_backup
    2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
    2010-04-06 14:15 . 2010-04-11 13:45 -------- d-----w- c:\documents and settings\yo\DoctorWeb
    2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
    2010-04-05 21:46 . 2010-04-05 22:52 -------- d-----w- c:\windows\system32\NtmsData
    2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
    2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
    2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
    2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
    2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
    2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
    2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
    2010-04-05 01:04 . 2010-04-19 12:52 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
    2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
    2010-04-04 20:11 . 2010-04-04 21:03 -------- d-----w- C:\commy
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-04-04 19:57 . 2010-04-04 19:57 -------- d-----w- c:\program files\NOS
    2010-04-04 08:54 . 2003-04-21 19:18 52608 ----a-r- c:\windows\system32\drivers\nvatabus_2.sys
    2010-04-04 08:50 . 2010-04-04 08:52 -------- d-----w- C:\Combo-Fix
    2010-04-04 07:36 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-04 07:36 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-30 23:05 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant\PNPrint3.exe
    2010-03-30 22:41 . 2009-06-18 15:02 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-03-24 13:38 . 2009-09-09 14:29 199432 ----a-w- c:\windows\system32\drivers\neti1639.sys
    2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
    2010-03-20 23:23 . 2003-10-22 22:23 446464 ----a-w- c:\windows\system32\HHActiveX.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 04:21 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
    2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
    2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
    2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
    2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
    2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
    2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
    2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
    2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
    2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
    2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
    2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
    2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
    2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
    2010-03-22 16:50 . 2008-01-13 03:02 205416 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
    2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
    2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
    2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
    2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
    2010-02-25 22:41 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-25 22:41 . 2010-02-23 21:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 15:38 . 2010-02-24 15:38 50354 ----a-w- c:\documents and settings\yo\Application Data\Facebook\uninstall.exe
    2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-23 21:08 . 2010-02-23 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-02-23 19:29 . 2010-02-23 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-02-23 17:10 . 2010-02-23 17:07 1752 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-02-23 16:30 . 2010-02-23 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
    2010-02-23 16:29 . 2010-02-23 16:29 -------- d-----w- c:\program files\Common Files\iS3
    2010-02-21 12:05 . 2010-02-21 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-02-18 14:53 . 2010-02-18 14:53 -------- d-----w- c:\program files\Microsoft IntelliType Pro
    2010-02-18 14:50 . 2010-02-18 14:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\yo\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
    2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-14 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\yo\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - d:\erunt\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
    backup=c:\windows\pss\GammaTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
    backup=c:\windows\pss\NCProTray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
    2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
    2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "rpcapd"=3 (0x3)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "MyWebSearchService"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "5823:TCP"= 5823:TCP:Services
    "5824:TCP"= 5824:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "4603:TCP"= 4603:TCP:Services
    "7706:TCP"= 7706:TCP:Services
    "6699:TCP"= 6699:TCP:Services
    "6698:TCP"= 6698:TCP:Services
    "7478:TCP"= 7478:TCP:Services
    "7479:TCP"= 7479:TCP:Services

    R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
    S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
    S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
    S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

    2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-ActiveScan 2.0 - c:\program files\Panda Security\ActiveScan 2.0\as2uninst.exe
    AddRemove-Hard Disk Low Level Format Tool_is1 - a:\hddguru llf tool\unins000.exe
    AddRemove-ophcrack - c:\program files\ophcrack\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-19 09:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x894163A8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf768bf28
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xf74a0852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> 0x885958f0
    PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
    SendHandler -> NDIS.sys @ 0xf795a87b
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\63.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
    "D-Code"="9943096400"
    "U-Code"="Demo"
    "S-Code"="4973197477"
    "C-Code"="2108728324272124"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1140)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-04-19 09:18:02
    ComboFix-quarantined-files.txt 2010-04-19 13:18

    Pre-Run: 60,639,612,928 bytes free
    Post-Run: 60,608,466,944 bytes free

    - - End Of File - - 055EEEC8B7C7732A5AAE5ADD37CB1F3E
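The "Stealth MBR rootkit/Mebroot/Sinowal detector" section of the ComboFix log above reads sector 0 two ways, through the normal user-mode path and from the kernel side, and reports "user & kernel MBR OK" only when both copies agree; an MBR bootkit that hooks the disk stack hands user mode a clean copy while the real sector carries its loader. The Python below is an added example, not part of this thread or of the Gmer/ComboFix tools. It shows that comparison on two constructed 512-byte sectors (the "clean" and "hooked" bootstrap bytes and the single NTFS partition are made-up sample data) and parses the partition table so it is visible why a bootkit that leaves the table intact still shows as a mismatch.

```python
"""
MBR consistency check (added example; constructed data, does not touch a disk).

Layout of a classic MBR: 446 bytes of bootstrap code, four 16-byte partition
entries at offset 446, and the 0x55AA boot signature at offset 510.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sector-count(4 LE)
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Validate the sector and decode the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, type_id, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return entries


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the 446-byte code area only; the partition table is excluded."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def compare_views(user_view: bytes, kernel_view: bytes) -> Dict[str, object]:
    """
    Mirror the detector's check: both copies must parse, and the bootstrap code
    must match byte for byte. A bootkit normally keeps the partition table (so
    the machine still boots) and rewrites only the code area, so the result
    reports the two regions separately.
    """
    user_parts = parse_partition_table(user_view)
    kernel_parts = parse_partition_table(kernel_view)
    code_match = user_view[:PART_TABLE_OFFSET] == kernel_view[:PART_TABLE_OFFSET]
    table_match = user_parts == kernel_parts
    return {
        "mbr_ok": code_match and table_match,
        "bootstrap_code_match": code_match,
        "partition_table_match": table_match,
        "user_code_sha256": bootstrap_hash(user_view),
        "kernel_code_sha256": bootstrap_hash(kernel_view),
    }


def build_mbr(bootstrap: bytes, partitions: List[PartitionEntry]) -> bytes:
    """Assemble a constructed MBR for the demonstration (sample data, not a real disk)."""
    code = bootstrap.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b""
    for p in (partitions + [PartitionEntry(False, 0, 0, 0)] * 4)[:4]:
        table += struct.pack(PART_ENTRY_FMT, 0x80 if p.bootable else 0x00,
                             p.type_id, p.lba_start, p.sector_count)
    return code + table + BOOT_SIGNATURE


# Constructed sample: one bootable NTFS (type 0x07) partition starting at LBA 63.
SAMPLE_PARTS = [PartitionEntry(True, 0x07, 63, 117_186_417)]
# Stand-in "clean" boot code: a short jump followed by a recognisable marker.
CLEAN_MBR = build_mbr(b"\xeb\x3c\x90" + b"CLEAN-BOOTSTRAP", SAMPLE_PARTS)
# Kernel-side view where the code area was overwritten but the table kept intact.
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"HOOKED-LOADER", SAMPLE_PARTS)


def demo() -> Dict[str, Dict[str, object]]:
    """Run the comparison for the clean/clean and clean/infected cases."""
    return {
        "clean_vs_clean": compare_views(CLEAN_MBR, CLEAN_MBR),
        "clean_vs_infected": compare_views(CLEAN_MBR, INFECTED_MBR),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "MBR OK" if result["mbr_ok"] else "MISMATCH", result)
```

On a live system the two inputs would be the sector as returned by the normal ReadFile path on \\.\PhysicalDrive0 and the sector as read below any hooked driver; the point of the split result is that an intact partition table is no evidence of a clean MBR.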

    eset log
    Hi Net_Surfer,

    I went ahead and did another ESET scan, and this is the result:

    C:\Program Files\AIM6\services\softwareUpdate\ver2_14_16_3\aolsetup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined


    Also, the ebay/paypal redirect seems to be gone for now, but I am not able to log on to ebay. When I try to, I get a message that says I am not allowing cookies, so I can't log on. I checked my cookie settings, and changed them to always allow, but still get the message. I tried ebay tech support, and after going through checking the privacy and security settings on IE8 with them, they said that there may be a virus on my system that has put a setting somewhere that is making this message appear so I can't log on. If I try to log on to ebay.ca, I have no problems. (Of course, I can't list items, etc., through the .ca site, but this at least shows I can log on and cookies are fine; it is something with the ebay.com site/URL.) I thought this info might help you identify whatever critter is lurking on my system.

    I did try to run Dr.Web CureIt again, and after many hours of running, I came back to a computer with the blue screen.

    Not trying to jump the gun on you, just thought I'd go ahead and try to rerun these scans you had requested previously while you were working on the log... I just need to get this system clean so I can transfer all my files/data to a new system and not worry about transferring this virus to the new PC.

    I do appreciate all your time/patience and help on this.

    Thank you,
    yolinda

    Re: ebay paypal redirect/hijack
    GMER

    Note about this tool:
    • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
    • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
    • No matter what is in the log, please post all the information/contents of the log.


    Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any
    "<--- ROOTKIT" entries unless advised!

    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

    • Click NO
    • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
    • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
    • Save it where you can easily find it, such as your desktop.

    Post the contents of GMER.txt in your next reply.

    Re: ebay paypal redirect/hijack
    GMER crashed... blue screen of death...
    Stop: 0X000000C5 (0X00000004, 0X000000002, 0X00000001, 0X8054BBB4)

    I got GMER to run before by unchecking everything except the System, Sections and Services boxes. Do you want me to try that again? Which boxes have to be checked?

    Thanks

    Re: ebay paypal redirect/hijack
    Let's try this, and see if we can work around it.

    Launch GMER and in the right panel, untick all except the following:
    • Modules
    • Processes
    • Libraries
    • Services
    • Show All
    Then click the scan button & show me the log it produces.

    Re: ebay paypal redirect/hijack
    That scan was very fast.... less than a minute...

    The log is very long, so I'm uploading the file.

    Thank you for your help!

    Re: ebay paypal redirect/hijack
    That did not give the info I was hoping for. Let's try to run this:

    Please download SpiderKill by DragonMaster Jay and save it to your Desktop.
    • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
    • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
    • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in. Please do not upload it.

    Re: ebay paypal redirect/hijack
    ok, here it is...

    SpiderKill by DragonMaster Jay ( Oct 2009 )


    Microsoft Windows XP [Version 5.1.2600]

    ********************Drivers list********************


    Volume in drive C has no label.
    Volume Serial Number is 8C30-4B1B

    Directory of C:\Windows\System32\Drivers

    04/19/2010 09:42 AM .
    04/19/2010 09:42 AM ..
    04/13/2008 02:46 PM 53,376 1394bus.sys
    04/13/2008 02:46 PM 48,128 61883.sys
    04/13/2008 02:36 PM 187,776 acpi.sys
    08/29/2002 08:00 AM 11,648 acpiec.sys
    04/13/2008 08:11 PM 4,255 adv01nt5.dll
    04/13/2008 08:11 PM 3,967 adv02nt5.dll
    04/13/2008 08:11 PM 3,615 adv05nt5.dll
    04/13/2008 08:11 PM 3,647 adv07nt5.dll
    04/13/2008 08:11 PM 3,135 adv08nt5.dll
    04/13/2008 08:11 PM 3,711 adv09nt5.dll
    04/13/2008 08:11 PM 3,775 adv11nt5.dll
    04/13/2008 12:39 PM 142,592 aec.sys
    08/14/2008 06:04 AM 138,496 afd.sys
    04/13/2008 02:36 PM 42,368 agp440.sys
    04/13/2008 02:36 PM 44,928 agpcpq.sys
    04/13/2008 02:36 PM 42,752 alim1541.sys
    04/13/2008 02:36 PM 43,008 amdagp.sys
    04/13/2008 02:31 PM 37,376 amdk6.sys
    04/13/2008 02:31 PM 37,760 amdk7.sys
    11/29/2006 01:46 AM 28,224 APLMp50.sys
    04/13/2008 02:51 PM 60,800 arp1394.sys
    03/29/2000 10:17 AM 5,824 ASUSHWIO.SYS
    04/13/2008 02:57 PM 14,336 asyncmac.sys
    04/13/2008 02:40 PM 96,512 atapi.sys
    08/04/2004 01:29 AM 56,623 ati1btxx.sys
    08/04/2004 01:29 AM 11,615 ati1mdxx.sys
    08/04/2004 01:29 AM 12,047 ati1pdxx.sys
    08/04/2004 01:29 AM 30,671 ati1raxx.sys
    08/04/2004 01:29 AM 63,663 ati1rvxx.sys
    08/04/2004 01:29 AM 26,367 ati1snxx.sys
    08/04/2004 01:29 AM 21,343 ati1ttxx.sys
    08/04/2004 01:29 AM 36,463 ati1tuxx.sys
    08/04/2004 01:29 AM 29,455 ati1xbxx.sys
    08/04/2004 01:29 AM 34,735 ati1xsxx.sys
    08/04/2004 01:29 AM 327,040 ati2mtaa.sys
    08/04/2004 01:29 AM 701,440 ati2mtag.sys
    08/04/2004 01:29 AM 57,856 atinbtxx.sys
    08/04/2004 01:29 AM 13,824 atinmdxx.sys
    08/04/2004 01:29 AM 14,336 atinpdxx.sys
    08/04/2004 01:29 AM 52,224 atinraxx.sys
    08/04/2004 01:29 AM 104,960 atinrvxx.sys
    08/04/2004 01:29 AM 28,672 atinsnxx.sys
    08/04/2004 01:29 AM 13,824 atinttxx.sys
    08/04/2004 01:29 AM 73,216 atintuxx.sys
    08/04/2004 01:29 AM 31,744 atinxbxx.sys
    08/04/2004 01:29 AM 63,488 atinxsxx.sys
    07/17/2004 02:36 PM 64,352 ativmc20.cod
    04/13/2008 02:51 PM 59,904 atmarpc.sys
    08/29/2002 08:00 AM 31,360 atmepvc.sys
    04/13/2008 02:51 PM 55,808 atmlane.sys
    08/29/2002 08:00 AM 352,256 atmuni.sys
    04/13/2008 08:11 PM 21,183 atv01nt5.dll
    04/13/2008 08:11 PM 11,359 atv02nt5.dll
    04/13/2008 08:11 PM 25,471 atv04nt5.dll
    04/13/2008 08:11 PM 14,143 atv06nt5.dll
    04/13/2008 08:11 PM 17,279 atv10nt5.dll
    08/17/2001 09:59 AM 3,072 audstub.sys
    04/13/2008 02:46 PM 38,912 avc.sys
    05/11/2009 11:49 AM 45,416 avgntdd.sys
    02/16/2010 01:24 PM 60,936 avgntflt.sys
    05/11/2009 11:49 AM 22,360 avgntmgr.sys
    03/01/2010 09:05 AM 124,784 avipbb.sys
    08/29/2002 08:00 AM 4,224 beep.sys
    04/13/2008 02:53 PM 71,552 bridge.sys
    04/13/2008 02:46 PM 17,024 bthenum.sys
    04/13/2008 02:46 PM 37,888 bthmodem.sys
    04/13/2008 02:51 PM 101,120 bthpan.sys
    06/13/2008 07:05 AM 272,128 bthport.sys
    04/13/2008 02:46 PM 36,480 bthprint.sys
    04/13/2008 02:46 PM 18,944 bthusb.sys
    08/29/2002 08:00 AM 13,952 cbidf2k.sys
    04/13/2008 02:46 PM 17,024 CCDECODE.sys
    08/29/2002 08:00 AM 18,688 cdaudio.sys
    04/13/2008 03:14 PM 63,744 cdfs.sys
    04/13/2008 02:40 PM 62,976 cdrom.sys
    04/13/2008 08:11 PM 15,423 ch7xxnt5.dll
    08/29/2002 08:00 AM 262,528 cinemst2.sys
    04/13/2008 03:16 PM 49,536 classpnp.sys
    08/29/2002 08:00 AM 11,776 cpqdap01.sys
    04/13/2008 02:31 PM 36,736 crusoe.sys
    06/08/2005 02:08 PM 1,359,744 CT0531FL.SYS
    08/11/2006 03:45 PM 502,272 ctac32k.sys
    08/11/2006 03:45 PM 499,584 ctaud2k.sys
    11/10/2005 06:06 PM 340,704 ctdvda2k.sys
    12/30/2002 11:53 AM 12,160 CTGAME.SYS
    09/06/2005 03:02 PM 1,365,888 CTMMFILT.SYS
    08/11/2006 03:45 PM 116,224 ctoss2k.sys
    08/11/2006 03:45 PM 7,168 ctprxy2k.sys
    08/11/2006 03:45 PM 143,872 ctsfm2k.sys
    01/18/2007 04:28 PM 5,275 CVirtA.sys
    10/26/2007 02:27 PM 306,300 CVPNDRVA.sys
    07/18/2004 01:55 AM 129,045 cxthsfs2.cty
    01/12/2004 10:20 AM 9,600 CygF32x.sys
    01/12/2004 10:20 AM 16,000 CygLib.sys
    01/12/2008 09:58 AM disdn
    04/13/2008 02:40 PM 36,352 disk.sys
    04/13/2008 02:40 PM 14,208 diskdump.sys
    04/13/2008 02:44 PM 799,744 dmboot.sys
    04/13/2008 02:44 PM 153,344 dmio.sys
    08/29/2002 08:00 AM 5,888 dmload.sys
    04/13/2008 02:45 PM 52,864 dmusic.sys
    01/31/2007 01:45 PM 127,376 dne2000.sys
    04/13/2008 03:45 PM 60,160 drmk.sys
    04/13/2008 02:45 PM 2,944 drmkaud.sys
    08/29/2002 08:00 AM 10,496 dxapi.sys
    04/13/2008 02:38 PM 71,168 dxg.sys
    08/29/2002 08:00 AM 3,328 dxgthk.sys
    08/11/2006 03:45 PM 78,336 emupia2k.sys
    08/17/2001 09:46 AM 6,400 enum1394.sys
    10/11/2007 12:10 PM 30,008 ET5Drv.sys
    04/12/2010 06:10 PM etc
    04/13/2008 03:14 PM 143,744 fastfat.sys
    04/13/2008 02:40 PM 27,392 fdc.sys
    04/13/2008 02:33 PM 44,544 fips.sys
    04/13/2008 02:40 PM 20,480 flpydisk.sys
    04/13/2008 02:32 PM 129,792 fltmgr.sys
    08/29/2002 08:00 AM 12,160 fsvga.sys
    08/29/2002 08:00 AM 7,936 fs_rec.sys
    08/29/2002 08:00 AM 125,056 ftdisk.sys
    04/13/2008 02:36 PM 46,464 gagp30kx.sys
    04/13/2008 02:45 PM 10,624 gameenum.sys
    04/17/2008 01:12 PM 15,464 GEARAspiWDM.sys
    08/29/2002 08:00 AM 3,440,660 gm.dls
    08/29/2002 08:00 AM 646 gmreadme.txt
    01/23/2009 02:41 AM 24,944 GVTDrv.sys
    08/11/2006 03:45 PM 766,976 ha10kx2k.sys
    08/11/2006 03:45 PM 1,110,016 ha20x2k.sys
    08/11/2006 03:45 PM 154,112 haP16v2k.sys
    08/11/2006 03:45 PM 180,224 haP17v2k.sys
    11/22/2006 11:01 AM 693,760 hardlock.sys
    04/13/2008 12:36 PM 144,384 hdaudbus.sys
    04/13/2008 02:46 PM 25,600 hidbth.sys
    04/13/2008 02:45 PM 36,864 hidclass.sys
    04/13/2008 02:45 PM 19,200 hidir.sys
    04/13/2008 02:45 PM 24,960 hidparse.sys
    04/13/2008 09:11 PM 21,504 hidserv.dll
    04/13/2008 02:45 PM 10,368 hidusb.sys
    10/30/2008 05:08 PM 49,920 HPZid412.sys
    10/30/2008 05:08 PM 16,496 HPZipr12.sys
    10/30/2008 05:08 PM 21,568 HPZius12.sys
    08/04/2004 01:41 AM 220,032 hsfbs2s2.sys
    08/04/2004 01:41 AM 685,056 hsfcxts2.sys
    08/04/2004 01:41 AM 1,041,536 hsfdpsp2.sys
    10/20/2009 12:20 PM 265,728 http.sys
    04/13/2008 04:18 PM 52,480 i8042prt.sys
    04/13/2008 02:40 PM 42,112 imapi.sys
    11/26/2004 01:36 PM 98,176 InCDfs.sys
    11/26/2004 01:36 PM 28,928 InCDpass.sys
    11/26/2004 01:36 PM 7,808 InCDrec.sys
    11/26/2004 08:36 AM 27,648 InCDrm.sys
    04/13/2008 02:31 PM 36,352 intelppm.sys
    04/13/2008 02:53 PM 36,608 ip6fw.sys
    08/29/2002 08:00 AM 32,896 ipfltdrv.sys
    04/13/2008 02:57 PM 20,864 ipinip.sys
    04/13/2008 02:57 PM 152,832 ipnat.sys
    04/13/2008 03:19 PM 75,264 ipsec.sys
    04/13/2008 02:45 PM 46,592 irbus.sys
    04/13/2008 02:54 PM 11,264 irenum.sys
    04/13/2008 02:36 PM 37,248 isapnp.sys
    10/28/2005 05:11 PM 27,648 iteatapi.sys
    04/13/2008 02:39 PM 24,576 kbdclass.sys
    04/13/2008 02:39 PM 14,592 kbdhid.sys
    02/23/2010 01:10 PM 1,752 kgpcpy.cfg
    09/14/2009 03:42 PM 32,272 klim5.sys
    04/13/2008 02:45 PM 172,416 kmixer.sys
    04/13/2008 04:16 PM 141,056 ks.sys
    06/24/2009 07:18 AM 92,928 ksecdd.sys
    03/30/2010 12:45 AM 20,824 mbam.sys
    03/30/2010 12:46 AM 38,224 mbamswissarmy.sys
    08/29/2002 08:00 AM 7,680 mcd.sys
    08/04/2004 01:41 AM 11,868 mdmxsdk.sys
    04/13/2008 02:36 PM 63,744 mf.sys
    08/29/2002 08:00 AM 4,224 mnmdd.sys
    04/13/2008 03:00 PM 30,080 modem.sys
    04/13/2008 03:39 PM 23,040 mouclass.sys
    08/29/2002 08:00 AM 12,160 mouhid.sys
    04/13/2008 02:39 PM 42,368 mountmgr.sys
    04/13/2008 02:39 PM 92,544 mqac.sys
    04/13/2008 02:32 PM 180,608 mrxdav.sys
    02/24/2010 09:11 AM 455,680 mrxsmb.sys
    04/13/2008 02:46 PM 51,200 msdv.sys
    04/13/2008 02:32 PM 19,072 msfs.sys
    04/13/2008 02:56 PM 35,072 msgpc.sys
    04/13/2008 02:39 PM 7,552 mskssrv.sys
    08/17/2001 03:00 PM 2,944 msmpu401.sys
    04/13/2008 02:39 PM 5,376 mspclock.sys
    04/13/2008 02:39 PM 4,992 mspqm.sys
    04/13/2008 02:36 PM 15,488 mssmbios.sys
    04/13/2008 02:39 PM 5,504 MSTEE.sys
    08/28/2006 06:12 PM 13,312 MTictwl.sys
    08/04/2004 01:41 AM 126,686 mtlmnt5.sys
    08/04/2004 01:41 AM 1,309,184 mtlstrm.sys
    08/04/2004 01:29 AM 452,736 mtxparhm.sys
    04/13/2008 03:17 PM 105,344 mup.sys
    04/13/2008 02:43 PM 12,672 mutohpen.sys
    05/03/2007 01:37 PM 22,152 mxopswd.sys
    04/13/2008 02:46 PM 85,248 NABTSFEC.sys
    04/13/2008 03:20 PM 182,656 ndis.sys
    04/13/2008 02:46 PM 10,880 NdisIP.sys
    04/13/2008 02:57 PM 10,112 ndistapi.sys
    04/13/2008 02:55 PM 14,592 ndisuio.sys
    04/13/2008 03:20 PM 91,520 ndiswan.sys
    04/13/2008 02:57 PM 40,576 ndproxy.sys
    04/13/2008 02:56 PM 34,688 netbios.sys
    04/13/2008 03:21 PM 162,816 netbt.sys
    09/09/2009 10:29 AM 199,432 neti1639.sys
    04/15/2002 10:11 PM 67,866 netwlan5.img
    04/13/2008 02:51 PM 61,824 nic1394.sys
    08/29/2002 08:00 AM 12,032 nikedrv.sys
    04/13/2008 02:53 PM 40,320 nmnt.sys
    01/25/2007 01:31 PM 42,000 npf.sys
    04/13/2008 02:32 PM 30,848 npfs.sys
    04/13/2008 03:15 PM 574,976 ntfs.sys
    08/04/2004 01:41 AM 180,360 ntmtlfax.sys
    05/09/2009 02:14 AM 14,736 nuidfltr.sys
    08/29/2002 08:00 AM 2,944 null.sys
    12/05/2007 02:41 AM 7,435,392 nv4_mini.sys
    05/25/2004 04:58 PM 396,032 nvapu.sys
    05/25/2004 04:58 PM 66,688 nvarm.sys
    04/21/2003 03:18 PM 52,608 nvatabus.sys
    04/21/2003 03:18 PM 52,608 nvatabus_2.sys
    05/25/2004 04:58 PM 48,640 nvax.sys
    05/25/2004 04:58 PM 962,560 nvmcp.sys
    03/19/2003 04:51 PM 18,688 nv_agp.SYS
    08/29/2002 08:00 AM 12,416 nwlnkflt.sys
    08/29/2002 08:00 AM 32,512 nwlnkfwd.sys
    04/13/2008 02:56 PM 88,320 nwlnkipx.sys
    08/29/2002 08:00 AM 63,232 nwlnknb.sys
    08/29/2002 08:00 AM 55,936 nwlnkspx.sys
    04/13/2008 02:34 PM 163,584 nwrdr.sys
    04/13/2008 02:46 PM 61,696 ohci1394.sys
    08/29/2002 08:00 AM 3,456 oprghdlr.sys
    04/13/2008 02:31 PM 42,752 p3.sys
    04/13/2008 02:40 PM 80,128 parport.sys
    04/13/2008 02:40 PM 19,712 partmgr.sys
    08/29/2002 08:00 AM 6,784 parvdm.sys
    04/13/2008 02:36 PM 68,224 pci.sys
    08/17/2001 02:51 PM 3,328 pciide.sys
    04/13/2008 02:40 PM 24,960 pciidex.sys
    04/13/2008 02:36 PM 120,192 pcmcia.sys
    08/11/2006 03:56 PM 8,192 pfmodnt.sys
    06/01/2009 02:51 PM 27,792 point32.sys
    04/13/2008 04:19 PM 146,048 portcls.sys
    04/13/2008 02:31 PM 35,840 processr.sys
    04/13/2008 02:56 PM 69,120 psched.sys
    08/29/2002 08:00 AM 17,792 ptilink.sys
    08/29/2002 08:00 AM 8,832 rasacd.sys
    04/13/2008 03:19 PM 51,328 rasl2tp.sys
    04/13/2008 02:57 PM 41,472 raspppoe.sys
    04/13/2008 03:19 PM 48,384 raspptp.sys
    08/29/2002 08:00 AM 16,512 raspti.sys
    08/29/2002 08:00 AM 34,432 rawwan.sys
    04/13/2008 03:28 PM 175,744 rdbss.sys
    08/29/2002 08:00 AM 4,224 rdpcdd.sys
    04/13/2008 02:32 PM 196,224 rdpdr.sys
    04/13/2008 08:13 PM 139,656 rdpwd.sys
    08/04/2004 01:41 AM 13,776 recagent.sys
    04/13/2008 02:40 PM 57,600 redbook.sys
    04/13/2008 02:46 PM 59,136 rfcomm.sys
    08/29/2002 08:00 AM 12,032 rio8drv.sys
    08/29/2002 08:00 AM 12,032 riodrv.sys
    05/08/2008 10:02 AM 203,136 rmcast.sys
    04/13/2008 02:56 PM 30,592 rndismp.sys
    04/13/2008 02:56 PM 30,592 rndismpx.sys
    08/29/2002 08:00 AM 5,888 rootmdm.sys
    07/16/2004 03:19 PM 70,400 Rtlnicxp.sys
    11/20/2007 12:09 PM 104,320 Rtnicxp.sys
    08/04/2004 01:29 AM 166,912 s3gnbm.sys
    03/09/2010 11:13 PM 95,024 SBREDrv.sys
    04/13/2008 02:40 PM 96,384 scsiport.sys
    04/13/2008 02:36 PM 79,232 sdbus.sys
    11/13/2007 06:25 AM 20,480 secdrv.sys
    04/13/2008 02:40 PM 15,744 serenum.sys
    04/13/2008 03:15 PM 64,512 serial.sys
    04/13/2008 02:40 PM 11,904 sffdisk.sys
    04/13/2008 02:40 PM 10,240 sffp_mmc.sys
    04/13/2008 02:40 PM 11,008 sffp_sd.sys
    04/13/2008 02:40 PM 11,392 sfloppy.sys
    09/04/2003 08:45 AM 55,144 si3112.svs
    09/04/2003 08:45 AM 55,144 si3112.sys
    08/29/2007 04:04 AM 116,264 SI3112r.sys
    04/13/2008 08:12 PM 3,901 siint5.dll
    04/13/2008 02:36 PM 40,960 sisagp.sys
    08/29/2007 04:04 AM 19,240 SiWinAcc.sys
    04/13/2008 02:46 PM 11,136 SLIP.sys
    08/04/2004 01:41 AM 129,535 slnt7554.sys
    08/04/2004 01:41 AM 404,990 slntamr.sys
    08/04/2004 01:41 AM 95,424 slnthal.sys
    08/04/2004 01:41 AM 13,240 slwdmsup.sys
    04/13/2008 02:36 PM 5,888 smbali.sys
    08/29/2002 08:00 AM 14,592 smclib.sys
    04/13/2008 02:46 PM 25,344 sonydcam.sys
    04/13/2008 02:45 PM 6,272 splitter.sys
    04/13/2008 02:36 PM 73,472 sr.sys
    12/31/2009 12:50 PM 353,792 srv.sys
    05/11/2009 09:12 AM 28,520 ssmdrv.sys
    04/13/2008 03:45 PM 49,408 stream.sys
    04/13/2008 02:46 PM 15,232 StreamIP.sys
    04/13/2008 02:39 PM 4,352 swenum.sys
    04/13/2008 02:45 PM 56,576 swmidi.sys
    04/13/2008 03:15 PM 60,800 sysaudio.sys
    04/13/2008 02:40 PM 14,976 tape.sys
    06/20/2008 07:51 AM 361,600 tcpip.sys
    02/11/2010 08:02 AM 226,880 tcpip6.sys
    04/13/2008 03:00 PM 19,072 tdi.sys
    04/13/2008 08:13 PM 12,040 tdpipe.sys
    04/13/2008 08:13 PM 21,896 tdtcp.sys
    04/13/2008 08:13 PM 40,840 termdd.sys
    05/07/2009 03:04 AM 157,712 tmcomm.sys
    08/29/2002 08:00 AM 51,712 tosdvd.sys
    08/29/2002 08:00 AM 21,376 tsbvcap.sys
    04/13/2008 02:56 PM 12,288 tunmp.sys
    04/13/2008 02:36 PM 44,672 uagp35.sys
    04/13/2008 02:32 PM 66,048 udfs.sys
    11/23/2008 01:22 PM UMDF
    04/13/2008 02:39 PM 384,768 update.sys
    04/13/2008 02:56 PM 12,800 usb8023.sys
    04/13/2008 02:56 PM 12,800 usb8023x.sys
    04/13/2008 03:45 PM 60,032 USBAUDIO.sys
    04/13/2008 02:45 PM 25,600 usbcamd.sys
    04/13/2008 02:45 PM 25,728 usbcamd2.sys
    04/13/2008 02:45 PM 32,128 usbccgp.sys
    08/29/2002 08:00 AM 4,736 usbd.sys
    04/13/2008 02:45 PM 30,208 usbehci.sys
    04/13/2008 02:45 PM 59,520 usbhub.sys
    04/13/2008 02:45 PM 15,872 usbintel.sys
    04/13/2008 02:45 PM 17,152 usbohci.sys
    04/13/2008 02:45 PM 143,872 usbport.sys
    04/13/2008 02:47 PM 25,856 usbprint.sys
    04/13/2008 03:45 PM 15,104 usbscan.sys
    04/13/2008 02:45 PM 26,368 usbstor.sys
    04/13/2008 02:46 PM 121,984 usbvideo.sys
    04/13/2008 08:12 PM 11,325 vchnt5.dll
    08/29/2002 08:00 AM 58,112 vdmindvd.sys
    04/13/2008 02:44 PM 20,992 vga.sys
    04/13/2008 02:36 PM 42,240 viaagp.sys
    04/13/2008 02:44 PM 81,664 videoprt.sys
    04/13/2008 02:41 PM 52,352 volsnap.sys
    04/13/2008 02:43 PM 14,208 wacompen.sys
    08/04/2004 01:29 AM 11,807 wadv07nt.sys
    08/04/2004 01:29 AM 11,295 wadv08nt.sys
    08/04/2004 01:29 AM 11,871 wadv09nt.sys
    08/04/2004 01:29 AM 11,935 wadv11nt.sys
    04/13/2008 02:57 PM 34,560 wanarp.sys
    08/04/2004 01:29 AM 22,271 watv06nt.sys
    08/04/2004 01:29 AM 25,471 watv10nt.sys
    11/02/2006 08:22 AM 492,000 wdf01000.sys
    11/02/2006 08:22 AM 32,224 wdfldr.sys
    04/13/2008 03:17 PM 83,072 wdmaud.sys
    08/29/2002 08:00 AM 4,352 wmilib.sys
    10/18/2006 08:00 PM 38,528 wpdusb.sys
    08/29/2002 08:00 AM 12,032 ws2ifsl.sys
    04/13/2008 02:46 PM 19,200 WSTCODEC.SYS
    09/28/2006 06:55 PM 77,568 WudfPf.sys
    09/28/2006 07:00 PM 82,944 WudfRd.sys
    352 File(s) 44,020,948 bytes

    Directory of C:\Windows\System32\Drivers\disdn

    01/12/2008 09:58 AM .
    01/12/2008 09:58 AM ..
    0 File(s) 0 bytes

    Directory of C:\Windows\System32\Drivers\etc

    04/12/2010 06:10 PM .
    04/12/2010 06:10 PM ..
    04/12/2010 06:10 PM 98 Hosts
    08/29/2002 08:00 AM 734 hosts.20100309-193033.backup
    08/29/2002 08:00 AM 3,683 lmhosts.sam
    08/29/2002 08:00 AM 407 networks
    08/29/2002 08:00 AM 799 protocol
    08/29/2002 08:00 AM 7,116 services
    6 File(s) 12,837 bytes

    Directory of C:\Windows\System32\Drivers\UMDF

    11/23/2008 01:22 PM .
    11/23/2008 01:22 PM ..
    10/18/2006 09:47 PM 671,232 wpdmtpdr.dll
    1 File(s) 671,232 bytes

    Total Files Listed:
    359 File(s) 44,705,017 bytes
    11 Dir(s) 60,875,743,232 bytes free


    ***********************Hidden Drivers********************
    Volume in drive C has no label.
    Volume Serial Number is 8C30-4B1B

    Directory of C:\Windows\System32\Drivers

    01/13/2008 12:07 AM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    01/13/2008 12:07 AM 0 Msft_Kernel_NuidFltr_01005.Wdf
    2 File(s) 0 bytes
    0 Dir(s) 60,875,755,520 bytes free


    *********************Processes*******************


    PROCESS PID PRIO PATH
    smss.exe 1064 Normal C:\WINDOWS\System32\smss.exe
    csrss.exe 1116 Normal C:\WINDOWS\system32\csrss.exe
    winlogon.exe 1144 High C:\WINDOWS\system32\winlogon.exe
    services.exe 1188 Normal C:\WINDOWS\system32\services.exe
    lsass.exe 1200 Normal C:\WINDOWS\system32\lsass.exe
    svchost.exe 1372 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1472 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1596 Normal C:\WINDOWS\System32\svchost.exe
    InCDsrv.exe 1624 Normal C:\Program Files\Ahead\InCD\InCDsrv.exe
    svchost.exe 1776 Normal C:\WINDOWS\system32\svchost.exe
    svchost.exe 1892 Normal C:\WINDOWS\System32\svchost.exe
    svchost.exe 252 Normal C:\WINDOWS\system32\svchost.exe
    Explorer.EXE 428 Normal C:\WINDOWS\Explorer.EXE
    spoolsv.exe 568 Normal C:\WINDOWS\system32\spoolsv.exe
    sched.exe 628 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe 732 Normal C:\WINDOWS\System32\svchost.exe
    CTHELPER.EXE 1556 Normal C:\WINDOWS\CTHELPER.EXE
    SearchProtection.exe 1584 Normal C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    ipoint.exe 1612 Normal C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    itype.exe 1652 Normal C:\Program Files\Microsoft IntelliType Pro\itype.exe
    HPWuSchd2.exe 1924 Normal C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    avgnt.exe 1960 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    jusched.exe 1976 Normal C:\Program Files\Common Files\Java\Java Update\jusched.exe
    GoogleToolbarNotifier.exe 1988 Normal C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    ctfmon.exe 144 Normal C:\WINDOWS\system32\ctfmon.exe
    hpqtra08.exe 260 Normal C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    WindowsSearch.exe 300 Normal C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    ACService.exe 960 Normal C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    avguard.exe 944 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    cvpnd.exe 1088 Normal C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    DkService.exe 1100 Below Normal C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    dpupdchk.exe 2080 Normal C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    svchost.exe 2176 Normal C:\WINDOWS\system32\svchost.exe
    jqs.exe 2208 Idle C:\Program Files\Java\jre6\bin\jqs.exe
    avshadow.exe 2220 Normal C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    MagicTuneEngine.exe 2248 Normal C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
    SyncServices.exe 2356 Normal C:\Program Files\Maxtor\Sync\SyncServices.exe
    svchost.exe 2468 Normal C:\WINDOWS\System32\svchost.exe
    nTuneService.exe 2792 Normal C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    nvsvc32.exe 2856 Normal C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe 2904 Normal C:\WINDOWS\System32\svchost.exe
    snmp.exe 3068 Normal C:\WINDOWS\System32\snmp.exe
    svchost.exe 3276 Normal C:\WINDOWS\System32\svchost.exe
    YahooAUService.exe 3372 Normal C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    SearchIndexer.exe 3996 Normal C:\WINDOWS\system32\SearchIndexer.exe
    MagicTune.exe 2300 Normal C:\Program Files\MagicTune Premium\MagicTune.exe
    alg.exe 2876 Normal C:\WINDOWS\System32\alg.exe
    hpqSTE08.exe 700 Normal C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    hpqbam08.exe 1684 Normal C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    hpqgpc01.exe 2708 Normal C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    FNPLicensingService.exe 4716 Normal C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    AcroTray.exe 5568 Normal C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
    cmd.exe 5120 Normal C:\WINDOWS\system32\cmd.exe
    processes.exe 5536 Normal C:\Documents and Settings\yo\Desktop\SpiderKill\SpiderKill\processes.exe


    Module information for 'Explorer.EXE'(428)
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
    ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
    kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
    ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
    RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
    Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
    BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
    GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
    USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
    msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
    ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
    SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5912 (xpsp_sp3_gdr.091207-1454) Shell Light-weight Utility Library
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
    SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
    CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
    MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5875 (xpsp_sp3_gdr.090904-1413) ASN.1 Runtime APIs
    CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
    NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
    VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
    WININET.dll 3d930000 942080 C:\WINDOWS\system32\WININET.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Extensions for Win32
    Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
    urlmon.dll 78130000 1257472 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) OLE32 Extensions for Win32
    iertutil.dll 3dfd0000 1998848 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Run time utility for Internet Explorer
    WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5922 (xpsp_sp3_gdr.091223-1907) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
    SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
    UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
    ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
    AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
    WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
    MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
    USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
    IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
    comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
    comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
    msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
    appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
    COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
    GrooveShellExtensions.dll 661d0000 2224128 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll 12.0.6421.1000 GrooveShellExtensions Module
    GrooveUtil.DLL 68ef0000 991232 C:\Program Files\Microsoft Office\Office12\GrooveUtil.DLL 12.0.6423.1000 GrooveUtil Module
    MSVCR80.dll dc0000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 8.00.50727.4053 Microsoft®️ C Runtime Library
    GrooveNew.DLL 68ff0000 28672 C:\Program Files\Microsoft Office\Office12\GrooveNew.DLL 12.0.6413.1000 GrooveNew Module
    ATL80.DLL 7c630000 110592 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.DLL 8.00.50727.4053 ATL Module for Windows (Unicode)
    rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
    MSImg32.dll 76380000 20480 C:\WINDOWS\system32\MSImg32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
    cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
    CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
    themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
    xpsp2res.dll 1100000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
    actxprxy.dll 71d40000 110592 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
    SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
    GrooveSystemServices.dll 65e50000 184320 C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll 12.0.6421.1000 GrooveSystemServices Module
    msxml3.dll 74980000 1191936 C:\WINDOWS\system32\msxml3.dll 8.100.1051.0 MSXML 3.0 SP10
    LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
    ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
    ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
    WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
    SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
    msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
    ieframe.dll 3e1c0000 11087872 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18904 (longhorn_ie8_gdr.100222-1700) Internet Explorer
    MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
    msvcp60.dll 76080000 413696 C:\WINDOWS\System32\msvcp60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
    NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
    credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
    dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
    rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
    dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
    OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
    WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
    eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
    eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
    iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
    webcheck.dll 20f0000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) Web Site Monitor
    stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
    BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
    WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
    WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5868 (xpsp_sp3_gdr.090824-1328) Windows HTTP Services
    mydocs.dll 72410000 106496 C:\WINDOWS\System32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
    PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
    PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
    GrooveMisc.dll 66b50000 1568768 C:\Program Files\Microsoft Office\Office12\GrooveMisc.dll 12.0.6421.1000 GrooveMisc Module
    MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
    wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
    ctagent.dll 1b80000 24576 C:\WINDOWS\system32\ctagent.dll 1, 0, 0, 12 ctagent
    MSNLNamespaceMgr.dll 4050000 315392 C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll 7.00.6001.18260 (vistasp1_gdr_oobsvc.090524-1500) Windows Search Namespace Manager
    SASSEH.DLL 10000000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1012 ShellExecuteHook
    MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
    drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft®️ Lan Manager
    NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
    SXS.DLL 7e720000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.5512 (xpsp.080413-2111) Fusion 2.5
    PDFShell.dll 4160000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.3.2.163 PDF Shell Extension
    browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
    gdiplus.dll 4ec50000 1748992 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\gdiplus.dll 5.2.6001.22319 (vistasp1_ldr.081126-1506) Microsoft GDI+
    DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
    mscms.dll 73b30000 86016 C:\WINDOWS\system32\mscms.dll 5.1.2600.5627 (xpsp_sp3_gdr.080624-1245) Microsoft Color Matching System DLL
    WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
    SnagItShellExtRes.dll 3500000 32768 C:\Program Files\TechSmith\SnagIt 9\SnagItShellExtRes.dll 9.0.0.351 SnagIt Shell Extension Resources DLL
    NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.5512 (xpsp.080413-2111) Configuration Manager Forwarder DLL
    icm32.dll 66e90000 266240 C:\WINDOWS\system32\icm32.dll 5.1.2600.5512 (xpsp.080413-2105) Microsoft Color Management Module (CMM)
    printui.dll 74b80000 573440 C:\WINDOWS\system32\printui.dll 5.1.2600.5512 (xpsp.080413-0852) Print UI DLL
    ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.5512 (xpsp.080413-2113) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.5512 (xpsp.080413-2113) ADs LDAP Provider C DLL
    AcroIEHelper.dll 990000 65536 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll 9.3.2.163 Adobe PDF Helper for Internet Explorer
    msohevi.dll 6bd10000 65536 C:\Program Files\Microsoft Office\Office12\msohevi.dll 12.0.6413.1000 2007 Microsoft Office component



    ******************************************
    EOF

Re: ebay paypal redirect/hijack

    Please do a scan with Kaspersky Online Scanner

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report.
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

Kaspersky scan

    Hi Dragonmaster_Jay,

Here are the results of the Kaspersky scan:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, April 22, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, April 21, 2010 20:27:33
    Records in database: 3962586
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    H:\

    Scan statistics:
    Objects scanned: 273092
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 1
    Scan duration: 06:38:06


    File name / Threat / Threats count
    C:\Documents and Settings\yo\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    Selected area has been scanned.

Re: ebay paypal redirect/hijack

    Good.

    I think this will be the final check.

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

    Please double click GetSystemInfo.exe to open it.

Click the Settings button.

    Set it to Maximum

IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

    Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Re: ebay paypal redirect/hijack

    ok...here is the link:

    http://www.getsysteminfo.com/read.php?file=400e227e867fa84d76bbdb441b1bd205

Re: ebay paypal redirect/hijack

    We need to do some diagnostics.

    1. Please download Profiles by noahdfear.
    • Save it to your desktop.
    • Double-click profiles.exe and post its log when you reply


    2. Download Win32kDiag by ad13 and save it to your Desktop.
    • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
    • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
    • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


    3. In your next reply, please post the following logs for my review:
    • Profiles log (1)
    • Win32kDiag log (2)


Thanks!

Re: ebay paypal redirect/hijack

Unfortunately, the redirect is still alive and well. I just took a screen shot of what I get when I try to log on to ebay or paypal (except if paypal, it has that logo of course...). If I log on with a different computer, I can log on without any problems.

Re: ebay paypal redirect/hijack

    Ok. Try Profiles and Win32kDiag and let me see the logs, please.

Re: ebay paypal redirect/hijack

    Hi Dragonmaster_Jay,

    Thank you very much for your patience and continued help in trying to track down this problem!

    Here is the log for Profiles:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1003
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\yo

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS


And here is the log for Win32kDiag:

    Running from: C:\Documents and Settings\yo\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\yo\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...





    Finished!

Re: ebay paypal redirect/hijack

    Go here, and download SWReg:

    http://www.xs4all.nl/~fstaal01/downloads/swreg.exe

    When installed, go to Start | Run and type the following. You may want to copy/paste, just to make sure:

    swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f

    ============

    Then, do the HelpAsst fix there again.

Re: ebay paypal redirect/hijack

    Hi Dragonmaster_Jay,

This did not find an MBR infection on the scan, so I followed the directions for that situation. Here is the helpasst log:

    C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
    Thu 04/22/2010 at 21:48:18.12

    HelpAssistant account is Active ~ attempting to de-activate

    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6698:TCP"=-
    "6699:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7590:TCP"=-
    "7589:TCP"=-
    "9885:TCP"=-
    "9886:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6699:TCP"=-
    "6698:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7589:TCP"=-
    "7590:TCP"=-
    "9886:TCP"=-
    "9885:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    ~~ Checking profile list ~~

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant.LINDAS files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Thu 04/22/2010 at 23:41:28.57

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A337C78]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services


    ~~ EOF ~~

Re: ebay paypal redirect/hijack

    Delete the current copy of HelpAsst_mebroot_fix.exe and download a fresh one from here. Please save it to your desktop, else the following command will not work.
    Click Start>Run then copy and paste in the following bolded command, then hit Enter.

    "%userprofile%\desktop\helpasst_mebroot_fix.exe" -mbrt

A log will open when it completes. Please post its contents here.

Re: ebay paypal redirect/hijack

    ok, here it is:

    C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
    Thu 04/22/2010 at 21:48:18.12

    HelpAssistant account is Active ~ attempting to de-activate

    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6698:TCP"=-
    "6699:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7590:TCP"=-
    "7589:TCP"=-
    "9885:TCP"=-
    "9886:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "65533:TCP"=-
    "52344:TCP"=-
    "5823:TCP"=-
    "5824:TCP"=-
    "3389:TCP"=-
    "4603:TCP"=-
    "7706:TCP"=-
    "6699:TCP"=-
    "6698:TCP"=-
    "7478:TCP"=-
    "7479:TCP"=-
    "7589:TCP"=-
    "7590:TCP"=-
    "9886:TCP"=-
    "9885:TCP"=-
    "8540:TCP"=-
    "8541:TCP"=-

    ~~ Checking profile list ~~

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant.LINDAS files successfully removed ~

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Thu 04/22/2010 at 23:41:28.57

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A337C78]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services


    ~~ EOF ~~

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Fri 04/23/2010 at 10:55:51.35

    Account active Yes
    Local Group Memberships *Administrators

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D2E5A8]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present!


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

    ~~ Checking profile list ~~

    S-1-5-21-1844237615-1409082233-725345543-1000
    %SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

    ~~ Checking for HelpAssistant directories ~~

    HelpAssistant
    HelpAssistant.LINDAS

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=65533:TCP:*:Enabled:Services
    "52344:TCP"=52344:TCP:*:Enabled:Services
    "8540:TCP"=8540:TCP:*:Enabled:Services
    "8541:TCP"=8541:TCP:*:Enabled:Services
    "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


    ~~ EOF ~~

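    A defender-side check over the status-check log format shown above, added here as an example (it is not part of the thread and not code from the fix tool): it parses the log text and flags the three indicators it reports, a Terminal Services ServiceDll that is anything other than termsrv.dll, a profile directory for the HelpAssistant account, and firewall GloballyOpenPorts entries whose label is outside a small allowlist. The sample log is a constructed excerpt in the same format, and the allowlist of default XP firewall labels is an assumption.

```python
import re

# Constructed excerpt in the format of the status-check log posted above
# (same three indicators, trimmed to a few lines); not the user's log verbatim.
SAMPLE_LOG = r"""
~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-1844237615-1409082233-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"""

# Expected Terminal Services ServiceDll on XP; the first status check in the
# thread shows exactly this value before the fix tool ran.
EXPECTED_TERMSRV = "termsrv.dll"

# Labels the XP firewall gives its own default exceptions. This allowlist is an
# assumption for the example; extend it for the machine actually being checked.
KNOWN_PORT_LABELS = {"Remote Desktop", "File and Printer Sharing", "UPnP Framework"}

SERVICEDLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(\S+)$", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\Documents and Settings\\(HelpAssistant[^\\]*)$", re.IGNORECASE)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\d+:(?:TCP|UDP):[^:]*:(Enabled|Disabled):(.*)$')


def analyse_status_log(text):
    """Return a list of (kind, detail) findings from one status-check log."""
    findings = []
    section = "?"  # firewall profile of the current GloballyOpenPorts key
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "GloballyOpenPorts" in line:
            section = line.split("\\")[-3]  # e.g. "standardprofile"
            continue
        m = SERVICEDLL_RE.match(line)
        if m and not m.group(1).lower().endswith("\\" + EXPECTED_TERMSRV):
            # Terminal Services points at something other than termsrv.dll,
            # e.g. the termsrv32.dll the log reports as "present!".
            findings.append(("servicedll", m.group(1)))
            continue
        m = PROFILE_RE.search(line)
        if m:
            # A profile directory for the built-in HelpAssistant account means
            # it has logged on interactively; XP keeps that account disabled.
            findings.append(("profile", m.group(1)))
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, label = m.groups()
            if state == "Enabled" and label not in KNOWN_PORT_LABELS:
                findings.append(("port", f"{section} {port}/{proto} ({label})"))
    return findings


def is_clean(text):
    """True when a status-check log shows none of the three indicators."""
    return not analyse_status_log(text)


if __name__ == "__main__":
    for kind, detail in analyse_status_log(SAMPLE_LOG):
        print(f"{kind:10} {detail}")
```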
    Re: ebay paypal redirect/hijack
    We beat up part of it now. Let's search and destroy.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:

      Code:


      :filefind
      *helpassistant*
      *helpasst*
      *assistant*

      :folderfind
      *helpassistant*
      *helpasst*
      *assistant*

      :regfind
      helpassistant
      helpasst


    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Re: ebay paypal redirect/hijack
    Sounds Great... I'm ready to squash this bug for good!


    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 16:56 on 23/04/2010 by yo (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "*helpassistant*"
    C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\Documents and Settings\yo\Recent\HelpAssistant.lnk --a--- 517 bytes [10:57 13/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.LINDAS.lnk --a--- 556 bytes [02:06 23/04/2010] [13:06 13/04/2010] C750B857F6A8620410F6ED1F4D31CEEF
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.lnk --a--- 517 bytes [02:06 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

    Searching for "*helpasst*"
    C:\Documents and Settings\HelpAssistant.LINDAS\Desktop\HelpAsst_mebroot_fix.exe --a--- 490232 bytes [03:36 23/04/2010] [01:29 23/04/2010] 1F400D155A8F31DD57BC2A9CE5B8D6F5
    C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAsst.log.lnk --a--- 415 bytes [04:01 23/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
    C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe --a--- 489984 bytes [14:55 23/04/2010] [14:55 23/04/2010] 3516C911A1B9264D5E6B26F27D114FB6
    C:\Documents and Settings\yo\Recent\HelpAsst.log.lnk --a--- 415 bytes [15:17 19/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
    C:\HelpAsst.log --a--- 4856 bytes [22:23 11/04/2010] [14:55 23/04/2010] C9356F32033DB9C16EA6E62EB04047DA
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Desktop\HelpAsst_mebroot_fix.exe --a--- 490008 bytes [01:52 23/04/2010] [22:20 11/04/2010] 58B59A8C44CB661F3E4A952E88B0F8F3
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAsst.log.lnk --a--- 415 bytes [02:06 23/04/2010] [15:17 19/04/2010] E56FDA3CBEB0BFB4B6484CDD4FD8F79E
    C:\WINDOWS\Prefetch\HELPASST_MEBROOT_FIX.EXE-23271C94.pf --a--- 59716 bytes [01:48 23/04/2010] [14:55 23/04/2010] 04DD050E52A2FA069BEB963B364537DD

    Searching for "*assistant*"
    C:\Documents and Settings\All Users\Application Data\HP Product Assistant\HPProductAssistant.ini --a--- 9024 bytes [23:23 16/10/2008] [05:28 23/04/2010] 612BA8FFDD872F33F164BE751B6B7471
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [03:38 23/04/2010] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [03:38 23/04/2010] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
    C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [04:01 15/05/2008] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
    C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [04:02 15/05/2008] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
    C:\Documents and Settings\yo\Recent\HelpAssistant.lnk --a--- 517 bytes [10:57 13/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant\Database\ShippingAssistant.sdf --a--- 282624 bytes [01:53 23/04/2010] [04:46 15/05/2008] DC4CBE48E58A09DDCCDE388087F749C9
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant\Logs\ShippingAssistant.log --a--- 740 bytes [01:53 23/04/2010] [04:45 15/05/2008] E03399893DC6F022AE2AB573E8AB956F
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.LINDAS.lnk --a--- 556 bytes [02:06 23/04/2010] [13:06 13/04/2010] C750B857F6A8620410F6ED1F4D31CEEF
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Recent\HelpAssistant.lnk --a--- 517 bytes [02:06 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F
    C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\MicrosoftDotNetFrameworkAssistant.xpi --a--- 19153 bytes [18:40 18/03/2009] [18:40 18/03/2009] 142AA9EC7D07C3F7B26E20E5EA399C80

    ========== folderfind ==========

    Searching for "*helpassistant*"
    C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
    C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]

    Searching for "*helpasst*"
    C:\HelpAsst_backup d----- [22:23 11/04/2010]

    Searching for "*assistant*"
    C:\Documents and Settings\All Users\Application Data\HP Product Assistant d----- [00:33 05/04/2010]
    C:\Documents and Settings\All Users\Application Data\HP\ProductAssistant d----- [00:33 05/04/2010]
    C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
    C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\ShippingAssistant d----- [03:38 23/04/2010]
    C:\Documents and Settings\HelpAssistant.LINDAS\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d----- [03:38 23/04/2010]
    C:\Documents and Settings\yo\Local Settings\Application Data\ShippingAssistant d----- [04:01 15/05/2008]
    C:\Documents and Settings\yo\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d----- [04:02 15/05/2008]
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\ShippingAssistant d-a--- [01:53 23/04/2010]
    C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1.LIN\Local Settings\Application Data\USPS\ShippingAssistant.exe_StrongName_1530igqym0lgi3fwh2vbxinwnit5pbs3 d-a--- [01:53 23/04/2010]
    C:\Program Files\HP\Digital Imaging\Product Assistant d----- [00:33 05/04/2010]
    C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ExceptionAssistantContent d----- [05:31 28/11/2008]
    C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension d----- [07:09 15/08/2009]

    ========== regfind ==========

    Searching for "helpassistant"
    [HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
    @="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000]
    "ProfileImagePath"="%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-1409082233-725345543-1000]
    "ProfileImagePath"="%SystemDrive%\Documents and Settings\HelpAssistant.LINDAS"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
    "File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
    [HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
    @="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

    Searching for "helpasst"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HelpAsst.exe]
    @="C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe"

    -=End Of File=-

    Re: ebay paypal redirect/hijack
    Do you have an XP cd?

    Re: ebay paypal redirect/hijack
    Yes, I do.

    Re: ebay paypal redirect/hijack
    Reboot your computer.

    Boot from the Windows XP CD and press the "R" key in Setup to start the Recovery Console.

    Select your Windows XP installation from the list (usually 1). It will prompt for an administrator password. The password is probably blank, so just hit Enter.

    Enter the command: fixmbr at the input prompt and confirm the next question with a Y.

    It should then reboot the computer. If it does not, then type exit.

    Boot back into normal XP.

    =================

    After that, please do the following:

    Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
    • Double-click mbr.exe to start the program.
    • When done scanning, it will save a log on the Desktop called mbr.log.
    • Please post the contents of that log in your next reply.

    Re: ebay paypal redirect/hijack
    Hi Dragonmaster Jay,

    I followed the directions and booted from the Windows XP CD. When I typed R to go to the Recovery Console, it went to the black screen with the C prompt. (I did not have to select anything.) When I typed fixmbr, it just popped up another C prompt. No response, just the C prompt. So I typed exit.

    Upon restarting, I tried going into the Windows Recovery Console (installed in one of the earlier steps; it shows now whenever I boot). It started loading, then BAM... blue screen of death...

    So I am going to go ahead and do the Stealth MBR Rootkit Detector & post log... but wanted to update you on what was happening.

    Thanks
    yolinda

    Re: ebay paypal redirect/hijack
    Here is the log from Stealth MBR Rootkit Detector:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

    Re: ebay paypal redirect/hijack

    Having any more redirects?
