WiredWX Hobby Weather Tools

ebay paypal redirect/hijack

Re: ebay paypal redirect/hijack

Let's try and slaughter it.

Please open Notepad and enter in the following:
@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
rem the doubled percent signs keep the systemroot variable unexpanded in the stored value
reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %%systemroot%%\System32\termsrv.dll /f
pause
del c:\windows\system32\termsrv32.dll
mbr -t > log.txt
start log.txt
exit

Then, click File > Save as...
Save as file.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on file.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

===================================

Then run the HelpAsst_mebroot_fix again, three times. At the end of the third run, please post the log from it along with the log from above.

Re: ebay paypal redirect/hijack

The first time I ran the HelpAsst_mebroot_fix it said Please wait, and sat for about 10 minutes, then blue screen of death.

I rebooted & ran it again 3 times and below is the log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8880BF28]<<
kernel: MBR read successfully
user & kernel MBR OK


C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Sat 05/01/2010 at 23:32:50.67

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1844237615-1409082233-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant.LINDAS.000 ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSPLI~2.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWSTYL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTABL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTEXT~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\DWTIME~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\FILEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1\SITEPA~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWANCH~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus\DWAPPL~1.XML
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache\ACCELE~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus\Cache
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1\Menus
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1\CONFIG~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe\DREAMW~1
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1\Adobe
Remove on reboot: C:\DOCUME~1\HELPAS~1.000\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant.LINDAS.000


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:37:55.29

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:38:48.73

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 05/01/2010 at 23:39:13.32

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: ebay paypal redirect/hijack

Good progress.

Please open Notepad and enter in the following:
@echo off
mbr -f
reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
net stop RDSessMgr
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
attrib -s -h -r C:\docume~\HelpAssistant\* /s /d
del /s/q C:\docume~\HelpAssistant\*.*
rmdir /s/q C:\docume~\HelpAssistant
mbr -f
pause
net user HelpAssistant > log.txt
mbr -t >> log.txt
pause
start log.txt
exit

Then, click File > Save as...
Save as check.bat to your Desktop.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on check.bat, and it will finish quickly and launch a log (log.txt).

Please post that in your next reply.

Re: ebay paypal redirect/hijack

Ok... here you go...

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/1/2010 11:32 PM
Password expires Never
Password changeable 5/1/2010 11:32 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/1/2010 11:32 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK
Right On!

Re: ebay paypal redirect/hijack

Now, let's see if it is gone, before we try to delete the HelpAssistant account.

Please download HAMeb_check.exe and save it to your desktop.

  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.

Re: ebay paypal redirect/hijack

ok... here is the log...

C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Sun 05/02/2010 at 18:31:57.81

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~
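The log above is read by eye in the thread; as an added example (my code, not HAMeb_check's or the thread's), here is a triage parser for that log format that turns each section into a named indicator, so a reinfection like the termsrv32.dll and port 3389 findings above is spotted mechanically. The sample log is constructed from the line formats posted above; the indicator names are my own.

```python
import re

# Constructed sample in the HAMeb_check log format posted in the thread (same
# line shapes and values as that post); it is not the poster's real file.
SAMPLE_LOG = """\
C:\\Documents and Settings\\yo\\Desktop\\HAMeb_check.exe
Sun 05/02/2010 at 18:31:57.81

Account active No
Local Group Memberships

~~ Checking profile list ~~
No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A307B10]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\termservice\\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\\System32\\termsrv32.dll

~~ Checking firewall ports ~~
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\DomainProfile\\GloballyOpenPorts\\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""

SECTION_RE = re.compile(r"^~~ (.+?) ~~$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=.*:Enabled', re.IGNORECASE)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")
STOCK_TERMSRV = "\\system32\\termsrv.dll"   # the only legitimate ServiceDll tail

def triage(log_text):
    """Walk the log section by section; return (indicator, offending line) pairs."""
    findings = []
    section = "account"        # the lines before the first ~~ header
    mbr_ok_seen = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Status check on"):   # HelpAsst_mebroot_fix appends status blocks
            section = "account"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "account":
            if line.startswith("Account active") and line.endswith("Yes"):
                findings.append(("helpassistant_active", line))
            elif line.startswith("Local Group Memberships") and "*Administrators" in line:
                findings.append(("helpassistant_is_admin", line))
        elif section == "checking profile list":
            if line.startswith("HelpAssistant profile found"):
                findings.append(("helpassistant_profile_in_registry", line))
        elif section == "checking for helpassistant directories":
            if line.lower().startswith("helpassistant"):
                findings.append(("leftover_profile_dir", line))
        elif section == "checking mbr":
            # mbr.exe output: an UNKNOWN module in the disk stack deserves a look;
            # a missing OK verdict is reported after the loop.
            if UNKNOWN_RE.search(line):
                findings.append(("unknown_module_in_disk_stack", line))
            if line == "user & kernel MBR OK":
                mbr_ok_seen = True
        elif section == "checking for termsrv32.dll":
            if line.startswith("termsrv32.dll present"):
                findings.append(("termsrv32_dll_present", line))
            elif line.startswith("ServiceDll"):
                parts = line.split(None, 2)
                if len(parts) == 3 and not parts[2].lower().endswith(STOCK_TERMSRV):
                    findings.append(("termservice_servicedll_hijacked", line))
        elif section == "checking firewall ports":
            pm = PORT_RE.match(line)
            if pm:
                tag = "rdp_port_3389_opened" if pm.group(1) == "3389" else "firewall_port_opened"
                findings.append((tag, line))
    if not mbr_ok_seen:
        findings.append(("mbr_not_confirmed_ok", "no 'user & kernel MBR OK' line in log"))
    return findings

def indicators(log_text):
    """De-duplicated indicator names, for a quick clean/not-clean verdict."""
    return sorted({name for name, _ in triage(log_text)})
```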

Re: ebay paypal redirect/hijack

Need more info to execute a total disinfection.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    *helpassistant*
    disk.sys
    atapi.sys
    mbr.sys
    ntoskrnl.exe
    mat*.dll
    termsrv*

    :folderfind
    *helpassistant*

    :regfind
    PhysicalDrive
    helpassistant
    termservice


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: ebay paypal redirect/hijack

ok... here is the log...

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:59 on 03/05/2010 by yo (Administrator - Elevation successful)

========== filefind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant.LINDAS\Recent\HelpAssistant.lnk --a--- 517 bytes [04:01 23/04/2010] [11:22 13/04/2010] 09EF2F44DA86715D3FD0354E1878EA5F

Searching for "disk.sys"
C:\WINDOWS\$NtServicePackUninstall$\disk.sys -----c 36352 bytes [02:10 25/09/2008] [05:59 04/08/2004] 00CA44E4534865F8A3B64F7C0984BFF0
C:\WINDOWS\ServicePackFiles\i386\disk.sys ------ 36352 bytes [05:59 04/08/2004] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25
C:\WINDOWS\system32\drivers\disk.sys --a--- 36352 bytes [12:00 29/08/2002] [18:40 13/04/2008] 044452051F3E02E7963599FC8F4F3E25

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [02:10 25/09/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [13:16 19/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [19:59 12/01/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "mbr.sys"
No files found.

Searching for "ntoskrnl.exe"
C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe --a--- 2179328 bytes [00:59 02/03/2005] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe --a--- 2179456 bytes [01:04 02/03/2005] [01:04 02/03/2005] 28187802B7C368C0D3AEF7D4C382AABB
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe --a--- 2182144 bytes [09:55 28/02/2007] [09:55 28/02/2007] 5A5C8DB4AA962C714C8371FBDF189FC9
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [23:35 07/02/2009] [23:35 07/02/2009] EFE8EACE83EAAD5849A7A548FB75B584
C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe --a--- 2189184 bytes [20:11 14/08/2008] [20:11 14/08/2008] 31914172342BFF330063F343AC6958FE
C:\WINDOWS\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [18:18 15/10/2009] [13:56 04/08/2009] FDE779EA1A564EBFE16F4E0F82B61BAD
C:\WINDOWS\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe --a--- 2189312 bytes [04:52 09/12/2009] [04:52 09/12/2009] 05BE3D9A71972223AFF6A3C823BA51B1
C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe --a--- 2190080 bytes [13:48 14/04/2010] [12:52 16/02/2010] E1F653A542449D54FA2D27463D99B6B6
C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe -----c 2180352 bytes [02:10 25/09/2008] [09:10 28/02/2007] 582A8DBAA58C3B1F176EB2817DAEE77C
C:\WINDOWS\$NtUninstallKB885835_0$\ntoskrnl.exe -----c 2042240 bytes [02:01 13/01/2008] [12:00 29/08/2002] B9080D97DBD631AADF9128F7316958D2
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe -----c 2180992 bytes [02:43 13/01/2008] [06:19 04/08/2004] CE218BC7088681FAA06633E218596CA7
C:\WINDOWS\$NtUninstallKB890859_0$\ntoskrnl.exe -----c 2088448 bytes [02:01 13/01/2008] [08:33 22/10/2004] 5A7EB0C9F96917B7ECF5ADF70C4B1BAE
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe -----c 2179328 bytes [03:17 13/01/2008] [00:59 02/03/2005] 4D4CF2C14550A4B7718E94A6E581856E
C:\WINDOWS\$NtUninstallKB956572$\ntoskrnl.exe -----c 2189184 bytes [07:06 17/04/2009] [10:11 14/08/2008] EEAF32F8E15A24F62BECB1BD403BB5C5
C:\WINDOWS\$NtUninstallKB956841$\ntoskrnl.exe -----c 2188928 bytes [07:01 15/10/2008] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\$NtUninstallKB971486$\ntoskrnl.exe -----c 2189056 bytes [07:08 16/10/2009] [11:08 06/02/2009] 7A95B10A73737EBF24139AAA63F5212B
C:\WINDOWS\$NtUninstallKB977165$\ntoskrnl.exe -----c 2189184 bytes [08:01 11/02/2010] [00:44 05/08/2009] 8415D9C7C050E7022AED8ABF281BE4A6
C:\WINDOWS\$NtUninstallKB979683$\ntoskrnl.exe -----c 2189184 bytes [07:07 16/04/2010] [19:27 08/12/2009] 78EC47F9B9A3A1D539262D8834C896CE
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe ------ 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ERDNT\cache\ntoskrnl.exe --a--- 2189952 bytes [13:16 19/04/2010] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe ------ 2188928 bytes [06:19 04/08/2004] [19:27 13/04/2008] 0C89243C7C3EE199B96FCC16990E0679
C:\WINDOWS\system32\dllcache\ntoskrnl.exe -----c 2189952 bytes [22:23 14/10/2008] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA
C:\WINDOWS\system32\ntoskrnl.exe --a--- 2189952 bytes [12:00 29/08/2002] [13:10 17/02/2010] D41C3CBAD0E1C0728D1CDFD541F60CFA

Searching for "mat*.dll"
No files found.

Searching for "termsrv*"
C:\Documents and Settings\HelpAssistant.LINDAS.000\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:43 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\Documents and Settings\yo\Local Settings\temp\RarSFX5\termsrv.dat --a--- 15 bytes [03:18 02/05/2010] [03:18 02/05/2010] BBFCC0810FB0FD869118C1053DDF0EAC
C:\HelpAsst_backup\termsrv32.dll --a--- 295424 bytes [03:18 02/05/2010] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [02:10 25/09/2008] [07:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\ERDNT\cache\termsrv.dll --a--- 295424 bytes [13:16 19/04/2010] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [07:56 04/08/2004] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [19:11 12/01/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv32.dll --a--- 295424 bytes [19:11 12/01/2008] [19:11 12/01/2008] 56F4867BAE6FD78E5365A3A7AFA59C82

========== folderfind ==========

Searching for "*helpassistant*"
C:\Documents and Settings\HelpAssistant d----- [21:43 28/12/2009]
C:\Documents and Settings\HelpAssistant.LINDAS d----- [03:31 23/04/2010]
C:\Documents and Settings\HelpAssistant.LINDAS.000 d----- [03:32 02/05/2010]

========== regfind ==========

Searching for "PhysicalDrive"
No data found.

Searching for "helpassistant"
[HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\Documents and Settings\HelpAssistant.LINDAS\Cookies\yo@2o7[1].txt"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Adobe\MediaBrowser\MRU\Dreamweaver\FileList\2010-04-13T10:20:04.9840Z]
@="C:\Documents and Settings\HelpAssistant\UserData\S9AV8HUZ\dmtstore[2].xml"

Searching for "termservice"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000]
"Service"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TERMSERVICE\0000\Control]
"ActiveService"="TermService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService\FilePrint\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Enum]
"0"="Root\LEGACY_TERMSERVICE\0000"
[HKEY_USERS\S-1-5-21-1844237615-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="swreg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %systemroot%\System32\termsrv.dll /f\1"

-=End Of File=-

Re: ebay paypal redirect/hijack
Ok.

Please download and run this: http://www.eset.eu/download/emebremover

Let me know if it launches or saves a log.

===========

Once done, please re-run HaMeb_Check.exe and post a log.

Re: ebay paypal redirect/hijack
Emebremover did not produce a log... but it did display 2 messages as it ran. First was that MBR rootkit (Win32/Mebroot) was found on my system and asked if I wanted it to clean/remove it. I clicked yes. Then it said it was cleaned successfully.

And here is the log for HaMeb_Check.exe


C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 1:07:05.06

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~
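A triage script for HaMeb_Check output like the log above, added here as an example (it is not part of the thread or of the HaMeb_Check tool): it splits the log into its `~~ ... ~~` sections and turns the HelpAssistant / termsrv32.dll / MBR / port-3389 indicators into severity-tagged findings, so a helper can see at a glance whether the rootkit is still active or only remnants are left. The sample log and the severity labels are constructed for the example.

```python
"""Triage helper for HaMeb_Check-style output (added example, not the tool's
own code): groups the log under its '~~ title ~~' headers and reports the
Mebroot / HelpAssistant indicators as (severity, message) findings."""
import re

# Constructed sample in the layout HaMeb_Check prints; profile names and
# sector numbers are illustrative, not taken from a real machine.
SAMPLE_LOG = r"""
Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.EXAMPLE
HelpAssistant.EXAMPLE.000

~~ Checking mbr ~~

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

~~ EOF ~~
"""

# The legitimate Terminal Services DLL; anything else in ServiceDll is a hijack.
EXPECTED_SERVICEDLL = r"\system32\termsrv.dll"


def split_sections(text):
    """Group non-empty log lines under their '~~ title ~~' headers.

    Lines before the first header (the account status block) go under
    'account'. Keys are lower-cased so callers do not depend on the tool's
    exact casing.
    """
    sections = {"account": []}
    current = "account"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^~~\s*(.+?)\s*~~$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (severity, message) tuples for the indicators found."""
    sec = split_sections(text)
    findings = []

    account = "\n".join(sec["account"])
    if re.search(r"Account active\s+Yes", account):
        findings.append(("high", "HelpAssistant account is active"))
    if re.search(r"Local Group Memberships\s+\*?Administrators", account):
        findings.append(("high", "HelpAssistant is in the Administrators group"))

    profile = sec.get("checking profile list", [])
    if profile and not any("No HelpAssistant profile" in l for l in profile):
        findings.append(("medium", "HelpAssistant profile still listed in ProfileList"))

    for d in sec.get("checking for helpassistant directories", []):
        findings.append(("medium", f"leftover profile directory: {d}"))

    for line in sec.get("checking mbr", []):
        if "malicious code" in line or "PE file found" in line:
            findings.append(("critical", f"MBR: {line}"))  # rootkit code on disk
        elif "copy of MBR" in line:
            findings.append(("high", f"MBR: {line}"))  # backup of the real MBR
        elif line.startswith("called modules") and "UNKNOWN" in line:
            findings.append(("critical", f"MBR: unknown module in disk stack: {line}"))

    for line in sec.get("checking for termsrv32.dll", []):
        if line.lower().startswith("termsrv32.dll present"):
            findings.append(("high", "termsrv32.dll present in System32"))
        m = re.match(r"ServiceDll\s+REG_EXPAND_SZ\s+(.+)$", line, re.I)
        if m and not m.group(1).strip().lower().endswith(EXPECTED_SERVICEDLL):
            findings.append(("critical", f"TermService ServiceDll hijacked: {m.group(1).strip()}"))

    for line in sec.get("checking firewall ports", []):
        if "3389:TCP" in line and "Enabled" in line:
            findings.append(("medium", "TCP 3389 (Remote Desktop) globally open in firewall policy"))

    return findings


def verdict(findings):
    """Collapse findings into one word: 'active', 'remnants' or 'clean'."""
    sev = {s for s, _ in findings}
    if "critical" in sev:
        return "active"      # rootkit code or hijacked service still present
    if sev & {"high", "medium"}:
        return "remnants"    # main components gone, cleanup still incomplete
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for severity, message in found:
        print(f"[{severity}] {message}")
    print("verdict:", verdict(found))
```

On the sample log the verdict is "active", which is the same conclusion the helper draws from the real log: the MBR code and the termsrv32.dll ServiceDll hijack are back even though the ESET remover reported a clean.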

Re: ebay paypal redirect/hijack
Whew. This is going to be a little complicated. It is obviously reinstalling itself after every removal.

============================

In order to do this, every step should be taken correctly.

1. Download all that is needed in the below instructions, and then save all of these instructions to Notepad or print them for easy access.

2. Disconnect from the Internet. Very important to do, until after the last reboot.

3. Open Notepad and copy/paste the code box below into a new text file.

Code:

@echo off
rem Deactivate the HelpAssistant account and drop it from Administrators
net user HelpAssistant /active:no >nul 2>&1
net localgroup Administrators HelpAssistant /delete >nul 2>&1
rem Clear system/hidden/read-only attributes so the profile directories can be deleted
attrib -s -h -r "C:\Documents and Settings\HelpAssistant\*" /s /d
attrib -s -h -r "C:\Documents and Settings\HelpAssistant.LINDAS\*" /s /d
attrib -s -h -r "C:\Documents and Settings\HelpAssistant.LINDAS.000\*" /s /d
rem Remove the three profile directories (paths quoted because of the spaces)
del /s /q "C:\Documents and Settings\HelpAssistant\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant"
del /s /q "C:\Documents and Settings\HelpAssistant.LINDAS\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant.LINDAS"
del /s /q "C:\Documents and Settings\HelpAssistant.LINDAS.000\*.*"
rmdir /s /q "C:\Documents and Settings\HelpAssistant.LINDAS.000"

  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).


4. Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    registry::


    file::
    c:\windows\system32\termsrv32.dll

    snapshot::
    mbr::
    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


5. Run Help_Asst_Mebroot_Fix and make sure that log gets posted in your next reply.

6. Reboot your computer three times!

7. Run HaMeb_Check once more and post a log.

Make sure to post the ComboFix log, HelpAsstMebrootFix log, and HaMeb_Check log in your next reply.

Re: ebay paypal redirect/hijack
Ok... all instructions followed precisely.... here are the logs:

ComboFix 10-05-03.06 - yo 05/04/2010 10:05:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.969 [GMT -4:00]
Running from: c:\documents and settings\yo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\yo\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\termsrv32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\yo\Recent\Thumbs.db
c:\program files\WindowsUpdate
c:\windows\system32\termsrv32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-02 04:07 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\UserData
2010-05-02 04:06 . 2010-05-02 04:06 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\PrivacIE
2010-05-02 04:06 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS.000\PNPrint3.exe
2010-05-02 03:52 . 2010-05-02 03:52 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\log
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IETldCache
2010-05-02 03:39 . 2010-05-02 03:39 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000\IECompatCache
2010-05-02 03:32 . 2010-05-02 04:07 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS.000
2010-05-02 03:18 . 2010-05-02 03:18 -------- d-----w- C:\HelpAsst_backup
2010-04-28 23:47 . 2010-04-28 23:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\UserData
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\Saved Games
2010-04-23 04:01 . 2010-04-23 04:01 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\PrivacIE
2010-04-23 04:01 . 2009-04-07 20:05 49152 ----a-w- c:\documents and settings\HelpAssistant.LINDAS\PNPrint3.exe
2010-04-23 03:49 . 2010-04-23 03:49 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\log
2010-04-23 03:31 . 2010-03-10 08:05 -------- d-----w- c:\documents and settings\HelpAssistant.LINDAS\IETldCache
2010-04-17 15:26 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 12:56 . 2010-04-15 12:56 -------- d-----w- c:\program files\Sophos
2010-04-14 21:59 . 2010-04-14 21:59 384872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-13 21:37 . 2010-04-13 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 21:35 . 2010-04-13 21:35 -------- d-----w- c:\documents and settings\yo\Application Data\SUPERAntiSpyware.com
2010-04-12 20:03 . 2010-04-12 20:07 -------- d-----w- c:\documents and settings\yo\.SunDownloadManager
2010-04-07 16:25 . 2010-04-11 21:37 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2010-04-06 04:35 . 2010-04-06 04:35 -------- d-----w- c:\program files\ESET
2010-04-05 21:46 . 2010-05-04 09:44 -------- d-----w- c:\windows\system32\NtmsData
2010-04-05 21:29 . 2010-04-05 21:29 -------- d-----w- c:\documents and settings\yo\Application Data\Avira
2010-04-05 21:18 . 2010-04-14 13:39 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-05 21:08 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-04-05 21:08 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-04-05 21:08 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\program files\Avira
2010-04-05 21:08 . 2010-04-05 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-04-05 20:42 . 2010-04-05 20:42 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-05 20:37 . 2010-04-05 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-05 19:59 . 2010-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-05 19:58 . 2010-04-05 20:00 -------- d-----w- c:\documents and settings\yo\Application Data\HP
2010-04-05 01:52 . 2008-10-28 16:49 321536 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp696.dll
2010-04-05 01:52 . 2008-10-28 16:49 118272 ----a-w- c:\windows\system32\hpz3l696.dll
2010-04-05 01:04 . 2010-05-04 13:59 -------- d-----w- c:\documents and settings\yo\Application Data\HPAppData
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Local Settings\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-06 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-04-04 23:52 . 2010-04-05 20:00 152184 ----a-w- c:\windows\hphins29.dat
2010-04-04 23:52 . 2008-12-15 12:44 1060 ------w- c:\windows\hphmdl29.dat
2010-04-04 19:57 . 2010-04-29 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 04:00 . 2008-08-07 18:14 -------- d-----w- c:\program files\PokerStars
2010-05-01 19:24 . 2008-01-13 03:02 207024 ----a-w- c:\documents and settings\yo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 15:26 . 2008-01-14 00:52 -------- d-----w- c:\program files\Java
2010-04-16 07:08 . 2008-11-22 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 01:49 . 2008-05-24 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-13 21:35 . 2008-08-22 15:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-12 22:31 . 2008-12-23 21:32 -------- d-----w- c:\program files\LimeWire
2010-04-12 20:14 . 2008-01-14 00:51 -------- d-----w- c:\program files\Common Files\Java
2010-04-07 01:50 . 2008-01-13 01:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 02:36 . 2008-12-12 17:59 -------- d-----w- c:\documents and settings\yo\Application Data\mjusbsp
2010-04-06 02:36 . 2010-02-24 15:38 -------- d-----w- c:\documents and settings\yo\Application Data\Facebook
2010-04-05 20:55 . 2010-01-10 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-05 14:56 . 2010-01-23 21:00 -------- d-----w- c:\program files\Panda Security
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\documents and settings\yo\Application Data\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-04-05 00:35 . 2010-04-05 00:35 -------- d-----w- c:\program files\ArcSoft
2010-04-05 00:35 . 2010-04-04 23:54 -------- d-----w- c:\program files\HP
2010-04-05 00:34 . 2010-04-05 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-05 00:33 . 2010-04-05 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-05 00:32 . 2010-04-05 00:32 -------- d-----w- c:\program files\Common Files\HP
2010-04-04 20:06 . 2008-03-26 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-04 20:02 . 2008-01-13 17:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-04 17:17 . 2008-01-14 00:54 -------- d-----w- c:\documents and settings\yo\Application Data\LimeWire
2010-04-04 16:00 . 2010-01-13 00:18 -------- d-----w- c:\program files\Lavasoft
2010-04-04 07:36 . 2010-04-04 07:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-04-04 07:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-04 07:36 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-20 23:24 . 2010-03-20 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2010-03-20 15:29 . 2010-01-13 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-15 23:21 . 2008-01-14 17:46 36 ---ha-w- c:\windows\system32\f9t.dat
2010-03-10 15:40 . 2010-03-10 15:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 14:58 . 2010-03-10 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2002-08-29 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\yo\Application Data\Malwarebytes
2010-03-10 03:22 . 2010-03-10 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 03:13 . 2010-03-20 02:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 00:04 . 2010-03-10 00:04 104 ----a-w- c:\documents and settings\yo\Application Data\netstat.bat
2010-03-09 22:58 . 2010-03-09 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-03-09 22:54 . 2010-03-09 22:54 -------- d-----w- c:\program files\Sunbelt Software
2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-08-29 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:24 . 2010-01-24 19:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-08-16 12:14 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-10-27 19:58 . 2010-02-05 00:23 54093 ----a-w- c:\program files\EULA.eng
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^yo^Start Menu^Programs^Startup^ERUNT AutoBackup.lnk]
path=c:\documents and settings\yo\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
backup=c:\windows\pss\ERUNT AutoBackup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1&1 EasyLogin]
2009-08-18 10:30 2200576 ----a-w- c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-11 23:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 23:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\documents and settings\yo\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
2007-07-26 20:05 20480 ----a-w- c:\program files\GIGABYTE\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 14:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-12-07 20:44 1884160 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-04 23:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2004-11-12 01:50 212992 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-14 15:29 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-29 01:42 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"MagicTuneEngine"=2 (0x2)
"CVPND"=2 (0x2)
"cisvc"=3 (0x3)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe Version Cue CS2"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\yo\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 AM 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [1/1/2008 3:51 PM 19240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [3/19/2010 10:14 PM 95024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2010 5:08 PM 135336]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:22 PM 135664]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\yo\LOCALS~1\Temp\aswArKrn.sys [?]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [1/12/2008 10:24 PM 24944]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\63.tmp --> c:\windows\system32\63.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 1:31 PM 42000]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\yo\Application Data\Mozilla\Firefox\Profiles\n29uwi6z.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\yo\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\63.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{1753-23772}]
"D-Code"="9943096400"
"U-Code"="Demo"
"S-Code"="4973197477"
"C-Code"="2108728324272124"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1152)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\snmp.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2010-05-04 11:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 15:38

Pre-Run: 57,514,393,600 bytes free
Post-Run: 58,265,882,624 bytes free

- - End Of File - - C772DC53CDE8935104EAF894955A4315

Re: ebay paypal redirect/hijack
C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 11:40:51.81

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"3389:TCP"=-

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

------------------------------------------------------------------------------------------------


C:\Documents and Settings\yo\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 11:50:32.84

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll si3112.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: ebay paypal redirect/hijack
I think we might have killed most of the infection. Run Help_Asst_Mebroot_Fix once more and post a log, please.

Re: ebay paypal redirect/hijack
C:\Documents and Settings\yo\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 15:07:36.48

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

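Added example, not part of the thread and not code from the HelpAsst_mebroot_fix or HAMeb_check tools: a small Python triage of the log format posted above. It reads the `~~ Checking ... ~~` sections and flags the indicators the helper is looking for in each log: an enabled HelpAssistant account and its Administrators membership, a dropped termsrv32.dll or a redirected TermService ServiceDll, a 3389:TCP entry under GloballyOpenPorts (including the `"3389:TCP"=-` lines the fix tool writes when it removes one), leftover HelpAssistant profile directories or ProfileList entries, and the mbr.exe sector findings. Note that in the HAMeb_check log above "user & kernel MBR OK" and "malicious code @ sector ..." appear together: the OK line covers the MBR itself, while the stored MBR copy and loader sectors are reported separately and are still malicious code on disk, so the triage reports them on their own. The embedded sample is trimmed from that posted HAMeb_check log; the `net user` column spacing, the `"port:TCP"` value-name shape and the severity labels are this example's own assumptions.

```python
"""Triage HelpAsst_mebroot_fix / HAMeb_check style output for the indicators used in the
thread: HelpAssistant account state, termsrv32.dll, TermService ServiceDll, 3389:TCP in
GloballyOpenPorts, HelpAssistant profile residue and mbr.exe sector findings."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": live backdoor component, "medium": inert malicious residue, "info": cleanup residue
    indicator: str
    evidence: str


SECTION_RE = re.compile(r"^~~ (.+?) ~~$")             # "~~ Checking mbr ~~" headers in the logs
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"')           # GloballyOpenPorts value names, e.g. "3389:TCP"=-
ACTIVE_RE = re.compile(r"^account active\s+yes\b")     # 'net user HelpAssistant' output echoed by HAMeb_check
ADMIN_RE = re.compile(r"^local group memberships\b.*\badministrators\b")
MBR_ALERTS = ("copy of mbr has been found", "malicious code @ sector", "pe file found in sector")
SEVERITY_RANK = {"high": 3, "medium": 2, "info": 1}


def triage(log_text: str) -> list[Finding]:
    """Return the indicators present in one log; section headers decide how lines are read."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        low = line.lower()
        if ACTIVE_RE.match(low) or low.startswith("helpassistant account is active"):
            findings.append(Finding("high", "HelpAssistant account enabled", line))
        elif ADMIN_RE.match(low):
            findings.append(Finding("high", "HelpAssistant is a member of Administrators", line))
        # ServiceDll is tested before the generic termsrv32.dll test so a redirected value is named as such.
        elif low.startswith("servicedll") and not low.endswith("\\system32\\termsrv.dll"):
            findings.append(Finding("high", "TermService ServiceDll redirected", line))
        elif "termsrv32.dll" in low and "not found" not in low:
            findings.append(Finding("high", "termsrv32.dll present", line))
        elif "firewall" in section and PORT_RE.match(line):
            findings.append(Finding("high", "GloballyOpenPorts entry (listed or being removed)", line))
        elif "directories" in section and low.startswith("helpassistant"):
            findings.append(Finding("info", "leftover HelpAssistant profile directory", line))
        elif "profile list" in section and "no helpassistant profile" not in low:
            findings.append(Finding("info", "HelpAssistant ProfileList entry", line))
        # "user & kernel MBR OK" only says the MBR itself is clean; mbr.exe reports the stored
        # MBR copy and loader sectors separately, and they are still malicious code on disk.
        elif any(alert in low for alert in MBR_ALERTS):
            findings.append(Finding("medium", "Mebroot sectors outside the MBR", line))
    return findings


def verdict(findings: list[Finding]) -> str:
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return {3: "backdoor components present", 2: "malicious residue present",
            1: "profile residue only", 0: "clean"}[worst]


# Sample input: trimmed from the HAMeb_check log posted in the thread.
HAMEB_CHECK_LOG = r"""
Account active No
Local Group Memberships

~~ Checking profile list ~~
No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~
HelpAssistant
HelpAssistant.LINDAS
HelpAssistant.LINDAS.000

~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FBFE2
malicious code @ sector 0x0E4FBFE5 !
PE file found in sector at 0x0E4FBFFB !

~~ Checking for termsrv32.dll ~~
termsrv32.dll was not found
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"""

if __name__ == "__main__":
    for f in triage(HAMEB_CHECK_LOG):
        print(f"[{f.severity}] {f.indicator}: {f.evidence}")
    print("verdict:", verdict(triage(HAMEB_CHECK_LOG)))
```

On the sample above the script reports three leftover profile directories and three sector findings and no live backdoor component, which matches the state of the machine at that point in the thread: account disabled, ServiceDll back on termsrv.dll, firewall lists empty, but Mebroot's sectors still on disk. The same parser reads the HelpAsst_mebroot_fix logs, where a `"3389:TCP"=-` line under the firewall section is evidence that the rogue port entry existed.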