
Solved Ebay log-in asking for credit card info.

Discussion in 'Malware and Virus Removal Archive' started by a1b2c3, 2010/03/26.

  1. 2010/03/30
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    It's still bringing up the same page asking for personal financial information.
     
  2. 2010/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What browser/version do you use?
    Did you try another browser to see if the same thing happens?
     


  4. 2010/03/30
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    Using Internet Explorer 8. I haven't tried another browser. But I've opened eBay on another computer with no problem.

    I was wondering what spyware, malware, antivirus you use on your computer?
     
  5. 2010/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    On different Windows installations, I use combinations of Avast, Avira and Comodo, plus Malwarebytes and Superantispyware.

    I just noticed something....

    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
     
  6. 2010/03/30
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    C:\Documents and Settings\Eric.E-6BBAC174EFC44\Desktop\HelpAsst_mebroot_fix.exe
    Tue 03/30/2010 at 21:14:40.17

    HelpAssistant account was found to be Active ~ attempting to de-activate

    Full Name Remote Desktop Help Assistant Account
    Account active Yes
    Local Group Memberships *Administrators

    HelpAssistant successfully set Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll present! ~ attempting to remove
    Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

    ~~ Checking firewall ports ~~

    backing up DomainProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
    "65533:TCP "=-
    "52344:TCP "=-
    "2479:TCP "=-
    "4227:TCP "=-
    "3389:TCP "=-
    "1771:TCP "=-
    "3246:TCP "=-
    "2233:TCP "=-
    "2966:TCP "=-
    "1662:TCP "=-
    "1824:TCP "=-
    "6786:TCP "=-
    "6787:TCP "=-
    "7864:TCP "=-
    "7865:TCP "=-
    "9161:TCP "=-
    "9162:TCP "=-
    "5584:TCP "=-
    "9668:TCP "=-
    "5973:TCP "=-
    "5974:TCP "=-

    backing up StandardProfile\GloballyOpenPorts\List registry key
    closing rogue ports

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
    "6786:TCP "=-
    "6787:TCP "=-
    "7864:TCP "=-
    "7865:TCP "=-
    "9162:TCP "=-
    "9161:TCP "=-
    "65533:TCP "=-
    "52344:TCP "=-
    "5584:TCP "=-
    "9668:TCP "=-
    "3389:TCP "=-
    "5973:TCP "=-
    "5974:TCP "=-

    HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1454471165-854245398-725345543-1000
    HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
    ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

    ~~ Checking mbr ~~

    mbr infection detected! ~ running mbr -f

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x89ac8bf0
    NDIS: Motorola Wireless PCI Adapter WPCI810G -> SendCompleteHandler -> 0x899a3330
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x01D1A4F79
    malicious code @ sector 0x01D1A4F7C !
    PE file found in sector at 0x01D1A4F92 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
    original MBR restored successfully !

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x89ac8bf0
    NDIS: Motorola Wireless PCI Adapter WPCI810G -> SendCompleteHandler -> 0x899a3330
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    copy of MBR has been found in sector 0x01D1A4F79
    malicious code @ sector 0x01D1A4F7C !
    PE file found in sector at 0x01D1A4F92 !
    Use "Recovery Console" command "fixmbr" to clear infection !
    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Tue 03/30/2010 at 21:29:15.65

    Full Name Remote Desktop Help Assistant Account
    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x01D1A4F79
    malicious code @ sector 0x01D1A4F7C !
    PE file found in sector at 0x01D1A4F92 !

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in List

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
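    The log above shows what HelpAsst_mebroot_fix looked for on this machine: an enabled HelpAssistant account sitting in Administrators, a rogue termsrv32.dll, a TermService ServiceDll value, a leftover HelpAssistant profile, and a long list of globally open firewall ports. The script below is an added example, not part of this thread and not the tool's own code: a read-only PowerShell audit of those same indicators so a defender can confirm they stay gone after cleanup (the MBR check itself needs a dedicated tool such as the gmer scanner the log quotes, so it is not repeated here). It assumes an elevated PowerShell prompt and the XP-era Windows Firewall registry layout that appears in the log; it changes nothing.

```powershell
# Added example (not the HelpAsst_mebroot_fix tool's code): read-only audit of the
# indicators the tool reported. Assumes elevated PowerShell and the registry
# layout shown in the log (FirewallPolicy\<Profile>\GloballyOpenPorts\List).

$findings = New-Object System.Collections.Generic.List[string]

# 1. HelpAssistant account: expected disabled and NOT in Administrators.
$acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='HelpAssistant'"
if ($acct -and -not $acct.Disabled) {
    $findings.Add("HelpAssistant account is enabled (expected: disabled)")
}
# net.exe prints each group member on its own line.
$adminMembers = & net localgroup Administrators 2>$null
if ($adminMembers -match '^HelpAssistant\s*$') {
    $findings.Add("HelpAssistant is a member of the local Administrators group")
}

# 2. The DLL the tool scheduled for removal on reboot.
$rogueDll = Join-Path $env:SystemRoot 'system32\termsrv32.dll'
if (Test-Path $rogueDll) {
    $findings.Add("termsrv32.dll present: $rogueDll")
}

# 3. Terminal Services should load the genuine termsrv.dll (the clean log shows
#    %systemroot%\System32\termsrv.dll; Get-ItemProperty returns it expanded).
$termParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty -Path $termParams -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and ($serviceDll -notmatch '\\termsrv\.dll$')) {
    $findings.Add("TermService ServiceDll is unexpected: $serviceDll")
}

# 4. Leftover HelpAssistant profile in ProfileList (the tool removed one by SID).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $profileList -ErrorAction SilentlyContinue | ForEach-Object {
    $imagePath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
    if ($imagePath -and $imagePath -match 'HelpAssistant') {
        $findings.Add("ProfileList entry $($_.PSChildName) -> $imagePath")
    }
}

# 5. Globally open firewall ports. After cleanup both lists in the log were empty,
#    so every entry here deserves a look; 3389 (RDP) is the one the tool closed
#    along with the rest of the rogue set, so it is tagged for attention.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = Join-Path $fwBase "$profile\GloballyOpenPorts\List"
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.Property) {
        $value = $item.GetValue($name)
        $tag = if ($name -like '3389:*') { ' (RDP)' } else { '' }
        $findings.Add("$profile open port ${name}${tag}: $value")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No HelpAssistant / termsrv32 / open-port indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

    Run it once before and once after the fix: on the machine in this thread the first run would have flagged the active account, the DLL, the SID-1000 profile and the 21 open ports, and the second run should come back with an empty list, matching the tool's own status check.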
     
  7. 2010/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is eBay doing?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    a1b2c3 likes this.
  8. 2010/03/30
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    ComboFix 10-03-29.04 - Eric 03/30/2010 21:53:54.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2655 [GMT -5:00]
    Running from: c:\documents and settings\Eric.E-6BBAC174EFC44\Desktop\ComboFix.exe
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
    .

    2010-03-31 02:39 . 2010-01-22 14:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-03-31 02:39 . 2010-01-22 14:56 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-03-31 02:39 . 2010-01-22 14:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-03-31 02:39 . 2010-01-22 14:55 767952 ----a-w- c:\windows\BDTSupport.dll
    2010-03-31 02:39 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
    2010-03-31 02:39 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
    2010-03-31 02:39 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2010-03-31 02:39 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2010-03-31 02:39 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2010-03-31 02:38 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2010-03-31 02:38 . 2010-03-31 02:52 -------- d-----w- c:\program files\Spyware Doctor
    2010-03-31 02:38 . 2010-03-31 02:39 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-31 02:38 . 2010-03-31 02:38 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\PC Tools
    2010-03-31 02:14 . 2010-03-31 02:14 -------- d-----w- C:\HelpAsst_backup
    2010-03-29 22:21 . 2010-03-29 22:21 -------- d-----w- c:\program files\ESET
    2010-03-28 22:39 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-28 22:39 . 2010-03-28 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-28 22:39 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-27 05:51 . 2010-03-27 05:51 -------- d-----w- c:\program files\Trend Micro
    2010-03-25 22:24 . 2010-03-25 22:24 -------- d--h--w- c:\windows\PIF
    2010-03-24 23:24 . 2010-03-24 23:28 -------- dc-h--w- c:\windows\ie8
    2010-03-23 22:47 . 2010-03-23 22:47 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\Threat Expert
    2010-03-23 22:39 . 2010-03-31 02:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
    2010-03-23 22:38 . 2010-03-31 02:52 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    2010-03-23 22:05 . 2010-03-23 22:05 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-03-21 01:08 . 2010-03-21 01:08 -------- d-----w- c:\program files\Defender Pro
    2010-03-10 18:04 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-06 23:38 . 2010-03-06 23:38 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\InstallShield
    2010-03-06 18:07 . 2010-03-06 18:07 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-05 14:24 . 2010-03-05 14:24 -------- d-sh--w- c:\documents and settings\Administrator.E-6BBAC174EFC44\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-31 02:52 . 2010-01-15 19:23 -------- d-----w- c:\program files\PeerBlock
    2010-03-31 02:50 . 2009-04-01 12:05 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\DNA
    2010-03-31 02:20 . 2009-04-01 12:05 -------- d-----w- c:\program files\DNA
    2010-03-30 12:17 . 2009-10-12 11:48 -------- d-----w- c:\program files\Unlocker
    2010-03-27 04:02 . 2008-02-18 16:52 -------- d-----w- c:\program files\LimeWire
    2010-03-27 03:59 . 2008-08-21 03:36 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\LimeWire
    2010-03-27 03:59 . 2009-03-28 20:52 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Vso
    2010-03-25 22:39 . 2008-08-19 19:09 52256 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-03-25 22:38 . 2009-01-24 16:09 -------- d-----w- c:\program files\AVS4YOU
    2010-03-24 00:48 . 2008-04-27 21:16 -------- d-----w- c:\documents and settings\Eric\Application Data\Move Networks
    2010-02-27 06:25 . 2008-09-01 13:41 -------- d-----w- c:\program files\CCleaner
    2010-02-26 03:38 . 2008-09-21 03:08 -------- d-----w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\Corel
    2010-02-26 03:37 . 2008-09-21 03:08 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-02-24 15:16 . 2009-10-03 06:37 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 21:54 . 2010-02-20 21:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ThumbnailCache4R
    2010-02-18 10:35 . 2010-02-18 10:35 -------- d-----w- c:\documents and settings\Administrator.E-6BBAC174EFC44\Application Data\FaxCtr
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2010-01-07 00:38 . 2009-03-28 20:52 47360 ----a-w- c:\documents and settings\Eric.E-6BBAC174EFC44\Application Data\pcouffin.sys
    2009-12-31 16:50 . 2004-08-10 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-27_07.00.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-31 02:21 . 2010-03-31 02:21 16384 c:\windows\Temp\Perflib_Perfdata_778.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA "= "c:\program files\DNA\btdna.exe" [2009-11-11 323392]
    "PeerBlock "= "c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2006-07-22 98304]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2006-07-22 81920]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-19 185872]
    "SigmatelSysTrayApp "= "stsystra.exe" [2006-03-20 282624]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 10:42 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 19:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2008-06-13 16:00 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2006-07-22 01:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-07-22 01:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2006-10-03 18:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-10-03 18:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxamon]
    2008-06-13 16:04 16040 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdxmon.exe]
    2008-06-13 16:04 668328 ----a-w- c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2006-07-22 01:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-12-19 03:47 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\DNA\\btdna.exe "=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe "=
    "c:\\Program Files\\CCleaner\\CCleaner.exe "=
    "c:\\WINDOWS\\system32\\lxdxcoms.exe "=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe "=
    "c:\\WINDOWS\\system32\\lxdxcfg.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe "=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/30/2010 9:39 PM 217032]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/30/2010 9:39 PM 112592]
    R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [1/15/2010 2:23 PM 14424]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
    S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [10/21/2009 7:48 PM 98984]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/30/2010 9:38 PM 366840]
    S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - BROWSER_DEFENDER_UPDATE_SERVICE
    *NewlyCreated* - SDAUXSERVICE
    *NewlyCreated* - SDCORESERVICE
    *Deregistered* - PCTSDInjDriver32

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    Trusted Zone: download.com
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-30 22:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1454471165-854245398-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (S-1-5-21-1454471165-854245398-725345543-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1340)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-30 22:02:35
    ComboFix-quarantined-files.txt 2010-03-31 03:02
    ComboFix2.txt 2010-03-28 01:49
    ComboFix3.txt 2010-03-28 00:49
    ComboFix4.txt 2010-03-27 17:37
    ComboFix5.txt 2010-03-31 02:53

    Pre-Run: 215,620,251,648 bytes free
    Post-Run: 215,795,904,512 bytes free

    - - End Of File - - B26918B0C61F46631F3394D72E386107


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:18:05 PM, on 3/30/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\PeerBlock\peerblock.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxdxcoms.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe "
    O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.download.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220267475953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1220268559562
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
    O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 7086 bytes
     
  9. 2010/03/30
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    Oh yeah. No more ebay problem!
     
  10. 2010/03/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Excellent!

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    When done....


    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  11. 2010/03/31
    a1b2c3

    a1b2c3 Inactive Thread Starter

    Joined:
    2010/03/26
    Messages:
    33
    Likes Received:
    0
    My computer is free of the ebay problem and is running faster than it's run in a long time.

    Thank you for your time, help and expertise! It's greatly appreciated!
     
  12. 2010/03/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    Stay safe :)
     
