Is this a virus or?????

Not sure what's going on here. If you're willing to allow me access to see your system so I can see what you are actually seeing, you can download a program called TeamViewer. All I would need is your ID number and password to see your screen.

However, there is still one more thing to do. Move the combofix file to your desktop so you can perform the following procedure.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
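For anyone who wants to see which keys the Reglock:: lines above are aimed at before running ComboFix, the following is an added example (not from this thread and not part of ComboFix) that lists the AllUserSettings keys under that device class GUID which carry Deny entries in their ACL. It is read-only and assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example, not from the thread or from ComboFix: report registry keys
# under the device class GUID quoted in the CFScript whose AllUserSettings
# subkey has explicit Deny ACEs. Reporting only; no ACL is changed.
# Assumption: run in an elevated PowerShell session on the affected machine.

$classGuid = '{4D36E96D-E325-11CE-BFC1-08002BE10318}'
$classPath = "HKLM:\SYSTEM\ControlSet001\Control\Class\$classGuid"

function Get-LockedClassKeys {
    param([string]$Path = $classPath)

    # Each device instance under the class is a four-digit subkey (0000, 0001, ...).
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $target = Join-Path $Path ($_.PSChildName + '\AllUserSettings')
            if (-not (Test-Path -LiteralPath $target)) { return }

            try {
                $acl = Get-Acl -LiteralPath $target
            } catch {
                # Access denied here is itself what the log calls a locked key:
                # the DACL excludes the calling account. Report it, keep going.
                [pscustomobject]@{
                    Key       = $target
                    Denied    = '(Get-Acl failed: ' + $_.Exception.Message + ')'
                    BlindDial = $null
                }
                return
            }

            $deny = $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.RegistryRights }

            if ($deny) {
                # BlindDial is the value ComboFix prints for these keys; read it if present.
                $value = Get-ItemProperty -LiteralPath $target -Name BlindDial -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Key       = $target
                    Denied    = ($deny -join '; ')
                    BlindDial = $value.BlindDial
                }
            }
        }
}

Get-LockedClassKeys | Format-Table -AutoSize -Wrap
```

Keys that show up here are the ones ComboFix lists under LOCKED REGISTRY KEYS; compare the output before and after the CFScript run to confirm the unlock took effect.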
 
John, this is what Microsoft has on this issue. I copied and pasted the address into their database on virus definitions as follows.


Microsoft Malware Protection Center - Threat Research and Response
Search the malware encyclopedia
Search Term = http://www.ebay.com/itm/25105096919...eName=STRK:MEWAX:IT&_trksid=p3984.m1423.l2649
Sorted by Relevance | Sort by Date

500 entries found | Page 1 of 50

AutoIt/Helompy
Description: AutoIt/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different web sites or services, including Facebook and GMail. The worm contacts a remote host in order to download arbitrary files and to upload stolen...
Published Date: Sep 07, 2011
Alert level: Severe

Win32/Virtumonde
Description: Win32/Virtumonde is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Virtumonde is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a...
Published Date: Apr 11, 2011
Alert level: High

Win32/Vundo
Description: Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files. Vundo is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent.
Published Date: Apr 11, 2011
Alert level: High

WinNT/Haxdoor
Description: WinNT/Haxdoor is a family of kernel-mode trojan components affiliated with Win32/Haxdoor. The Win32/Haxdoor family of trojans are rootkit-capable backdoor trojans which gather and send private user data to remote attackers. Collected data might include user names and passwords, credit card numbers,...
Published Date: Apr 11, 2011
Alert level: High

Win32/Slenfbot
Description: Win32/Slenfbot is a worm that can spread via instant messaging programs, which may include MSN Messenger, Yahoo Messenger and Skype. It may also spread via removable drives or exploiting the MS06-040 vulnerability. This worm spreads automatically via shares, but must be ordered to spread via...
Published Date: Apr 11, 2011
Alert level: Severe

Win32/Pushbot
Description: Win32/Pushbot is detection for a family of malware that spreads via MSN Messenger, Yahoo Messenger and AIM when commanded to by a remote attacker. This worm contains backdoor functionality that allows unauthorized access and control of an affected machine.
Published Date: Apr 11, 2011
Alert level: Severe

Win32/Expiro
Description: Win32/Expiro is a virus that infects EXE files in all drives and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer security settings.
Published Date: Aug 01, 2011
Alert level: Severe

Win32/Defmid
Description: Rogue:Win32/Defmid is a trojan that mimics security alerts and displays messages requesting the user to purchase the rogue to fix "detected" problems that in actuality don't exist.
Published Date: Jan 24, 2012
Alert level: Severe

Win32/Qakbot
Description: Win32/Qakbot is a multi-component family of malware that allows unauthorized access and control of an affected computer. By allowing remote access, this backdoor trojan can perform several actions including stealing sensitive information. Some variants of this malware may attempt to spread to...
Published Date: Jun 10, 2011
Alert level: Low

Win32/Dorkbot
Description: Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may...
Published Date: Feb 24, 2012
Alert level: Severe
 
Combo Fix Log.
ComboFix 12-05-13.03 - 05/13/2012 13:09:25.3.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3454.2215 [GMT -7:00]
Running from: c:\users\\Downloads\ComboFix.exe
Command switches used :: c:\users\\Desktop\CFScript - Shortcut.lnk
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-13 to 2012-05-13 )))))))))))))))))))))))))))))))
.
.
2012-05-13 20:12 . 2012-05-13 20:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-12 21:45 . 2012-05-13 20:12 -------- d-----w- c:\users\Robert Rantzow\AppData\Local\temp
2012-05-11 21:08 . 2012-03-30 12:39 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 21:08 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-08 03:05 . 2012-05-08 03:05 388096 ----a-r- c:\users\Robert Rantzow\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-05-08 03:05 . 2012-05-08 03:05 -------- d-----w- c:\program files\Trend Micro
2012-05-08 02:46 . 2012-05-08 02:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-05 02:46 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-05-03 03:10 . 2012-05-13 15:58 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-03 03:10 . 2012-05-12 21:55 85432 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-05-03 03:10 . 2012-04-25 22:58 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-05-03 03:10 . 2012-04-25 22:58 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-05-03 03:10 . 2012-05-12 21:55 624568 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-05-03 03:10 . 2012-05-12 21:55 43448 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-05-03 03:10 . 2012-05-12 21:55 157560 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-03 03:10 . 2012-05-12 21:55 113080 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-04-29 16:17 . 2012-04-29 16:17 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-04-29 16:17 . 2012-04-29 16:18 -------- d-----w- c:\program files\NVIDIA Corporation
2012-04-29 16:16 . 2010-06-07 23:57 56936 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-29 16:16 . 2010-06-07 23:57 10888168 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-04-29 16:16 . 2010-06-07 23:57 4513384 ----a-w- c:\windows\system32\nvcuda.dll
2012-04-29 16:16 . 2010-06-07 23:57 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-04-29 16:16 . 2010-06-07 23:57 2145896 ----a-w- c:\windows\system32\nvcuvid.dll
2012-04-29 16:16 . 2010-06-07 23:57 15764072 ----a-w- c:\windows\system32\nvoglv32.dll
2012-04-29 16:16 . 2010-06-07 23:57 232040 ----a-w- c:\windows\system32\nvcod1921.dll
2012-04-29 16:16 . 2010-06-07 23:57 232040 ----a-w- c:\windows\system32\nvcod.dll
2012-04-29 16:16 . 2010-06-07 23:57 10263144 ----a-w- c:\windows\system32\nvcompiler.dll
2012-04-29 16:16 . 2012-04-29 16:16 -------- d-----w- C:\NVIDIA
2012-04-26 23:26 . 2012-05-12 10:24 -------- d-----w- c:\program files\Microsoft Silverlight
2012-04-16 14:20 . 2012-05-07 14:12 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-07 14:12 . 2011-12-18 02:45 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 22:56 . 2012-02-01 17:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-17 18:55 . 2012-01-16 02:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-29 15:11 . 2012-04-12 10:04 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-12 10:04 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-12 10:04 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-12 10:04 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18 . 2012-04-12 10:04 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 10:04 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 10:04 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 10:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-15 18:01 . 2012-02-15 18:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 18:01 . 2012-02-15 18:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-05-12 21:55 . 2012-05-03 03:10 85432 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn\YTNavAssist.dll" [2011-07-21 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-10-11 1179648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-25 2416480]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PHOTOfunSTUDIO 5.0.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PHOTOfunSTUDIO 5.0.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 5.0.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 05:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-07 02:05 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 01:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 18:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.my.yahoo.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
FF - ProfilePath - c:\users\Robert Rantzow\AppData\Roaming\Mozilla\Firefox\Profiles\dww3028f.default\
FF - prefs.js: browser.startup.homepage - hxxp://verizon.my.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-13 13:12
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-05-13 13:21:53
ComboFix-quarantined-files.txt 2012-05-13 20:21
ComboFix2.txt 2012-05-13 16:47
ComboFix3.txt 2012-05-12 21:45
.
Pre-Run: 242,084,917,248 bytes free
Post-Run: 242,059,182,080 bytes free
.
- - End Of File - - 17818D1E45EF609FD00EC25E045C19BD
 
Finally got this and it seems it found something.
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/18/2012 at 22:34:04.
Operating System: Windows Vista (TM) Ultimate


Processes terminated by Rkill or while it was running:

C:\Windows\System32\grpconv.exe


Rkill completed on 05/18/2012 at 22:34:10.

I ran it again after this and nothing showed up. Could this be it then as posted above?
 
Please update malwarebytes to its latest definitions and do a full scan on your system instead of a quick scan and then post the results.
 
Results as follows.
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.04.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Robert Rantzow :: ROBERTRANTZO-PC [administrator]

6/4/2012 8:50:14 PM
mbam-log-2012-06-04 (20-50-14).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 345780
Time elapsed: 1 hour(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\TDSSKiller_Quarantine\07.05.2012_19.38.15\tdlfs0000\tsk0007.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\07.05.2012_19.38.15\tdlfs0001\tsk0007.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.

(end)
 
You performed the last combofix script incorrectly. You need to move the combofix file to your desktop first. Then do the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


Then I recommend doing an online scan.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file, and save the file to your desktop using a file name such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 
I have just learned that there is a problem with E-Bay redirecting to E-Bay.CN, which is the E-Bay in China. They are gathering info on the subject and don't have a clue how to remedy this. They also are not sure if it is a virus or a malfunction on their end. There is a growing discussion on the E-Bay forum, and searching the net is how I found the forum with the subject. I have contacted E-Bay 3 times so far in the last month. I guess shopping will change to Amazon for now.
 