Chiana, posted March 16, 2012:
Hi! I'm having the same problem as a few previous posters: every time I try to search on eBay, a pop-up appears asking for credit card info. As far as I know, it started yesterday. I've attached the requested scan logs, thanks for any help.
Kevin Zoll, posted March 16, 2012:
The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.
The installed version of Adobe Shockwave Player on this computer is out-dated. Install the latest version of Adobe Shockwave Player available from Adobe.
Run OTL.exe. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

:OTL
DRV - (zumbus) -- system32\DRIVERS\zumbus.sys File not found
DRV - (xpsec) -- C:\WINDOWS\system32\drivers\xpsec.sys File not found
DRV - (xcpip) -- C:\WINDOWS\system32\drivers\xcpip.sys File not found
DRV - (WDICA) -- File not found
DRV - (UIUSys) -- system32\DRIVERS\UIUSYS.SYS File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (MpKslff05689f) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04442758-5FB7-4EB6-8513-ED2C48C0C0F7}\MpKslff05689f.sys File not found
DRV - (MpKslfeb4d9ea) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{335EC394-8593-447E-BAD4-7480C05D815F}\MpKslfeb4d9ea.sys File not found
DRV - (MpKslf87c6a15) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D5B97B-B1AE-49FE-857D-102AD47C764D}\MpKslf87c6a15.sys File not found
DRV - (MpKslf62ff771) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA87D638-8EA3-4AC7-9BA5-F5336BA7D1C2}\MpKslf62ff771.sys File not found
DRV - (MpKslf4738580) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0E1FC8C9-BCD8-43AD-B371-8D95BE9E4EA3}\MpKslf4738580.sys File not found
DRV - (MpKsleed41432) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C6FBAE59-9ED6-4390-82D5-6B84963C528E}\MpKsleed41432.sys File not found
DRV - (MpKsleb33da4a) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04442758-5FB7-4EB6-8513-ED2C48C0C0F7}\MpKsleb33da4a.sys File not found
DRV - (MpKslea1feaba) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D3200C87-92ED-48C7-B813-B6580A1E1DD1}\MpKslea1feaba.sys File not found
DRV - (MpKsle0f6744a) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{407C4400-16AB-43CD-BA02-2C2872247701}\MpKsle0f6744a.sys File not found
DRV - (MpKsle0b79eea) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6DEE38E0-AF5C-4589-8E86-8C5664043EDF}\MpKsle0b79eea.sys File not found
DRV - (MpKsldc56e6a5) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{56DAC770-DF9F-4FEA-B229-40AD34075080}\MpKsldc56e6a5.sys File not found
DRV - (MpKsldbd07984) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66FF4F84-D1EA-4920-AAEC-2161C24F532B}\MpKsldbd07984.sys File not found
DRV - (MpKslda88ed3c) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF6BA535-D955-4863-8987-E98A5BF0DEF6}\MpKslda88ed3c.sys File not found
DRV - (MpKsld6ba20c2) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B06FED06-89E4-4A82-AA2C-F9924B0925CF}\MpKsld6ba20c2.sys File not found
DRV - (MpKsld35a81ba) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF13D50E-448B-40BD-9E73-9B0263FFF30F}\MpKsld35a81ba.sys File not found
DRV - (MpKsld180b078) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{43EDCF75-B80C-44D6-B86A-DC55AB5CF49A}\MpKsld180b078.sys File not found
DRV - (MpKslcc4f7e4d) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{305669F6-C306-4A05-92D0-1B3D623A5540}\MpKslcc4f7e4d.sys File not found
DRV - (MpKslc9ed75da) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6692C902-9BF2-4F86-9C4C-91DF74FCCD95}\MpKslc9ed75da.sys File not found
DRV - (MpKslc838e143) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E2145D3-2E3A-4C39-9F2C-62CDC085304D}\MpKslc838e143.sys File not found
DRV - (MpKslc706ca0b) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA002E3B-17F2-46AC-832A-B2226C35B3EA}\MpKslc706ca0b.sys File not found
DRV - (MpKslc6256c7c) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F568FF24-5E1B-4696-9F3A-762747B05243}\MpKslc6256c7c.sys File not found
DRV - (MpKslc059c944) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{027F1B67-19EF-4D37-BD0A-B136FC7831E3}\MpKslc059c944.sys File not found
DRV - (MpKslba0aea00) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2DF238C3-BE30-4EB5-B7AB-5CCB53EAC599}\MpKslba0aea00.sys File not found
DRV - (MpKslb52592bd) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEB74AA2-D911-44C3-9A20-A27737A3237A}\MpKslb52592bd.sys File not found
DRV - (MpKslb4bdd7f3) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B49782B0-CC9F-4779-AD1C-EA7000E1A5C7}\MpKslb4bdd7f3.sys File not found
DRV - (MpKslacdc997c) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6945AAE4-ECA4-447C-A232-39F7BE85617F}\MpKslacdc997c.sys File not found
DRV - (MpKsla353a317) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{917E53C0-9507-4646-A516-38BB039D4961}\MpKsla353a317.sys File not found
DRV - (MpKsla183ca0e) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8BE76901-D49C-4585-85FD-9023ECAE6864}\MpKsla183ca0e.sys File not found
DRV - (MpKsla0953c84) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A167A412-1CB4-40ED-AF63-C31DC506DFA0}\MpKsla0953c84.sys File not found
DRV - (MpKsl9f066e11) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A383D315-D36C-4B75-A4B6-78A9EA1FB426}\MpKsl9f066e11.sys File not found
DRV - (MpKsl9df0a9f4) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9E1FB779-6308-42D3-ACA3-A91D4961A687}\MpKsl9df0a9f4.sys File not found
DRV - (MpKsl9c6e9d9a) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8D6EB2F1-DAC4-4559-B1E7-012AC9072135}\MpKsl9c6e9d9a.sys File not found
DRV - (MpKsl9c1d27ae) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A2C8F67-7517-48AD-B503-4F190C1B33A5}\MpKsl9c1d27ae.sys File not found
DRV - (MpKsl965c6803) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0DA9AB10-170D-4B4E-AAA6-C89A82FECAA8}\MpKsl965c6803.sys File not found
DRV - (MpKsl9571b26b) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A2E1B0CE-ADD2-482B-AA74-2150F9DF05B2}\MpKsl9571b26b.sys File not found
DRV - (MpKsl951bc617) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{537E7A07-B8DB-4D2F-B5E9-A600C3CD807A}\MpKsl951bc617.sys File not found
DRV - (MpKsl8f4611f7) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B06FED06-89E4-4A82-AA2C-F9924B0925CF}\MpKsl8f4611f7.sys File not found
DRV - (MpKsl8e4b6f0d) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{917E53C0-9507-4646-A516-38BB039D4961}\MpKsl8e4b6f0d.sys File not found
DRV - (MpKsl8d21b091) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BD846EC-154C-4774-971F-82E5723B7C82}\MpKsl8d21b091.sys File not found
DRV - (MpKsl86c8ed96) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9E1FB779-6308-42D3-ACA3-A91D4961A687}\MpKsl86c8ed96.sys File not found
DRV - (MpKsl854cadc8) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7E76A682-D25A-45C4-B93A-1CABEF3E4437}\MpKsl854cadc8.sys File not found
DRV - (MpKsl85352746) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{407C4400-16AB-43CD-BA02-2C2872247701}\MpKsl85352746.sys File not found
DRV - (MpKsl7c3ea2d4) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A2C8F67-7517-48AD-B503-4F190C1B33A5}\MpKsl7c3ea2d4.sys File not found
DRV - (MpKsl71eb4090) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BBA14404-D1B0-43BA-93B4-6C35F8C5A071}\MpKsl71eb4090.sys File not found
DRV - (MpKsl6b7cde71) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{55B9F23E-0109-440F-837D-253D92832C98}\MpKsl6b7cde71.sys File not found
DRV - (MpKsl659972b2) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6945AAE4-ECA4-447C-A232-39F7BE85617F}\MpKsl659972b2.sys File not found
DRV - (MpKsl64c47107) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FA87D638-8EA3-4AC7-9BA5-F5336BA7D1C2}\MpKsl64c47107.sys File not found
DRV - (MpKsl61398b61) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FBB4BABC-CE1C-43F0-AFB2-0DB717F554FE}\MpKsl61398b61.sys File not found
DRV - (MpKsl60bcdca4) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62772EAE-E0C1-43B8-904B-A449A98A923C}\MpKsl60bcdca4.sys File not found
DRV - (MpKsl5c016f79) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2438E178-C5E5-4D09-90B8-365A0E5FEE90}\MpKsl5c016f79.sys File not found
DRV - (MpKsl579e5ed7) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD6D8C17-6194-4B29-BA17-B6AA0486C09D}\MpKsl579e5ed7.sys File not found
DRV - (MpKsl51c61e22) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0D5B97B-B1AE-49FE-857D-102AD47C764D}\MpKsl51c61e22.sys File not found
DRV - (MpKsl4b630135) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{27EFCADF-4BD6-4B66-B2A8-EC7CFCA57ED1}\MpKsl4b630135.sys File not found
DRV - (MpKsl47259511) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5C466EB-AD5F-4A29-8FB8-E3A6FBE3BF0E}\MpKsl47259511.sys File not found
DRV - (MpKsl40513cdc) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ED40DFF4-4FAD-4C64-AF75-3E9E65E0FC1B}\MpKsl40513cdc.sys File not found
DRV - (MpKsl2998f019) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C54A3E2C-8F1F-46D5-9862-E6FA176270F1}\MpKsl2998f019.sys File not found
DRV - (MpKsl27d5938d) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1C68DBDF-E1F5-4307-B6D8-DE84E3FD1F7A}\MpKsl27d5938d.sys File not found
DRV - (MpKsl25c45f5c) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EAF645DE-7C99-4C0E-8AB3-9A18AC0447DF}\MpKsl25c45f5c.sys File not found
DRV - (MpKsl250a2e8a) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{345DCA11-BF34-4218-8D1B-0A62C52184B1}\MpKsl250a2e8a.sys File not found
DRV - (MpKsl1b3b5122) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{027F1B67-19EF-4D37-BD0A-B136FC7831E3}\MpKsl1b3b5122.sys File not found
DRV - (MpKsl17f7324a) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AD6D8C17-6194-4B29-BA17-B6AA0486C09D}\MpKsl17f7324a.sys File not found
DRV - (MpKsl154de407) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{73BC756A-E953-43AA-BED2-CF9631F5E56C}\MpKsl154de407.sys File not found
DRV - (MpKsl14028395) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC1EB3E7-3371-43D6-BBDD-DCC8E5732F79}\MpKsl14028395.sys File not found
DRV - (MpKsl129e6628) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A92711C-94FD-4CF7-9E56-00BCFD8CA9CF}\MpKsl129e6628.sys File not found
DRV - (MpKsl0cf1416b) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CD504E3E-EEE7-4487-81C8-A2B851D11790}\MpKsl0cf1416b.sys File not found
DRV - (MpKsl0a0df688) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EC61370C-9D9F-49C2-804B-FA9A6A31FDD0}\MpKsl0a0df688.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (jqeeh.sys) -- C:\WINDOWS\system32\drivers\jqeeh.sys File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
O4 - HKCU..\Run: [] File not found
O33 - MountPoints2\{5047fad2-276c-11df-a277-0016415caae7}\Shell - "" = AutoRun
O33 - MountPoints2\{5047fad2-276c-11df-a277-0016415caae7}\Shell\AutoRun\command - "" = E:\Startme.exe
[7 C:\Documents and Settings\Mtailda\Mina dokument\*.tmp files -> C:\Documents and Settings\Mtailda\Mina dokument\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[14 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
:Commands
[Purity]
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]

Then click the Run Fix button at the top. Let the program run unhindered, reboot when it is done.
Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Chiana, posted March 17, 2012:
I'm having some trouble with OTL. At first it seemed to start running the fix, but then it stopped responding and the whole computer froze and I had to reboot. I tried a couple more times, and those times everything froze as soon as I clicked Run Fix. After the first reboot, a file called Thumb.db appeared on my desktop (but it was apparently created sometime last year so I don't really know if it's relevant, but thought it was worth mentioning). What should I do? Thanks
Kevin Zoll, posted March 17, 2012:
I have edited the fix in my previous post. Run the edited fix.
Chiana, posted March 18, 2012:
The same thing still happens. :/ I also tried redownloading OTL, but it still stops responding when I click Run Fix, the taskbar and desktop icons disappear, everything freezes. I don't know what I'm doing wrong. I reran the EEK and OTL scans (scanning works, just not the fix running) and have attached the logs, hopefully they can help.
Kevin Zoll, posted March 18, 2012:
Download ComboFix from one of these locations (Link 1, Link 2). Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
* IMPORTANT !!! Save Combo-Fix to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
When finished, ComboFix will produce a log.
Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
Attach logs for: ComboFix (C:\combofix.txt). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Chiana, posted March 18, 2012:
ComboFix seemed to run fine, here's the log.
Kevin Zoll, posted March 19, 2012:
Now we need to use ComboFix to remove some stuff.
Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it! If it is not on your Desktop, the below will not work.
Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):

KillAll::
Driver::
MpKsl0a0df688
MpKsl0cf1416b
MpKsl129e6628
MpKsl14028395
MpKsl154de407
MpKsl17f7324a
MpKsl1b3b5122
MpKsl250a2e8a
MpKsl25c45f5c
MpKsl27d5938d
MpKsl2998f019
MpKsl40513cdc
MpKsl47259511
MpKsl4b630135
MpKsl51c61e22
MpKsl579e5ed7
MpKsl5c016f79
MpKsl60bcdca4
MpKsl61398b61
MpKsl64c47107
MpKsl659972b2
MpKsl6b7cde71
MpKsl71eb4090
MpKsl7c3ea2d4
MpKsl85352746
MpKsl854cadc8
MpKsl86c8ed96
MpKsl8d21b091
MpKsl8e4b6f0d
MpKsl8f4611f7
MpKsl951bc617
MpKsl9571b26b
MpKsl965c6803
MpKsl9c1d27ae
MpKsl9c6e9d9a
MpKsl9df0a9f4
MpKsl9f066e11
MpKsla0953c84
MpKsla183ca0e
MpKsla353a317
MpKslacdc997c
MpKslb4bdd7f3
MpKslb52592bd
MpKslba0aea00
MpKslc059c944
MpKslc6256c7c
MpKslc706ca0b
MpKslc838e143
MpKslc9ed75da
MpKslcc4f7e4d
MpKsld180b078
MpKsld35a81ba
MpKsld6ba20c2
MpKslda88ed3c
MpKsldbd07984
MpKsldc56e6a5
MpKsle0b79eea
MpKsle0f6744a
MpKslea1feaba
MpKsleb33da4a
MpKsleed41432
MpKslf4738580
MpKslf62ff771
MpKslf87c6a15
MpKslfeb4d9ea
MpKslff05689f
jqeeh.sys
File::
c:\windows\system32\drivers\jqeeh.sys

Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe.
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
You should have both the ComboFix.exe and CFScript.txt icons on your Desktop. Now use your mouse to drag CFScript.txt on top of ComboFix.exe. Follow the prompts.
When it finishes, a log will be produced named c:\combofix.txt. I will ask for this log below.
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.
The ComboFix folder should not be renamed since ComboFix, and even we, would have suspicions about it. Also, when you uninstall CF, the folder would not be removed since it does not look for that folder name.
Attach the log from ComboFix.
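The two fix scripts above are built by hand from the OTL scan: every "File not found" DRV entry is a service key whose driver image no longer exists, and the MpKsl* names are stale Microsoft Antimalware definition-update drivers that should have been cleaned up automatically. As an added example (not code from the thread or from either tool), the Python below parses constructed OTL-style lines in the same layout, separates the stale MpKsl* entries from orphaned drivers still registered under system32\drivers and other leftovers, flags MountPoints2 autorun commands that launch from a drive other than C:, and renders the matching CFScript Driver::/File:: sections. The name pattern, the classification rules and the sample lines are my assumptions modelled on the posts above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of OTL's "File not found" and O33 lines.
# Names are taken from the thread; the Tcpip line is a constructed filler in a
# made-up layout, present only to show that non-orphan lines are ignored.
SAMPLE_OTL = r"""
DRV - (zumbus) -- system32\DRIVERS\zumbus.sys File not found
DRV - (MpKslff05689f) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{04442758-5FB7-4EB6-8513-ED2C48C0C0F7}\MpKslff05689f.sys File not found
DRV - (jqeeh.sys) -- C:\WINDOWS\system32\drivers\jqeeh.sys File not found
DRV - (WDICA) -- File not found
DRV - (Tcpip) -- C:\WINDOWS\system32\drivers\tcpip.sys (present, constructed)
O4 - HKCU..\Run: [] File not found
O33 - MountPoints2\{5047fad2-276c-11df-a277-0016415caae7}\Shell - "" = AutoRun
O33 - MountPoints2\{5047fad2-276c-11df-a277-0016415caae7}\Shell\AutoRun\command - "" = E:\Startme.exe
"""


@dataclass(frozen=True)
class OrphanDriver:
    name: str   # service key name as OTL prints it, e.g. MpKslff05689f or jqeeh.sys
    path: str   # image path the registry still points at ("" when OTL shows none)


@dataclass(frozen=True)
class AutoRunCommand:
    guid: str     # MountPoints2 volume GUID
    command: str  # what Explorer would launch when that volume is opened


# "DRV - (name) -- <optional path> File not found"; path is lazy so it may be empty.
DRV_ORPHAN = re.compile(r'^DRV - \((?P<name>[^)]+)\) -- (?P<path>.*?)\s*File not found$')
O33_COMMAND = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# Assumption: stale definition-update drivers are always MpKsl + 8 hex digits.
STALE_DEFUPDATE = re.compile(r'^MpKsl[0-9a-f]{8}$')
# Absolute path under the system drivers directory (case-insensitive).
DRIVERS_DIR = re.compile(r'^[a-z]:\\windows\\system32\\drivers\\', re.IGNORECASE)


def parse_otl(text):
    """Return (orphan drivers, autorun commands) found in OTL-style text."""
    drivers, autoruns = [], []
    for line in text.splitlines():
        line = line.strip()
        m = DRV_ORPHAN.match(line)
        if m:
            drivers.append(OrphanDriver(m['name'], m['path']))
            continue
        m = O33_COMMAND.match(line)
        if m:
            autoruns.append(AutoRunCommand(m['guid'], m['cmd']))
    return drivers, autoruns


def classify(drivers):
    """Bucket orphans the way the helper did: stale MpKsl* keys, orphans whose
    image lived under system32\\drivers, and everything else (left to OTL)."""
    buckets = {'stale_defupdate': [], 'orphan_in_drivers_dir': [], 'other_orphan': []}
    for d in drivers:
        if STALE_DEFUPDATE.match(d.name):
            buckets['stale_defupdate'].append(d)
        elif DRIVERS_DIR.match(d.path):
            buckets['orphan_in_drivers_dir'].append(d)
        else:
            buckets['other_orphan'].append(d)
    return buckets


def build_cfscript(buckets):
    """Render a CFScript: Driver:: removes the service keys, File:: the leftover
    image paths, mirroring the KillAll::/Driver::/File:: layout in the post."""
    to_remove = buckets['stale_defupdate'] + buckets['orphan_in_drivers_dir']
    lines = ['KillAll::', 'Driver::'] + [d.name for d in to_remove]
    paths = [d.path for d in buckets['orphan_in_drivers_dir'] if d.path]
    if paths:
        lines.append('File::')
        lines.extend(paths)
    return '\n'.join(lines) + '\n'


def non_system_drive_autoruns(autoruns):
    """Autorun commands that launch from somewhere other than C:, like the
    E:\\Startme.exe entry OTL found on the poster's machine."""
    return [a for a in autoruns if not a.command.lower().startswith('c:\\')]


if __name__ == '__main__':
    drivers, autoruns = parse_otl(SAMPLE_OTL)
    buckets = classify(drivers)
    for bucket, entries in buckets.items():
        print(bucket, [d.name for d in entries])
    for a in non_system_drive_autoruns(autoruns):
        print('review autorun', a.guid, '->', a.command)
    print(build_cfscript(buckets))
```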
Chiana, posted March 19, 2012:
ComboFix has been running for more than six hours, but it's still not past the screen saying it's searching for infected files and that it should take 10 mins or double etc. I haven't clicked it or anything (I'm on a different computer). It hasn't said anything about completing any stages like it did when I ran the scan, but the cursor is still blinking... Is this normal? Is it doing something or is it just not working?
Kevin Zoll, posted March 19, 2012:
OK, boot to Safe Mode and run the fix.
Chiana, posted March 20, 2012:
Yep, that got it running. Got a pop-up about an infection and one about a rootkit, then it rebooted and ran through the stages and produced the log.
Kevin Zoll, posted March 20, 2012:
That's better. Read carefully and follow these steps.
1. Download TDSSKiller and save it to your Desktop.
2. Double-click on TDSSKiller.exe to run the application.
3. Click Change parameters.
4. Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
5. Click on the Start Scan button to begin the scan and wait for it to finish. NOTE: Do not use the computer during the scan! During the scan it will look similar to the image below:
6. When it finishes, you will either see a report that no threats were found like below: If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
7. If any infection or suspected items are found, you will see a window similar to below: If you have files that are shown to fail signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all. If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip. If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects. Make sure that Cure is selected. Important! If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
8. Click Continue to apply selected actions.
9. A reboot may be required to complete disinfection. A window like the below will appear: Reboot immediately if TDSSKiller states that one is needed.
10. Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and date and time run.
11. Attach this log to your next reply.
Chiana, posted March 21, 2012:
Here's the log. It found a whole bunch of things.
Chiana, posted March 21, 2012:
By the way, is there any way to know how long that Sinowal thing has been there or what information it has gotten hold of? Will I need to change passwords and stuff like that?
Kevin Zoll, posted March 21, 2012:
All the UnsignedFile.Multi.Generic detections can be ignored. Rarely is a generic detection something that needs to be addressed. We've dealt with the major part of the infection, now to finish cleaning up.
1. Download Farbar Service Scanner and run it on the computer with the issue.
2. Make sure the following options are checked: Internet Services, Windows Firewall, System Restore, Security Center, Windows Update.
3. Press "Scan".
4. It will create a log (FSS.txt) in the same directory the tool is run.
5. Please attach the log to your reply.
Chiana, posted March 22, 2012:
Here's the log.
Kevin Zoll, posted March 23, 2012:
Run Farbar Service Scanner. Type the following in the edit box after "Search:":
dhcpcsvc.dll; dnsrslvr.dll; ipnathlp.dll; netman.dll; WMIsvc.dll; srsvc.dll; sr.sys; wscsvc.dll; WMIsvc.dll; wuauserv.dll; qmgr.dll; es.dll; cryptsvc.dll; svchost.exe; rpcss.dll; services.exe
Click the Search Files button and attach the log (FSS.txt) it makes to your reply.
Chiana, posted March 23, 2012:
The computer is being exceptionally slow today, it takes ages for it to actually open anything I click. Anyway, I managed to start FSS after a while, here's the log.
Kevin Zoll, posted March 24, 2012:
The md5sum matches for those files. Do a fresh scan with OTL and attach the new OTL scan log.
Chiana, posted March 24, 2012:
Voilà! A fresh OTL scan log.
Kevin Zoll, posted March 24, 2012:
Run OTL.exe. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

:OTL
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
DRV - (zumbus) -- system32\DRIVERS\zumbus.sys File not found
DRV - (xpsec) -- C:\WINDOWS\system32\drivers\xpsec.sys File not found
DRV - (WDICA) -- File not found
DRV - (UIUSys) -- system32\DRIVERS\UIUSYS.SYS File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\Combo-Fix\catchme.sys File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
:Commands
[Purity]
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]

Then click the Run Fix button at the top. Let the program run unhindered, reboot when it is done.
Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Chiana, posted March 25, 2012:
The same thing happened as before with the other OTL fix. It seems to start fine, then nothing happens. I let it sit for a few hours, but still nothing. It just stops responding. The antivirus program was deactivated when I tried running the fix, so I don't know what could be interfering with OTL.
Kevin Zoll, posted March 26, 2012:
OK, boot to Safe Mode and run the fix.
Chiana, posted March 26, 2012:
That worked! Here's the log.
Kevin Zoll, posted March 26, 2012:
Run fresh scans with Emsisoft and OTL, attach the fresh logs to your next reply. How are things running?
Chiana, posted March 27, 2012:
The computer has been super slow since the FSS scan, but maybe that's something that will improve after I uninstall that program? Other than that, I just checked eBay and the pop-up is gone! So in that regard things are running great. Thank you so much.
Kevin Zoll, posted March 27, 2012:
Is Keyboard Guardian something you installed on your computer?
Chiana, posted March 27, 2012:
No, it's not. I don't know what it is. Was that the "medium risk" threat that EEK found? I've been wondering about that one.
Kevin Zoll, posted March 27, 2012:
Keyboard Guardian is a key logger that someone had to install on the computer. Uninstall Keyboard Guardian via Add/Remove Programs.
Chiana, posted March 28, 2012:
I can't find it in the list of programs. Could it be hidden somehow? I searched for the name it had in the EEK log, which was a .lnk file located in the folder with recently used documents, and it appears to at one point have been a .jpg that now no longer exists but I guess still has a shortcut in that folder. Maybe that other file just happened to be named the same thing. Or is it the key logger program being sneaky?
Kevin Zoll, posted March 28, 2012:
Well, let's see if we can figure out where the key logger is hiding.
Download ISeeYouXP by ShadowPuterDude.
Double-click ISeeYouXP.exe; ISeeYouXP will be extracted to C:\ISeeYouXP, and a shortcut to ISeeYouXP.bat will be placed on the Desktop.
Double-click the ISeeYouXP shortcut to run ISeeYouXP.
Possible Error Messages
If your ISeeYouXP.txt log appears to be empty or semi-empty, or you get an error message similar to the one below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS:
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.
To fix the above error message, choose the download below which is appropriate for your system:
For Windows XP Pro: download and run XPproFix
For Windows XP Home: download and run XPHomeFix
For Windows 2000: download and run W2KFix
Then run ISeeYouXP.bat again and attach the log.
A possible second type of error message may occur, as shown in the quote box below. If you get either of these two messages, perform the Resolution steps given in: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
16 bit MS-DOS Subsystem drive:\program path XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.
-or-
16 bit MS-DOS Subsystem drive:\program path SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.
After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.
IMPORTANT NOTE: Vista Users: UAC must be turned off to run this script.
Turning Off/On UAC in Vista
1. Open the Control Panel.
2. Under User Account and Family settings click on the "Add or remove user account".
3. Click on your user account.
4. Under the user account click on the "Go to the main User Account page" link.
5. Under "Make changes to your user account" click on the "Change security settings" link.
6. In the "Turn on User Account Control (UAC) to make your computer more secure" click to unselect the "Use User Account Control (UAC) to help protect your computer". Click on the Ok button.
7. You will be prompted to reboot your computer. Do so.
In order to re-enable UAC just select the above checkbox and reboot.
To run ISeeYouXP, right-click on the batch file and select "Run as Administrator".
Attach the ISeeYouXP log (it will be on the Desktop) to your next reply.
Chiana (Author) Posted March 29, 2012

I didn't get any error message, but I also didn't get a log. The program finished its scan and said the log would be on the desktop, but it's not there, nor is it in the ISeeYouXP folder. Should I try the XPHomeFix, or is this a different kind of error?
Kevin Zoll Posted March 29, 2012

Try running ISeeYouXP in Safe Mode.
Chiana (Author) Posted March 30, 2012

That didn't work either. But I think I know what the problem is: my computer is in Swedish. I took a closer look at the scan window, and under the *** Building Report *** headline it says something along the lines of "The file path could not be found". I'm guessing it doesn't know where to save the log because "Desktop" is "Skrivbord" on my computer. Have I understood correctly that the KG file that EEK found is in the folder with shortcuts to recently used documents? Maybe I could try deleting all the files in that folder, and then maybe KG will go away?
Kevin Zoll Posted March 30, 2012

OK, I know what the issue is with ISeeYouXP. Look in C:\ISeeYouXP and locate GetUnKeys.bat. Double-click it to run it. The log will be at C:\GetUnKey.txt. Notepad will also open with the log. Attach GetUnKey.txt.
Chiana (Author) Posted March 30, 2012

Here's the log.
Kevin Zoll Posted March 30, 2012

Keyboard Guardian doesn't appear to be installed. You can have Emsisoft delete c:\documents and settings\mtailda\recent\kg.lnk
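The file that triggered the scanner here is a Windows shortcut (a Shell Link, .lnk) in the Recent folder whose target no longer exists. Rather than judging such a file by its name, a practitioner reads it: the MS-SHLLINK structures record the target path, the target's size and timestamps at the time the shortcut was made, and any command-line arguments, all without executing anything. The script below is an added example and is not code from the thread, from Emsisoft, or from any tool used above. It parses the header, LinkInfo and StringData sections with the standard library only, then reports whether the target still exists, whether it points at an executable, and whether it carries arguments (the last two are the classic shortcut-lure pattern rather than what a stale document shortcut looks like). The sample shortcut, its target path under an "example" profile and its timestamps are constructed for the example; build_lnk is a test helper that writes one minimal layout, and real shortcuts usually also carry an ID list, which the parser skips.

```python
"""Triage a Windows .lnk (Shell Link) without opening it: recover the target path,
timestamps and arguments from the MS-SHLLINK structures and check if the target exists."""
import os
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader, 76 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData sections follow in this fixed order.
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
STRING_SECTIONS = ((1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                   (1 << 5, "arguments"), (1 << 6, "icon_location"))
STRING_FLAG = {key: flag for flag, key in STRING_SECTIONS}
# A "document" shortcut in the Recent folder should never point at one of these.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".pif", ".com"}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _cstring(buf, off):
    """NUL-terminated single-byte string; LinkInfo paths use the ANSI code page."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def _counted_string(buf, off, is_unicode):
    """StringData entry: UINT16 CountCharacters followed by that many characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    width = 2 if is_unicode else 1
    text = buf[off:off + count * width].decode("utf-16-le" if is_unicode else "cp1252")
    return text, off + count * width


def parse_lnk(buf):
    """Parse the fields needed for triage; raise ValueError if buf is not a Shell Link."""
    (hdr_size, clsid, flags, _attrs, ctime, _atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, buf, 0)
    if hdr_size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:  # skip it: UINT16 IDListSize + that many bytes
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    target = None
    if flags & HAS_LINK_INFO:
        (info_size, _hdr, info_flags, _vol_off, base_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<7I", buf, off)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: LocalBasePath + CommonPathSuffix
            target = _cstring(buf, off + base_off) + _cstring(buf, off + suffix_off)
        off += info_size
    info = {"target": target, "target_size": size,
            "created": filetime_to_datetime(ctime), "modified": filetime_to_datetime(wtime)}
    for flag, key in STRING_SECTIONS:
        if flags & flag:
            info[key], off = _counted_string(buf, off, bool(flags & IS_UNICODE))
    return info


def triage_lnk(buf, exists=os.path.exists):
    """Verdict for one .lnk: where it points and whether that deserves a closer look."""
    info = parse_lnk(buf)
    target = info["target"] or info.get("relative_path") or ""
    ext = os.path.splitext(target.replace("\\", "/"))[1].lower()  # Windows path on any host
    return {"target": target,
            "target_exists": bool(target) and exists(target),
            "executable_target": ext in EXECUTABLE_EXTS,
            "has_arguments": bool(info.get("arguments")),
            "created": info["created"], "modified": info["modified"]}


def build_lnk(target, relative_path, working_dir, arguments="", ctime=0, wtime=0, size=0):
    """Construct a minimal .lnk (LinkInfo + StringData, no IDList) for offline testing."""
    flags = HAS_LINK_INFO | STRING_FLAG["relative_path"] | STRING_FLAG["working_dir"] | IS_UNICODE
    if arguments:
        flags |= STRING_FLAG["arguments"]
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID.bytes_le, flags, 0x20,
                         ctime, ctime, wtime, size, 0, 1, 0, 0, 0, 0)
    # VolumeID: size 0x11, DriveType 3 (fixed), serial, VolumeLabelOffset 0x10, empty label.
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    vol_off = 0x1C  # LinkInfoHeaderSize; the VolumeID follows the header directly
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x1, vol_off,
                            base_off, 0, suffix_off) + volume_id + base + suffix

    def counted(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    string_data = counted(relative_path) + counted(working_dir)
    if arguments:
        string_data += counted(arguments)
    return header + link_info + string_data + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed sample: a Recent-folder shortcut to a JPEG that has since been deleted.
SAMPLE_TARGET = r"C:\Documents and Settings\example\My Documents\kg.jpg"
SAMPLE_LNK = build_lnk(SAMPLE_TARGET, r"..\My Documents\kg.jpg",
                       r"C:\Documents and Settings\example\My Documents",
                       ctime=129765000000000000, wtime=129765000000000000, size=48213)

if __name__ == "__main__":
    for key, value in triage_lnk(SAMPLE_LNK, exists=lambda p: False).items():
        print(f"{key}: {value}")
```

On a real system you would read each file in the Recent folder and pass its bytes to triage_lnk with the default exists check; a missing .jpg target with no arguments is the harmless stale-shortcut case seen in this thread, while an existing target with an executable extension or with arguments is what to escalate.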
Chiana (Author) Posted March 31, 2012

It's now been deleted. Does everything else look OK?
Kevin Zoll Posted March 31, 2012

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

- Download OTC to your desktop and run it.
- A list of tool components used in the cleanup of malware will be downloaded.
- If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
- Click Yes to begin the cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine, choose Yes.

Delete the following from your Desktop (if they exist):
- CFscript.txt
- ISeeYouXP.exe
- ISeeYouXP.lnk
- ISeeYouXP.txt
- TDSSKiller.exe
- Anything else I had you use

Delete the following files (if they exist):
- C:\ComboFix.txt

Delete the following folders (if they exist):
- C:\ComboFix
- C:\Qoobox

Empty the Recycle Bin.

Download to your Desktop: CCleaner Portable
- UnZip CCleaner Portable to a folder on your Desktop named CCleaner.
- Run CCleaner: open the CCleaner folder on your Desktop and double-click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit).
- The following should be selected by default; if not, please select them. Click and choose Uncheck. Then go back to and click to run it.
- Exit CCleaner.

Turn off System Restore to flush all your restore points, then turn System Restore back on. See How To Enable and Disable System Restore.

Inside the ISeeYouXP folder, locate and double-click HideIT.bat (C:\ISeeYouXP\HideIT.bat). This will return viewing of Hidden and System Files and Folders to the default settings. Then delete C:\ISeeYouXP.

You can delete and uninstall any programs I had you download that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:
- How to Protect Your Computer From Malware
- How to keep you and your Windows PC happy
- Web, email, chat, password and kids safety
- 10 Sources of Malware Infections

That should take care of everything. Safe Surfing!
Chiana (Author) Posted April 1, 2012

Thank you so much for all your time and help!
Kevin Zoll Posted April 2, 2012

Thread Closed. Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.