ebay redirect on sign in

I've been reading through this forum and I have not found an answer, so I thought I would post here. I support PC's for a living, but don't know anything about Hijackthis, so...
Everytime in IE7 when I go to ebay and signin, it redirects me to <https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1>

I've rebooted in safe mode, ran malwarebytes and superantispyware and have not found a single issue to point a finger at. However, upon reentering my password and id on ebay, the same redirect page pops up.
I've already changed my passwords, I know I have to do it again, I won't log onto ebay via IE7 until this issue is resolved. Please tell me what you need from me. I've installed Hijack this, but I honestly don't know how to use it.
I'm at work now, but can post up logs of whatever you need me to around 5:30pm Eastern time.
Thank you in advance for your help.

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAB.

• Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
• Click on the log name to highlight it.
• Go to the bottom and click on Open.
• The log should automatically open in notepad as a text file.
• Go to Edit and choose Select all.
• Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
• Come back to this thread, click Add Reply, then right-click and choose Paste.
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link

• Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download hosts.zip and save it to your Desktop.

• Extract (unzip) the file to its own folder C:\hosts. (Click here for information on how to do this if not sure.)
• Open up the hosts folder and double-click on the mvps.bat file.
• The script will rename your present HOSTS file to HOSTS.MVP and copy the new HOSTS file to the correct location on your system.
• You can read more about what we are doing in Blocking Unwanted Parasites with a Hosts File.
  Note: You may have to overwrite the hosts file in "Safe Mode" if you get "an access denied message" when trying to do it in normal mode.

MVPS HOSTS File Install Instructions with screenshots if you need them.
Hosts File FAQ

Please download and scan with Dr.Web CureIt.
Follow the instructions here for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.

Malwarebytes' Anti-Malware 1.35
Database version: 1915
Windows 5.1.2600 Service Pack 3

3/29/2009 6:09:08 PM
mbam-log-2009-03-29 (18-09-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 253603
Time elapsed: 3 hour(s), 0 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I started to run Dr Web Cure It in normal mode (been a long day), restarted in safe mode, it found a couple of items during it's initial run, but found nothing in safe mode. I did notice they were in the MBR, which worries me.
I ran it again in normal mode and it found this:


Please let me know what you think my next steps should be. I am not using IE7 again.

Please download mbr.exe and save it to your desktop.

• Double-click on mbr.exe and allow it to run. (If asked about "mbr.sys" service being created, please allow)
• A "DOS" box will open and quickly disappear. That is normal.
• A log file named mbr.log will be created on the desktop.
• Copy and paste the results of the mbr.log in your next reply.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x57541440 size 0x1c2 !
copy of MBR has been found in sector 62 !


This doesn't look like good news. I read through the forums and I tried to run it with the -f switch and it didn't do anything, unless that needs to be run in DOS. Thank you again for your help. Please let me know what my next step should be.

Go to Start > Run and type: cmd
press Ok.
At the command prompt, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

Restart the computer normally, run mbr.exe again and copy/paste the results of the mbr.log in your next reply.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x57541440 size 0x1c2 !
copy of MBR has been found in sector 62 !



Nothing's changed. I am really getting scared that I am going to have to reformat. I do have Hijackthis on my system if you want me to use that

Did you reboot the first time after trying mbr.exe -f? If not the next report can show a false detection. That's why its important to follow directions when someone is assiting you and now try doing other things on your own.

Rescan with DrWebCureIt and see if its still being detected.

I followed your directions exactly. I ran mbr.exe -f, exited out of the DOS prompt, rebooted, reran mbr.exe and posted the log. Reran DrWebCureIt and it came back clean, this was in normal mode, express scan. I do appreciate all the help you have given. How can I be 100% sure I'm clean? I was thinking about making a 'fake' ebay account with secondary email address.

I was referring to your running the tool before following my directions. As I said, if you don't reboot after running it (which I suspect was the case), subsequent runs will indicate false detections when that is not the case. If Dr.Web came up clean and you are no longer getting the ebay redirects, sounds like you're good to go.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Very, very appreciated. Thank you very much. I will create a new system restore point when I get home tonight.

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe and secure on the Internet.
• Your Guide To Staying Safe Online.
• Hardening Windows Security - Part 1 & Part 2.
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

• Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• USB-Based Malware Attacks.
• When is AUTORUN.INF really an AUTORUN.INF?.
• Please disable Autorun asap!.

Many security experts recommend disabling this feature as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

Edited by quietman7, 01 April 2009 - 07:50 AM.