jeepbug

Members
  • Content Count

    22
  • Joined

  • Last visited

Community Reputation

0 Neutral

About jeepbug

  • Rank
    Member
  1. [quote name='CeciliaB' post='126099' date='Apr 14 2011, 11:50 AM']Hi jeepbug, The MBAM log only changed the settings regarding if Windows Security Center should display messages when the antivirus program, firewall or Windows Update isn't running. That alone is not an indication of an infection. Which version of Ad-Aware do you have? Have Ad-Aware opened up before? Did you install, uninstall or update anything last time Ad-Aware worked?[/quote] we have ad aware anniversary edition. we havent installed uninstalled or updated anything,
  2. [quote name='jeepbug' post='126092' date='Apr 14 2011, 09:47 AM']our adaware will not open up, it is saying it was shut down unexpetedly. we are unable to open up adaware as it says that it sending a report to adaware. any advise?[/quote] dont know if this helps but here is the log that we have from Malwarebytes
  3. our adaware will not open up, it is saying it was shut down unexpetedly. we are unable to open up adaware as it says that it sending a report to adaware. any advise?
  4. [quote name='CeciliaB' post='125449' date='Mar 9 2011, 04:28 PM']Cookies are small text files and they are never dangerous for the computer. When you visit web sites, they often store a cookie in the computer to be able to recognize you when you return the next time. Advertisement companies are interested in keeping track of what ads you have seen and clicked on and doing so by storing a cookie in the computer. Ad-Aware and some other security programs remove the tracking cookies since they consider that behaviour to be spying. In short, cookies are stored in the computer by most web sites. They are not dangerous but it is good to remove them now and then to protect your privacy. To improve Ad-Aware I want to send the files that ComboFix removed to Lavasoft. Do you know how to zip (pack) a folder or do you need a description? I want you to zip the C:\Qoobox folder and send it to me, for example by uploading the zip file to [url="http://sprend.com/?r=0kAe0"]http://sprend.com/?r=0kAe0[/url] and send the link to the uploaded file in a PM to me.[/quote] not sure if this is the correct file that you needed, please let us know. thanks
  5. [quote name='CeciliaB' post='125442' date='Mar 9 2011, 01:53 PM']What type of stuff does Ad-Aware find? You can post an Ad-Aware log if you want.[/quote] these are the items, Logfile created: 3/9/2011 14:06:59 Ad-Aware version: 9.0.2 Extended engine: 3 Extended engine version: 3.1.2770 User performing scan: Admin *********************** Definitions database information *********************** Lavasoft definition file: 150.314 Genotype definition file version: 2011/03/07 08:12:44 Extended engine definition file: 8637.0 ******************************** Scan results: ********************************* Scan profile name: Smart Scan (ID: smart) Objects scanned: 8624 Objects detected: 5 Type Detected ========================== Processes.......: 0 Registry entries: 0 Hostfile entries: 0 Files...........: 0 Folders.........: 0 LSPs............: 0 Cookies.........: 5 Browser hijacks.: 0 MRU objects.....: 0 Removed items: Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0 Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0 Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0 Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0 Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0 Scan and cleaning complete: Finished correctly after 66 seconds *********************************** Settings *********************************** Scan profile: ID: smart, enabled:1, value: Smart Scan ID: folderstoscan, enabled:1, value: ID: useantivirus, enabled:1, value: true ID: sections, enabled:1 ID: scancriticalareas, enabled:1, value: true ID: scanrunningapps, enabled:1, value: true ID: scanregistry, enabled:1, value: true ID: scanlsp, enabled:1, value: true ID: scanads, enabled:1, value: false ID: scanhostsfile, enabled:1, value: false ID: scanmru, enabled:1, value: false ID: scanbrowserhijacks, enabled:1, value: true ID: scantrackingcookies, enabled:1, value: true ID: closebrowsers, enabled:1, value: false ID: filescanningoptions, enabled:1 ID: archives, enabled:1, value: false ID: onlyexecutables, enabled:1, value: true ID: skiplargerthan, enabled:1, value: 20480 ID: scanrootkits, enabled:1, value: true ID: rootkitlevel, enabled:1, value: strict, domain: medium,mild,strict ID: usespywareheuristics, enabled:1, value: true Scan global: ID: global, enabled:1 ID: addtocontextmenu, enabled:1, value: true ID: playsoundoninfection, enabled:1, value: false ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav Scheduled scan settings: ID: back, enabled:1, value: back ID: time, enabled:1, value: Tue Jan 11 13:50:01 2011 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: smart ID: auto_deal_with_infections, enabled:1, value: true Update settings: ID: updates, enabled:1 ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: schedules, enabled:1, value: true ID: updatedaily1, enabled:1, value: Daily 1 ID: time, enabled:1, value: Mon May 10 09:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updatedaily2, enabled:1, value: Daily 2 ID: time, enabled:1, value: Mon May 10 15:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updatedaily3, enabled:1, value: Daily 3 ID: time, enabled:1, value: Mon May 10 21:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updatedaily4, enabled:1, value: Daily 4 ID: time, enabled:1, value: Mon May 10 03:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updateweekly1, enabled:1, value: Weekly ID: time, enabled:1, value: Mon May 10 09:17:00 2010 ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: true ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: true ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false Appearance settings: ID: appearance, enabled:1 ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource ID: showtrayicon, enabled:1, value: true ID: autoentertainmentmode, enabled:1, value: true ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language Realtime protection settings: ID: realtime, enabled:1 ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant ID: modules, enabled:1 ID: processprotection, enabled:1, value: true ID: onaccessprotection, enabled:1, value: true ID: registryprotection, enabled:1, value: true ID: networkprotection, enabled:1, value: true ID: layers, enabled:1 ID: useantivirus, enabled:1, value: true ID: usespywareheuristics, enabled:1, value: true ID: maintainbackup, enabled:1, value: true ****************************** System information ****************************** Computer name: PC2BACK Processor name: Intel® Pentium® Dual CPU E2220 @ 2.40GHz Processor identifier: x86 Family 6 Model 15 Stepping 13 Processor speed: ~2393MHZ Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2] Physical memory available: 2306064384 bytes Physical memory total: 3184435200 bytes Virtual memory available: 1817571328 bytes Virtual memory total: 2147352576 bytes Memory load: 27% Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Windows startup mode: Running processes: PID: 676 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY PID: 740 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY PID: 764 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY PID: 808 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY PID: 820 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY PID: 1000 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1068 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 1164 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1212 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 1296 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 1440 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY PID: 1560 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 1732 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY PID: 1976 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1912 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 264 name: C:\WINDOWS\RTHDCPL.EXE owner: Admin domain: PC2BACK PID: 1808 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Admin domain: PC2BACK PID: 332 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Admin domain: PC2BACK PID: 328 name: C:\Program Files\EzDental\SystemTray.exe owner: Admin domain: PC2BACK PID: 940 name: C:\Program Files\EzDental\eSyncReminder.exe owner: Admin domain: PC2BACK PID: 552 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Admin domain: PC2BACK PID: 628 name: C:\Program Files\EzDental\WebSyncReminder.exe owner: Admin domain: PC2BACK PID: 3296 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Admin domain: PC2BACK PID: 3700 name: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe owner: Admin domain: PC2BACK PID: 2728 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 2292 name: C:\WINDOWS\explorer.exe owner: Admin domain: PC2BACK PID: 3004 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Admin domain: PC2BACK PID: 3220 name: C:\WINDOWS\system32\ctfmon.exe owner: Admin domain: PC2BACK PID: 3240 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Admin domain: PC2BACK PID: 3536 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY PID: 3876 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY PID: 3612 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY PID: 3760 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Admin domain: PC2BACK PID: 4052 name: C:\WINDOWS\system32\wscntfy.exe owner: Admin domain: PC2BACK PID: 3684 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Admin domain: PC2BACK PID: 968 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Admin domain: PC2BACK Startup items: Name: RunNarrator imagepath: Narrator.exe Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9} Name: CDBurn imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9} Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED} Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153} Name: RTHDCPL imagepath: RTHDCPL.EXE Name: Adobe Reader Speed Launcher imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" Name: Adobe ARM imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" Name: HP Software Update imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Name: imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk imagepath: C:\Program Files\EzDental\eSyncReminder.exe Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk imagepath: C:\Program Files\EzDental\WebSyncReminder.exe Name: imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini Bootexecute items: Name: imagepath: autocheck autochk * Name: imagepath: lsdelete Running services: Name: Alerter displayname: Alerter Name: ALG displayname: Application Layer Gateway Service Name: AudioSrv displayname: Windows Audio Name: BITS displayname: Background Intelligent Transfer Service Name: Browser displayname: Computer Browser Name: CryptSvc displayname: CryptSvc Name: DcomLaunch displayname: DCOM Server Process Launcher Name: Dhcp displayname: DHCP Client Name: dmserver displayname: Logical Disk Manager Name: Dnscache displayname: DNS Client Name: ERSvc displayname: Error Reporting Service Name: Eventlog displayname: Event Log Name: EventSystem displayname: COM+ Event System Name: FastUserSwitchingCompatibility displayname: Fast User Switching Compatibility Name: helpsvc displayname: Help and Support Name: HTTPFilter displayname: HTTP SSL Name: JavaQuickStarterService displayname: Java Quick Starter Name: LanmanServer displayname: Server Name: lanmanworkstation displayname: Workstation Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service Name: LmHosts displayname: TCP/IP NetBIOS Helper Name: Netman displayname: Network Connections Name: Nla displayname: Network Location Awareness (NLA) Name: PlugPlay displayname: Plug and Play Name: PolicyAgent displayname: IPSEC Services Name: ProtectedStorage displayname: Protected Storage Name: RasMan displayname: Remote Access Connection Manager Name: RemoteRegistry displayname: Remote Registry Name: RpcSs displayname: Remote Procedure Call (RPC) Name: SamSs displayname: Security Accounts Manager Name: Schedule displayname: Task Scheduler Name: seclogon displayname: Secondary Logon Name: SENS displayname: System Event Notification Name: SharedAccess displayname: Windows Firewall/Internet Connection Sharing (ICS) Name: ShellHWDetection displayname: Shell Hardware Detection Name: Spooler displayname: Print Spooler Name: srservice displayname: System Restore Service Name: SSDPSRV displayname: SSDP Discovery Service Name: stisvc displayname: Windows Image Acquisition (WIA) Name: TapiSrv displayname: Telephony Name: TermService displayname: Terminal Services Name: Themes displayname: Themes Name: TrkWks displayname: Distributed Link Tracking Client Name: W32Time displayname: Windows Time Name: WebClient displayname: WebClient Name: winmgmt displayname: Windows Management Instrumentation Name: wscsvc displayname: Security Center Name: wuauserv displayname: Automatic Updates Name: WZCSVC displayname: Wireless Zero Configuration
  6. [quote name='CeciliaB' post='125440' date='Mar 9 2011, 11:53 AM']Very good! How is the computer behaving now?[/quote] when we scan we are still getting stuff on our ad aware. the computer seems to be running fine. is it fine that we are still having items being found?
  7. [quote name='CeciliaB' post='125438' date='Mar 9 2011, 11:08 AM']Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.[u]lnk[/u] You are dragging a shortcut and not a text file. Fetch this CFScript.txt: [url="http://www.sendspace.com/file/xbf5eh"]http://www.sendspace.com/file/xbf5eh[/url] Save it on the desktop and drag it to ComboFix.[/quote] ComboFix 11-03-08.07 - Admin 03/09/2011 11:28:27.5.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2376 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\bFgPdAb06300 c:\documents and settings\All Users\Application Data\bFgPdAb06300\bFgPdAb06300 . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_cerc6 . . ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 ))))))))))))))))))))))))))))))) . . 2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering 2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-02-02 07:58 . 2010-05-08 15:32 2067456 ----a-w- c:\windows\system32\mstscax.dll 2011-01-27 11:57 . 2010-05-08 15:32 677888 ----a-w- c:\windows\system32\mstsc.exe 2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec . . ((((((((((((((((((((((((((((( [email protected]_14.37.28 ))))))))))))))))))))))))))))))))))))))))) . + 2011-03-09 17:31 . 2011-03-09 17:31 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat - 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat - 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-04-14 12:00 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll - 2008-04-14 12:00 . 2008-04-14 12:00 270848 c:\windows\system32\dllcache\sbe.dll - 2010-05-08 15:32 . 2008-04-14 12:00 677888 c:\windows\system32\dllcache\lhmstsc.exe + 2010-05-08 15:32 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe + 2008-04-14 12:00 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll - 2008-04-14 12:00 . 2008-04-14 12:00 186880 c:\windows\system32\dllcache\encdec.dll + 2010-05-08 15:32 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll + 2010-05-08 18:48 . 2011-03-09 16:15 37943240 c:\windows\system32\MRT.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232] . Contents of the 'Scheduled Tasks' folder . 2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-09 11:31 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2292) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\wscntfy.exe c:\windows\RTHDCPL.EXE c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe . ************************************************************************** . Completion time: 2011-03-09 11:32:31 - machine was rebooted ComboFix-quarantined-files.txt 2011-03-09 17:32 ComboFix2.txt 2011-03-09 15:18 ComboFix3.txt 2011-03-09 14:42 ComboFix4.txt 2011-03-08 19:20 ComboFix5.txt 2011-03-09 17:28 . Pre-Run: 197,870,215,168 bytes free Post-Run: 197,805,293,568 bytes free . - - End Of File - - 1552C8B32117F10CFB8EAF34FD39DA64
  8. [quote name='CeciliaB' post='125436' date='Mar 9 2011, 08:59 AM']This time ComboFix noticed the file but unfortunately it could not understand its content. Try once more to create CFScript. Be sure to use Notepad and that the content is exactly: Killall:: Driver:: cerc6 Folder:: c:\documents and settings\All Users\Application Data\bFgPdAb06300[/quote] ComboFix 11-03-08.07 - Admin 03/09/2011 9:16.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2413 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 ))))))))))))))))))))))))))))))) . . 2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood 2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering 2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec . . ((((((((((((((((((((((((((((( [email protected]8_14.37.28 ))))))))))))))))))))))))))))))))))))))))) . + 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat - 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384] S0 cerc6;cerc6; [x] . Contents of the 'Scheduled Tasks' folder . 2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-09 09:17 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2944) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . Completion time: 2011-03-09 09:18:31 ComboFix-quarantined-files.txt 2011-03-09 15:18 ComboFix2.txt 2011-03-09 14:42 ComboFix3.txt 2011-03-08 19:20 ComboFix4.txt 2011-03-08 14:38 . Pre-Run: 197,953,257,472 bytes free Post-Run: 197,940,707,328 bytes free . - - End Of File - - 5C4B33059EC9860B8C46D1E9F827C313
  9. [quote name='CeciliaB' post='125419' date='Mar 8 2011, 04:11 PM']Sorry, ComboFix did not notice that you dropped a file on top of it. Maybe it is easier to understand what you should do with this picture: [img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img][/quote] okay that is what we did.... here it is again... hopefully this time it works! thanks ComboFix 11-03-08.07 - Admin 03/09/2011 8:39.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2399 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 ))))))))))))))))))))))))))))))) . . 2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood 2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering 2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll . . ((((((((((((((((((((((((((((( [email protected]_14.37.28 ))))))))))))))))))))))))))))))))))))))))) . + 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat - 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat - 2010-05-08 15:43 . 2011-03-08 13:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464] R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384] S0 cerc6;cerc6; [x] . Contents of the 'Scheduled Tasks' folder . 2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-09 08:41 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2600) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . Completion time: 2011-03-09 08:42:06 ComboFix-quarantined-files.txt 2011-03-09 14:42 ComboFix2.txt 2011-03-08 19:20 ComboFix3.txt 2011-03-08 14:38 . Pre-Run: 197,935,550,464 bytes free Post-Run: 197,935,759,360 bytes free . - - End Of File - - DF47015B21BD2EED7C3000CE932508FE
  10. [quote name='CeciliaB' post='125415' date='Mar 8 2011, 11:56 AM']I don't know, the result from virustotal is hard to interpret. The coupon file was stored in the computer 17th of February, while SelectRebates, that ComboFix removed, was stored 21th of February. There is a malicious folder from 28th of February that will be removed with the following instruction: Copy all lines in the box: [code]Killall:: Driver:: cerc6 Folder:: c:\documents and settings\All Users\Application Data\bFgPdAb06300[/code] and paste into Notepad. Save the file on the desktop with the name CFScript. Prepare the computer according to the instructions for running ComboFix. Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way. ComboFix 11-03-07.07 - Admin 03/08/2011 13:17:46.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2353 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 ))))))))))))))))))))))))))))))) . . 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384] R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232] S0 cerc6;cerc6; [x] S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392] . Contents of the 'Scheduled Tasks' folder . 2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-08 13:19 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2880) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . Completion time: 2011-03-08 13:20:04 ComboFix-quarantined-files.txt 2011-03-08 19:20 ComboFix2.txt 2011-03-08 14:38 . Pre-Run: 197,988,220,928 bytes free Post-Run: 198,001,770,496 bytes free . - - End Of File - - 561927E8569C129C2A53AF77DBC35CC4 Paste the new ComboFix log into your answer.[/quote]
  11. [quote name='CeciliaB' post='125410' date='Mar 8 2011, 10:46 AM']The link is [url="http://www.virustotal.com/file-scan/report.html?id=e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703-1299521373"]http://www.virustotal.com/file-scan/report...5703-1299521373[/url] with the following information about the file:Is this something you recognize and want to have in the computer?[/quote] Is this what is causing our problem? if it is then we dont want it on the computer
  12. [quote name='CeciliaB' post='125408' date='Mar 8 2011, 09:25 AM']Nice that Ad-Aware can scan again! Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report: c:\windows\system32\cpnprt2.cid[/quote] here is what it says: MD5: 5d7882518f349aea63de2742339dd06f Date first seen: 2011-02-17 02:35:39 (UTC) Date last seen: 2011-03-07 18:09:33 (UTC) Detection ratio: 3/43 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware. File name: cpnprt2.cid Submission date: 2011-03-07 18:09:33 (UTC) Current status: finished Result: 3 /43 (7.0%) VT Community not reviewed Safety score: - Compact Print results Antivirus Version Last Update Result AhnLab-V3 2011.03.07.06 2011.03.07 - AntiVir 7.11.4.100 2011.03.07 - Antiy-AVL 2.0.3.7 2011.03.06 - Avast 4.8.1351.0 2011.03.07 - Avast5 5.0.677.0 2011.03.07 - AVG 10.0.0.1190 2011.03.07 - BitDefender 7.2 2011.03.07 - CAT-QuickHeal 11.00 2011.03.07 - ClamAV 0.96.4.0 2011.03.07 - Commtouch 5.2.11.5 2011.03.07 - Comodo 7903 2011.03.07 - DrWeb 5.0.2.03300 2011.03.07 - Emsisoft 5.1.0.2 2011.03.07 - eSafe 7.0.17.0 2011.03.06 Win32.TRBuzy eTrust-Vet 36.1.8198 2011.03.04 - F-Prot 4.6.2.117 2011.03.07 - F-Secure 9.0.16440.0 2011.03.07 - Fortinet 4.2.254.0 2011.03.07 - GData 21 2011.03.07 - Ikarus T3.1.1.97.0 2011.03.07 - Jiangmin 13.0.900 2011.03.07 - K7AntiVirus 9.92.4048 2011.03.07 - Kaspersky 7.0.0.125 2011.03.07 - McAfee 5.400.0.1158 2011.03.07 Artemis!5D7882518F34 McAfee-GW-Edition 2010.1C 2011.03.07 Artemis!5D7882518F34 Microsoft 1.6603 2011.03.07 - NOD32 5934 2011.03.07 - Norman 6.07.03 2011.03.07 - nProtect 2011-02-10.01 2011.02.15 - Panda 10.0.3.5 2011.03.07 - PCTools 7.0.3.5 2011.03.07 - Prevx 3.0 2011.03.07 - Rising 23.48.00.06 2011.03.07 - Sophos 4.63.0 2011.03.07 - SUPERAntiSpyware 4.40.0.1006 2011.03.07 - Symantec 20101.3.0.103 2011.03.07 - TheHacker 6.7.0.1.145 2011.03.06 - TrendMicro 9.200.0.1012 2011.03.07 - TrendMicro-HouseCall 9.200.0.1012 2011.03.07 - VBA32 3.12.14.3 2011.03.04 - VIPRE 8629 2011.03.07 - ViRobot 2011.3.7.4345 2011.03.07 - VirusBuster 13.6.239.0 2011.03.07 - Additional informationShow all MD5 : 5d7882518f349aea63de2742339dd06f SHA1 : ba7b32ff5af8e28e72c4616cc85b6600690e24e3 SHA256: e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703
  13. [quote name='jeepbug' post='125405' date='Mar 8 2011, 08:39 AM']ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Admin\My Documents\iexplore.exe c:\program files\Quicktime\QTTask.exe c:\program files\SelectRebates c:\program files\SelectRebates\FFToolbar\chrome.manifest c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js c:\program files\SelectRebates\FFToolbar\install.rdf c:\program files\SelectRebates\SahImages\alert.png c:\program files\SelectRebates\SahImages\check.png c:\program files\SelectRebates\SahImages\close.png c:\program files\SelectRebates\SelectAlerts.dat c:\program files\SelectRebates\SelectRebates.exe c:\program files\SelectRebates\SelectRebates.ini c:\program files\SelectRebates\SelectRebatesA.dat c:\program files\SelectRebates\SelectRebatesApi.exe c:\program files\SelectRebates\SelectRebatesB.dat c:\program files\SelectRebates\SelectRebatesBT.dat c:\program files\SelectRebates\SelectRebatesDownload.exe c:\program files\SelectRebates\SelectRebatesUninstall.exe c:\program files\SelectRebates\SRebates.dll c:\program files\SelectRebates\SRFF3.dll c:\program files\SelectRebates\Toolbar\AddtoList.bmp c:\program files\SelectRebates\Toolbar\basis.xml c:\program files\SelectRebates\Toolbar\Basis.xml.dym c:\program files\SelectRebates\Toolbar\Blank.bmp c:\program files\SelectRebates\Toolbar\CashBack.bmp c:\program files\SelectRebates\Toolbar\Coupons.bmp c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp c:\program files\SelectRebates\Toolbar\i_magnifying.bmp c:\program files\SelectRebates\Toolbar\icons.bmp c:\program files\SelectRebates\Toolbar\logo.bmp c:\program files\SelectRebates\Toolbar\logo_24.bmp c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp c:\program files\SelectRebates\Toolbar\ReviewSite.bmp c:\program files\SelectRebates\Toolbar\RightControls.dym c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp c:\program files\SelectRebates\Toolbar\sahtb-go.bmp c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp c:\program files\SelectRebates\Toolbar\Scissors.bmp c:\windows\jestertb.dll . . ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 ))))))))))))))))))))))))))))))) . . 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384] R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232] S0 cerc6;cerc6; [x] S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392] . Contents of the 'Scheduled Tasks' folder . 2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . - - - - ORPHANS REMOVED - - - - . HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-08 08:37 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . Completion time: 2011-03-08 08:38:10 ComboFix-quarantined-files.txt 2011-03-08 14:38 . Pre-Run: 197,996,335,104 bytes free Post-Run: 197,955,928,064 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701[/quote] after we did this combo fix we ran another smart scan on the computer, the following log is from that scan . Logfile created: 3/8/2011 08:40:16 Ad-Aware version: 9.0.2 Extended engine: 3 Extended engine version: 3.1.2770 User performing scan: Admin *********************** Definitions database information *********************** Lavasoft definition file: 150.312 Genotype definition file version: 2011/03/07 08:12:44 Extended engine definition file: 8627.0 ******************************** Scan results: ********************************* Scan profile name: Smart Scan (ID: smart) Objects scanned: 7837 Objects detected: 5 Type Detected ========================== Processes.......: 0 Registry entries: 0 Hostfile entries: 0 Files...........: 0 Folders.........: 0 LSPs............: 0 Cookies.........: 5 Browser hijacks.: 0 MRU objects.....: 0 Removed items: Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0 Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0 Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0 Description: *insightexpressai* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409259 Family ID: 0 Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0 Scan and cleaning complete: Finished correctly after 65 seconds *********************************** Settings *********************************** Scan profile: ID: smart, enabled:1, value: Smart Scan ID: folderstoscan, enabled:1, value: ID: useantivirus, enabled:1, value: true ID: sections, enabled:1 ID: scancriticalareas, enabled:1, value: true ID: scanrunningapps, enabled:1, value: true ID: scanregistry, enabled:1, value: true ID: scanlsp, enabled:1, value: true ID: scanads, enabled:1, value: false ID: scanhostsfile, enabled:1, value: false ID: scanmru, enabled:1, value: false ID: scanbrowserhijacks, enabled:1, value: true ID: scantrackingcookies, enabled:1, value: true ID: closebrowsers, enabled:1, value: false ID: filescanningoptions, enabled:1 ID: archives, enabled:1, value: false ID: onlyexecutables, enabled:1, value: true ID: skiplargerthan, enabled:1, value: 20480 ID: scanrootkits, enabled:1, value: true ID: rootkitlevel, enabled:1, value: strict, domain: medium,mild,strict ID: usespywareheuristics, enabled:1, value: true Scan global: ID: global, enabled:1 ID: addtocontextmenu, enabled:1, value: true ID: playsoundoninfection, enabled:1, value: false ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav Scheduled scan settings: ID: back, enabled:1, value: back ID: time, enabled:1, value: Tue Jan 11 13:50:01 2011 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: smart ID: auto_deal_with_infections, enabled:1, value: true Update settings: ID: updates, enabled:1 ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: schedules, enabled:1, value: true ID: updatedaily1, enabled:1, value: Daily 1 ID: time, enabled:1, value: Mon May 10 09:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updatedaily2, enabled:1, value: Daily 2 ID: time, enabled:1, value: Mon May 10 15:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updatedaily3, enabled:1, value: Daily 3 ID: time, enabled:1, value: Mon May 10 21:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updatedaily4, enabled:1, value: Daily 4 ID: time, enabled:1, value: Mon May 10 03:17:00 2010 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updateweekly1, enabled:1, value: Weekly ID: time, enabled:1, value: Mon May 10 09:17:00 2010 ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: true ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: true ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false Appearance settings: ID: appearance, enabled:1 ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource ID: showtrayicon, enabled:1, value: true ID: autoentertainmentmode, enabled:1, value: true ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language Realtime protection settings: ID: realtime, enabled:1 ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant ID: layers, enabled:1 ID: useantivirus, enabled:1, value: true ID: usespywareheuristics, enabled:1, value: true ID: maintainbackup, enabled:1, value: true ID: modules, enabled:1 ID: processprotection, enabled:1, value: true ID: onaccessprotection, enabled:1, value: true ID: registryprotection, enabled:1, value: true ID: networkprotection, enabled:1, value: true ****************************** System information ****************************** Computer name: PC2BACK Processor name: Intel® Pentium® Dual CPU E2220 @ 2.40GHz Processor identifier: x86 Family 6 Model 15 Stepping 13 Processor speed: ~2395MHZ Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2] Physical memory available: 2500923392 bytes Physical memory total: 3184435200 bytes Virtual memory available: 1805524992 bytes Virtual memory total: 2147352576 bytes Memory load: 21% Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Windows startup mode: Running processes: PID: 672 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY PID: 740 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY PID: 764 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY PID: 808 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY PID: 820 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY PID: 992 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1060 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 1156 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1252 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 1288 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 1332 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY PID: 1612 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY PID: 1716 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 1780 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY PID: 1896 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 732 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 1476 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY PID: 1524 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY PID: 2088 name: C:\WINDOWS\RTHDCPL.EXE owner: Admin domain: PC2BACK PID: 2108 name: C:\WINDOWS\system32\igfxtray.exe owner: Admin domain: PC2BACK PID: 2116 name: C:\WINDOWS\system32\hkcmd.exe owner: Admin domain: PC2BACK PID: 2144 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Admin domain: PC2BACK PID: 2208 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Admin domain: PC2BACK PID: 2256 name: C:\Program Files\EzDental\SystemTray.exe owner: Admin domain: PC2BACK PID: 2280 name: C:\WINDOWS\system32\ctfmon.exe owner: Admin domain: PC2BACK PID: 2368 name: C:\Program Files\EzDental\eSyncReminder.exe owner: Admin domain: PC2BACK PID: 2392 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Admin domain: PC2BACK PID: 2412 name: C:\Program Files\EzDental\WebSyncReminder.exe owner: Admin domain: PC2BACK PID: 2488 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 3056 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Admin domain: PC2BACK PID: 3164 name: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe owner: Admin domain: PC2BACK PID: 3392 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Admin domain: PC2BACK PID: 616 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Admin domain: PC2BACK PID: 2968 name: C:\WINDOWS\explorer.exe owner: Admin domain: PC2BACK PID: 444 name: C:\WINDOWS\system32\wscntfy.exe owner: Admin domain: PC2BACK Startup items: Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon Name: RTHDCPL imagepath: RTHDCPL.EXE Name: IgfxTray imagepath: C:\WINDOWS\system32\igfxtray.exe Name: HotKeysCmds imagepath: C:\WINDOWS\system32\hkcmd.exe Name: Adobe Reader Speed Launcher imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" Name: Adobe ARM imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" Name: HP Software Update imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Name: RunNarrator imagepath: Narrator.exe Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9} Name: CDBurn imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9} Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED} Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153} Name: imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk imagepath: C:\Program Files\EzDental\eSyncReminder.exe Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk imagepath: C:\Program Files\EzDental\WebSyncReminder.exe Name: imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini Bootexecute items: Name: imagepath: autocheck autochk * Name: imagepath: lsdelete Running services: Name: Alerter displayname: Alerter Name: ALG displayname: Application Layer Gateway Service Name: AudioSrv displayname: Windows Audio Name: Browser displayname: Computer Browser Name: CryptSvc displayname: Cryptographic Services Name: DcomLaunch displayname: DCOM Server Process Launcher Name: Dhcp displayname: DHCP Client Name: dmserver displayname: Logical Disk Manager Name: Dnscache displayname: DNS Client Name: ERSvc displayname: Error Reporting Service Name: Eventlog displayname: Event Log Name: EventSystem displayname: COM+ Event System Name: FastUserSwitchingCompatibility displayname: Fast User Switching Compatibility Name: helpsvc displayname: Help and Support Name: HTTPFilter displayname: HTTP SSL Name: JavaQuickStarterService displayname: Java Quick Starter Name: LanmanServer displayname: Server Name: lanmanworkstation displayname: Workstation Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service Name: LmHosts displayname: TCP/IP NetBIOS Helper Name: Netman displayname: Network Connections Name: Nla displayname: Network Location Awareness (NLA) Name: PlugPlay displayname: Plug and Play Name: PolicyAgent displayname: IPSEC Services Name: ProtectedStorage displayname: Protected Storage Name: RasMan displayname: Remote Access Connection Manager Name: RemoteRegistry displayname: Remote Registry Name: RpcSs displayname: Remote Procedure Call (RPC) Name: SamSs displayname: Security Accounts Manager Name: Schedule displayname: Task Scheduler Name: seclogon displayname: Secondary Logon Name: SENS displayname: System Event Notification Name: SharedAccess displayname: Windows Firewall/Internet Connection Sharing (ICS) Name: ShellHWDetection displayname: Shell Hardware Detection Name: Spooler displayname: Print Spooler Name: srservice displayname: System Restore Service Name: SSDPSRV displayname: SSDP Discovery Service Name: stisvc displayname: Windows Image Acquisition (WIA) Name: TapiSrv displayname: Telephony Name: TermService displayname: Terminal Services Name: Themes displayname: Themes Name: TrkWks displayname: Distributed Link Tracking Client Name: W32Time displayname: Windows Time Name: WebClient displayname: WebClient Name: winmgmt displayname: Windows Management Instrumentation Name: wscsvc displayname: Security Center Name: wuauserv displayname: Automatic Updates Name: WZCSVC displayname: Wireless Zero Configuration
  14. [quote name='CeciliaB' post='125368' date='Mar 7 2011, 05:37 PM']Can you run ComboFix?[/quote] ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Admin\My Documents\iexplore.exe c:\program files\Quicktime\QTTask.exe c:\program files\SelectRebates c:\program files\SelectRebates\FFToolbar\chrome.manifest c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js c:\program files\SelectRebates\FFToolbar\install.rdf c:\program files\SelectRebates\SahImages\alert.png c:\program files\SelectRebates\SahImages\check.png c:\program files\SelectRebates\SahImages\close.png c:\program files\SelectRebates\SelectAlerts.dat c:\program files\SelectRebates\SelectRebates.exe c:\program files\SelectRebates\SelectRebates.ini c:\program files\SelectRebates\SelectRebatesA.dat c:\program files\SelectRebates\SelectRebatesApi.exe c:\program files\SelectRebates\SelectRebatesB.dat c:\program files\SelectRebates\SelectRebatesBT.dat c:\program files\SelectRebates\SelectRebatesDownload.exe c:\program files\SelectRebates\SelectRebatesUninstall.exe c:\program files\SelectRebates\SRebates.dll c:\program files\SelectRebates\SRFF3.dll c:\program files\SelectRebates\Toolbar\AddtoList.bmp c:\program files\SelectRebates\Toolbar\basis.xml c:\program files\SelectRebates\Toolbar\Basis.xml.dym c:\program files\SelectRebates\Toolbar\Blank.bmp c:\program files\SelectRebates\Toolbar\CashBack.bmp c:\program files\SelectRebates\Toolbar\Coupons.bmp c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp c:\program files\SelectRebates\Toolbar\i_magnifying.bmp c:\program files\SelectRebates\Toolbar\icons.bmp c:\program files\SelectRebates\Toolbar\logo.bmp c:\program files\SelectRebates\Toolbar\logo_24.bmp c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp c:\program files\SelectRebates\Toolbar\ReviewSite.bmp c:\program files\SelectRebates\Toolbar\RightControls.dym c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp c:\program files\SelectRebates\Toolbar\sahtb-go.bmp c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp c:\program files\SelectRebates\Toolbar\Scissors.bmp c:\windows\jestertb.dll . . ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 ))))))))))))))))))))))))))))))) . . 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll 2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624] WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288] R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464] R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976] R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384] R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232] S0 cerc6;cerc6; [x] S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392] . Contents of the 'Scheduled Tasks' folder . 2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . - - - - ORPHANS REMOVED - - - - . HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-08 08:37 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . Completion time: 2011-03-08 08:38:10 ComboFix-quarantined-files.txt 2011-03-08 14:38 . Pre-Run: 197,996,335,104 bytes free Post-Run: 197,955,928,064 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701
  15. [quote name='CeciliaB' post='125366' date='Mar 7 2011, 04:03 PM'][b]1. RKill[/b] Please, download RKill by Grinler to your Desktop: On the page [url="http://www.bleepingcomputer.com/download/anti-virus/rkill"]http://www.bleepingcomputer.com/download/anti-virus/rkill[/url] click the link [b]iExplore.exe Download Link[/b] and save it to your desktop, please. Turn off your antivirus program and other security programs, if possible. How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url] Double-click on the iExplore.exe icon to start RKill. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, that is a fake warning given by the infection. The trick is to leave the warning on the screen and then run RKill again. Run RKill until the fake program is not visible but not more than ten times. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. If you restart the computer the fake program will start to run again and you have to repeat the above. [b]2. ComboFix[/b] Follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix. Read carefully and note the "Disclaimer of warranty"! Paste the content of the log into your answer.[/quote] This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish. Rkill was run on 03/07/2011 at 16:13:41. Operating System: Microsoft Windows XP Processes terminated by Rkill or while it was running: Rkill completed on 03/07/2011 at 16:13:45.