jeepbug

Everything posted by jeepbug

  1. [quote name='CeciliaB' post='126099' date='Apr 14 2011, 11:50 AM']Hi jeepbug, The MBAM log only changed the settings regarding whether Windows Security Center should display messages when the antivirus program, firewall or Windows Update isn't running. That alone is not an indication of an infection. Which version of Ad-Aware do you have? Has Ad-Aware opened up before? Did you install, uninstall or update anything last time Ad-Aware worked?[/quote] We have Ad-Aware Anniversary Edition. We haven't installed, uninstalled or updated anything.
  2. [quote name='jeepbug' post='126092' date='Apr 14 2011, 09:47 AM']Our Ad-Aware will not open up; it is saying it was shut down unexpectedly. We are unable to open up Ad-Aware as it says that it is sending a report to Ad-Aware. Any advice?[/quote] Don't know if this helps, but here is the log that we have from Malwarebytes.
  3. Our Ad-Aware will not open up; it is saying it was shut down unexpectedly. We are unable to open up Ad-Aware as it says that it is sending a report to Ad-Aware. Any advice?
  4. [quote name='CeciliaB' post='125449' date='Mar 9 2011, 04:28 PM']Cookies are small text files and they are never dangerous for the computer. When you visit web sites, they often store a cookie in the computer to be able to recognize you when you return the next time. Advertisement companies are interested in keeping track of what ads you have seen and clicked on and do so by storing a cookie in the computer. Ad-Aware and some other security programs remove the tracking cookies since they consider that behaviour to be spying. In short, cookies are stored in the computer by most web sites. They are not dangerous, but it is good to remove them now and then to protect your privacy. To improve Ad-Aware I want to send the files that ComboFix removed to Lavasoft. Do you know how to zip (pack) a folder or do you need a description? I want you to zip the C:\Qoobox folder and send it to me, for example by uploading the zip file to [url="http://sprend.com/?r=0kAe0"]http://sprend.com/?r=0kAe0[/url] and sending the link to the uploaded file in a PM to me.[/quote] Not sure if this is the correct file that you needed; please let us know. Thanks.
  5. [quote name='CeciliaB' post='125442' date='Mar 9 2011, 01:53 PM']What type of stuff does Ad-Aware find? You can post an Ad-Aware log if you want.[/quote] These are the items:
     Logfile created: 3/9/2011 14:06:59 Ad-Aware version: 9.0.2
  6. [quote name='CeciliaB' post='125440' date='Mar 9 2011, 11:53 AM']Very good! How is the computer behaving now?[/quote] When we scan we are still getting stuff on our Ad-Aware. The computer seems to be running fine. Is it fine that we are still having items being found?
  7. [quote name='CeciliaB' post='125438' date='Mar 9 2011, 11:08 AM']Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.[u]lnk[/u] You are dragging a shortcut and not a text file. Fetch this CFScript.txt: [url="http://www.sendspace.com/file/xbf5eh"]http://www.sendspace.com/file/xbf5eh[/url] Save it on the desktop and drag it to ComboFix.[/quote] ComboFix 11-03-08.07 - Admin 03/09/2011 11:28:27.5.2 - x86
     Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
  8. [quote name='CeciliaB' post='125436' date='Mar 9 2011, 08:59 AM']This time ComboFix noticed the file but unfortunately it could not understand its content. Try once more to create CFScript. Be sure to use Notepad and that the content is exactly: Killall:: Driver:: cerc6 Folder:: c:\documents and settings\All Users\Application Data\bFgPdAb06300[/quote] ComboFix 11-03-08.07 - Admin 03/09/2011 9:16.4.2 - x86
     Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06] . 2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31] . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url] Rootkit scan 2011-03-09 09:17 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2944) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . Completion time: 2011-03-09 09:18:31 ComboFix-quarantined-files.txt 2011-03-09 15:18 ComboFix2.txt 2011-03-09 14:42 ComboFix3.txt 2011-03-08 19:20 ComboFix4.txt 2011-03-08 14:38 . Pre-Run: 197,953,257,472 bytes free Post-Run: 197,940,707,328 bytes free . - - End Of File - - 5C4B33059EC9860B8C46D1E9F827C313
  9. [quote name='CeciliaB' post='125419' date='Mar 8 2011, 04:11 PM']Sorry, ComboFix did not notice that you dropped a file on top of it. Maybe it is easier to understand what you should do with this picture:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img][/quote]

Okay, that is what we did... here it is again... hopefully this time it works! Thanks.

ComboFix 11-03-08.07 - Admin 03/09/2011 8:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2399 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-08_14.37.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
- 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-05-08 15:43 . 2011-03-08 13:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-09 08:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-09 08:42:06
ComboFix-quarantined-files.txt 2011-03-09 14:42
ComboFix2.txt 2011-03-08 19:20
ComboFix3.txt 2011-03-08 14:38
.
Pre-Run: 197,935,550,464 bytes free
Post-Run: 197,935,759,360 bytes free
.
- - End Of File - - DF47015B21BD2EED7C3000CE932508FE
  10. [quote name='CeciliaB' post='125415' date='Mar 8 2011, 11:56 AM']I don't know, the result from virustotal is hard to interpret. The coupon file was stored in the computer 17th of February, while SelectRebates, that ComboFix removed, was stored 21st of February. There is a malicious folder from 28th of February that will be removed with the following instruction:

Copy all lines in the box:
[code]Killall::
Driver::
cerc6
Folder::
c:\documents and settings\All Users\Application Data\bFgPdAb06300[/code]
and paste into Notepad. Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix. Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.

Paste the new ComboFix log into your answer.[/quote]

ComboFix 11-03-07.07 - Admin 03/08/2011 13:17:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2353 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-08 13:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-08 13:20:04
ComboFix-quarantined-files.txt 2011-03-08 19:20
ComboFix2.txt 2011-03-08 14:38
.
Pre-Run: 197,988,220,928 bytes free
Post-Run: 198,001,770,496 bytes free
.
- - End Of File - - 561927E8569C129C2A53AF77DBC35CC4
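The CFScript the helper asks for targets two things that are visible in the logs posted in this thread: a driver entry whose image file is missing (the `S0 cerc6;cerc6; [x]` line in the services list) and a folder with a random-looking name created a few days earlier under All Users\Application Data. The Python below is an added example, not part of the thread and not ComboFix's own code; it parses those two sections from a constructed sample (lines copied from the logs above), flags the orphaned driver and the odd folder, and emits a script in the same Killall::/Driver::/Folder:: layout the helper used. The reading of `[x]` as "image file absent" and the random-name heuristic are this example's assumptions, so its output is a starting point for a human reviewer, not a deletion list to run blind.

```python
from __future__ import annotations
import re

# Constructed sample: a few lines in the shape of the ComboFix logs posted in this thread
# (entries copied from those logs, cut down to what the parser needs).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
"""

# "R0 name;display;path [date size]" or "S0 name;display; [x]". The "[x]" form with an
# empty path is how the logs above show a service whose image file is absent (assumption).
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")

# "created . modified size attrs path" rows of the "Files Created" section
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$"
)


def parse_services(log: str) -> list[dict]:
    """Return every service/driver row; 'orphan' marks rows that have no image path."""
    rows = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, detail = m.groups()
        rows.append({"state": state, "start": int(start), "name": name, "display": display,
                     "path": path, "orphan": path == "" and detail.strip() == "x"})
    return rows


def parse_created(log: str) -> list[dict]:
    """Return rows of the 'Files Created' section; 'is_dir' comes from the attribute column."""
    rows = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created, modified, _size, attrs, path = m.groups()
        rows.append({"created": created, "modified": modified,
                     "is_dir": attrs.startswith("d"), "path": path})
    return rows


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption): a mixed-case, vowel-poor run of letters
    followed by a run of digits, e.g. bFgPdAb06300, but not Malwarebytes or LastGood."""
    m = re.fullmatch(r"([A-Za-z]{5,})(\d{4,})", name)
    if not m:
        return False
    letters = m.group(1)
    mixed_case = letters != letters.lower() and letters != letters.upper()
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    return mixed_case and vowel_ratio < 0.25


def build_cfscript(drivers: list[str], folders: list[str]) -> str:
    """Emit the Killall:: / Driver:: / Folder:: layout used in the helper's instructions."""
    lines = ["Killall::"]
    if drivers:
        lines += ["Driver::", *drivers]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines) + "\n"


def triage(log: str) -> dict:
    """Orphaned drivers plus newly created, random-named directories, and a draft CFScript."""
    orphans = [s["name"] for s in parse_services(log) if s["orphan"]]
    suspicious = [r["path"] for r in parse_created(log)
                  if r["is_dir"] and looks_random(r["path"].rstrip("\\").rsplit("\\", 1)[-1])]
    return {"orphan_services": orphans, "suspicious_dirs": suspicious,
            "cfscript": build_cfscript(orphans, suspicious)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["cfscript"])
```

Run against the sample, `triage` reports `cerc6` as the only orphaned driver and the bFgPdAb06300 folder as the only suspicious directory, which is exactly the pair the helper put in the CFScript; every other created directory (Malwarebytes, Reality Engineering, LastGood in the full logs) has a readable name and is skipped. A real log has many more service rows and the `[x]` marker also appears for legitimately uninstalled drivers, so the orphan list should be checked against what the owner remembers installing before anything is removed.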
  11. [quote name='CeciliaB' post='125410' date='Mar 8 2011, 10:46 AM']The link is [url="http://www.virustotal.com/file-scan/report.html?id=e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703-1299521373"]http://www.virustotal.com/file-scan/report...5703-1299521373[/url] with the following information about the file:

Is this something you recognize and want to have in the computer?[/quote]

Is this what is causing our problem? If it is, then we don't want it on the computer.
  12. [quote name='CeciliaB' post='125408' date='Mar 8 2011, 09:25 AM']Nice that Ad-Aware can scan again!

Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report:
c:\windows\system32\cpnprt2.cid[/quote]

Here is what it says:

MD5: 5d7882518f349aea63de2742339dd06f
Date first seen: 2011-02-17 02:35:39 (UTC)
Date last seen: 2011-03-07 18:09:33 (UTC)
Detection ratio: 3/43
VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware.
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: cpnprt2.cid
Submission date: 2011-03-07 18:09:33 (UTC)
Current status: finished
Result: 3/43 (7.0%)
VT Community not reviewed
Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2011.03.07.06 2011.03.07 -
AntiVir 7.11.4.100 2011.03.07 -
Antiy-AVL 2.0.3.7 2011.03.06 -
Avast 4.8.1351.0 2011.03.07 -
Avast5 5.0.677.0 2011.03.07 -
AVG 10.0.0.1190 2011.03.07 -
BitDefender 7.2 2011.03.07 -
CAT-QuickHeal 11.00 2011.03.07 -
ClamAV 0.96.4.0 2011.03.07 -
Commtouch 5.2.11.5 2011.03.07 -
Comodo 7903 2011.03.07 -
DrWeb 5.0.2.03300 2011.03.07 -
Emsisoft 5.1.0.2 2011.03.07 -
eSafe 7.0.17.0 2011.03.06 Win32.TRBuzy
eTrust-Vet 36.1.8198 2011.03.04 -
F-Prot 4.6.2.117 2011.03.07 -
F-Secure 9.0.16440.0 2011.03.07 -
Fortinet 4.2.254.0 2011.03.07 -
GData 21 2011.03.07 -
Ikarus T3.1.1.97.0 2011.03.07 -
Jiangmin 13.0.900 2011.03.07 -
K7AntiVirus 9.92.4048 2011.03.07 -
Kaspersky 7.0.0.125 2011.03.07 -
McAfee 5.400.0.1158 2011.03.07 Artemis!5D7882518F34
McAfee-GW-Edition 2010.1C 2011.03.07 Artemis!5D7882518F34
Microsoft 1.6603 2011.03.07 -
NOD32 5934 2011.03.07 -
Norman 6.07.03 2011.03.07 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.07 -
PCTools 7.0.3.5 2011.03.07 -
Prevx 3.0 2011.03.07 -
Rising 23.48.00.06 2011.03.07 -
Sophos 4.63.0 2011.03.07 -
SUPERAntiSpyware 4.40.0.1006 2011.03.07 -
Symantec 20101.3.0.103 2011.03.07 -
TheHacker 6.7.0.1.145 2011.03.06 -
TrendMicro 9.200.0.1012 2011.03.07 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.07 -
VBA32 3.12.14.3 2011.03.04 -
VIPRE 8629 2011.03.07 -
ViRobot 2011.3.7.4345 2011.03.07 -
VirusBuster 13.6.239.0 2011.03.07 -

Additional information
MD5: 5d7882518f349aea63de2742339dd06f
SHA1: ba7b32ff5af8e28e72c4616cc85b6600690e24e3
SHA256: e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703
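The helper later calls this 3/43 result hard to interpret, and the rows above show why: the three hits are one vendor's family name and two copies of McAfee's Artemis name, whose hex suffix is just the first twelve characters of the file's own MD5 (compare the MD5 line with Artemis!5D7882518F34), so they are a per-file reputation verdict rather than a second independent family attribution, and none of the larger signature engines flag the file at all. The Python below is an added example, not from the thread and not VirusTotal's API: it parses rows in the text layout pasted above (a constructed sample of the same rows), splits named detections from heuristic or generic ones, and applies thresholds to decide whether the scan alone justifies action. The heuristic-prefix list and the thresholds are this example's assumptions.

```python
import re

# Constructed sample in the layout of the VirusTotal report pasted above (rows copied from
# that post; the real table has 43 engines, this keeps the three hits and a few clean rows
# and takes the engine total from the "Detection ratio" header).
SAMPLE_REPORT = """\
MD5: 5d7882518f349aea63de2742339dd06f
Detection ratio: 3/43
Antivirus Version Last Update Result
AntiVir 7.11.4.100 2011.03.07 -
Avast 4.8.1351.0 2011.03.07 -
eSafe 7.0.17.0 2011.03.06 Win32.TRBuzy
Kaspersky 7.0.0.125 2011.03.07 -
McAfee 5.400.0.1158 2011.03.07 Artemis!5D7882518F34
McAfee-GW-Edition 2010.1C 2011.03.07 Artemis!5D7882518F34
Microsoft 1.6603 2011.03.07 -
Symantec 20101.3.0.103 2011.03.07 -
Additional information
"""

# one row: engine, engine version, signature date (YYYY.MM.DD), result ("-" means clean)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(\S+)$")
RATIO_RE = re.compile(r"^Detection ratio:\s*(\d+)/(\d+)")

# Detection names that carry no family attribution (assumed list; extend as needed).
# "Artemis!" is McAfee's cloud-reputation verdict; the rest are common generic prefixes.
HEURISTIC_PREFIXES = ("Artemis!", "Gen:", "Heur", "HEUR", "Generic", "Suspicious", "Unknown")


def parse_report(text: str) -> dict:
    """Return {'hits': {engine: name}, 'engines_seen': n, 'total': n} for a pasted report."""
    hits, seen, total = {}, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RATIO_RE.match(line)
        if m:
            total = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        engine, _version, _updated, result = m.groups()
        seen += 1
        if result != "-":
            hits[engine] = result
    return {"hits": hits, "engines_seen": seen, "total": total or seen}


def is_heuristic(name: str) -> bool:
    return name.startswith(HEURISTIC_PREFIXES)


def classify(report: dict, md5: str = "") -> dict:
    """Split hits into named vs heuristic and apply (assumed) thresholds for a verdict."""
    named = {e: r for e, r in report["hits"].items() if not is_heuristic(r)}
    heuristic = {e: r for e, r in report["hits"].items() if is_heuristic(r)}
    # Artemis!<12 hex> repeats the first 12 characters of the sample's own MD5, as the post
    # above shows: it is a per-file reputation verdict, not a family name, so two such rows
    # from two McAfee products are one opinion, not two.
    echoes_md5 = bool(md5) and any(
        r.upper().startswith("ARTEMIS!" + md5.upper()[:12]) for r in heuristic.values()
    )
    ratio = len(report["hits"]) / report["total"] if report["total"] else 0.0
    if len(named) >= 3 or ratio >= 0.25:
        verdict = "likely malicious"
    elif report["hits"]:
        verdict = "inconclusive"      # decide from file origin and timeline, not this scan
    else:
        verdict = "clean on signatures"
    return {"verdict": verdict, "ratio": round(ratio, 3), "named": named,
            "heuristic": heuristic, "artemis_echoes_md5": echoes_md5}


if __name__ == "__main__":
    print(classify(parse_report(SAMPLE_REPORT), md5="5d7882518f349aea63de2742339dd06f"))
```

On the sample this returns "inconclusive" with one named detection and two Artemis rows that echo the MD5, which matches the helper's next step in the thread: instead of trusting the ratio, she compares the file's creation date with the dates of the adware ComboFix had already removed. A detection-name split like this is the first thing to do with any low-ratio result before treating it as either clean or malicious.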
  13. [quote name='jeepbug' post='125405' date='Mar 8 2011, 08:39 AM']ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00] Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Admin\My Documents\iexplore.exe c:\program files\Quicktime\QTTask.exe c:\program files\SelectRebates c:\program files\SelectRebates\FFToolbar\chrome.manifest c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js c:\program files\SelectRebates\FFToolbar\install.rdf c:\program files\SelectRebates\SahImages\alert.png c:\program files\SelectRebates\SahImages\check.png c:\program files\SelectRebates\SahImages\close.png c:\program files\SelectRebates\SelectAlerts.dat c:\program files\SelectRebates\SelectRebates.exe c:\program files\SelectRebates\SelectRebates.ini c:\program files\SelectRebates\SelectRebatesA.dat c:\program files\SelectRebates\SelectRebatesApi.exe c:\program files\SelectRebates\SelectRebatesB.dat c:\program files\SelectRebates\SelectRebatesBT.dat c:\program files\SelectRebates\SelectRebatesDownload.exe c:\program files\SelectRebates\SelectRebatesUninstall.exe c:\program files\SelectRebates\SRebates.dll c:\program files\SelectRebates\SRFF3.dll c:\program files\SelectRebates\Toolbar\AddtoList.bmp c:\program files\SelectRebates\Toolbar\basis.xml c:\program files\SelectRebates\Toolbar\Basis.xml.dym c:\program files\SelectRebates\Toolbar\Blank.bmp c:\program files\SelectRebates\Toolbar\CashBack.bmp c:\program files\SelectRebates\Toolbar\Coupons.bmp c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp c:\program files\SelectRebates\Toolbar\i_magnifying.bmp c:\program 
files\SelectRebates\Toolbar\icons.bmp c:\program files\SelectRebates\Toolbar\logo.bmp c:\program files\SelectRebates\Toolbar\logo_24.bmp c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp c:\program files\SelectRebates\Toolbar\ReviewSite.bmp c:\program files\SelectRebates\Toolbar\RightControls.dym c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp c:\program files\SelectRebates\Toolbar\sahtb-go.bmp c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp c:\program files\SelectRebates\Toolbar\Scissors.bmp c:\windows\jestertb.dll . . ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 ))))))))))))))))))))))))))))))) . . 2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys 2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes 2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid 2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe 2011-01-21 14:44 . 
- - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701[/quote]

After we did this ComboFix, we ran another Smart Scan on the computer; the following log is from that scan.
Logfile created: 3/8/2011 08:40:16
Ad-Aware version: 9.0.2
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Admin

*********************** Definitions database information ***********************
Lavasoft definition file: 150.312
Genotype definition file version: 2011/03/07 08:12:44
Extended engine definition file: 8627.0

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 7837
Objects detected: 5

Type             Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 5
Browser hijacks.: 0
MRU objects.....: 0

Removed items:
Description: *ad.yieldmanager*  Family Name: Cookies  Engine: 1  Clean status: Success  Item ID: 409172  Family ID: 0
Description: *atdmt*  Family Name: Cookies  Engine: 1  Clean status: Success  Item ID: 408910  Family ID: 0
Description: *doubleclick*  Family Name: Cookies  Engine: 1  Clean status: Success  Item ID: 408875  Family ID: 0
Description: *insightexpressai*  Family Name: Cookies  Engine: 1  Clean status: Success  Item ID: 409259  Family ID: 0
Description: *tribalfusion*  Family Name: Cookies  Engine: 1  Clean status: Success  Item ID: 408785  Family ID: 0

Scan and cleaning complete: Finished correctly after 65 seconds

*********************************** Settings ***********************************
Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: folderstoscan, enabled:1, value:
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: strict, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
ID: back, enabled:1, value: back
ID: time, enabled:1, value: Tue Jan 11 13:50:01 2011
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value: smart
ID: auto_deal_with_infections, enabled:1, value: true

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Mon May 10 09:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Mon May 10 15:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Mon May 10 21:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Mon May 10 03:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Mon May 10 09:17:00 2010
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: true
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: maintainbackup, enabled:1, value: true
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: true
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true

****************************** System information ******************************
Computer name: PC2BACK
Processor name: Intel® Pentium® Dual CPU E2220 @ 2.40GHz
Processor identifier: x86 Family 6 Model 15 Stepping 13
Processor speed: ~2395MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2]
Physical memory available: 2500923392 bytes
Physical memory total: 3184435200 bytes
Virtual memory available: 1805524992 bytes
Virtual memory total: 2147352576 bytes
Memory load: 21%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 672 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 740 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 764 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 808 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 820 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 992 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1060 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1156 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1252 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1288 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1332 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1612 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1716 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1780 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1896 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 732 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1476 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1524 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2088 name: C:\WINDOWS\RTHDCPL.EXE owner: Admin domain: PC2BACK
PID: 2108 name: C:\WINDOWS\system32\igfxtray.exe owner: Admin domain: PC2BACK
PID: 2116 name: C:\WINDOWS\system32\hkcmd.exe owner: Admin domain: PC2BACK
PID: 2144 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Admin domain: PC2BACK
PID: 2208 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Admin domain: PC2BACK
PID: 2256 name: C:\Program Files\EzDental\SystemTray.exe owner: Admin domain: PC2BACK
PID: 2280 name: C:\WINDOWS\system32\ctfmon.exe owner: Admin domain: PC2BACK
PID: 2368 name: C:\Program Files\EzDental\eSyncReminder.exe owner: Admin domain: PC2BACK
PID: 2392 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Admin domain: PC2BACK
PID: 2412 name: C:\Program Files\EzDental\WebSyncReminder.exe owner: Admin domain: PC2BACK
PID: 2488 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3056 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Admin domain: PC2BACK
PID: 3164 name: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe owner: Admin domain: PC2BACK
PID: 3392 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Admin domain: PC2BACK
PID: 616 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Admin domain: PC2BACK
PID: 2968 name: C:\WINDOWS\explorer.exe owner: Admin domain: PC2BACK
PID: 444 name: C:\WINDOWS\system32\wscntfy.exe owner: Admin domain: PC2BACK

Startup items:
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon
Name: RTHDCPL imagepath: RTHDCPL.EXE
Name: IgfxTray imagepath: C:\WINDOWS\system32\igfxtray.exe
Name: HotKeysCmds imagepath: C:\WINDOWS\system32\hkcmd.exe
Name: Adobe Reader Speed Launcher imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Name: Adobe ARM imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Name: HP Software Update imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Name: RunNarrator imagepath: Narrator.exe
Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk imagepath: C:\Program Files\EzDental\eSyncReminder.exe
Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Name: location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk imagepath: C:\Program Files\EzDental\WebSyncReminder.exe
Name: imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name: imagepath: autocheck autochk *
Name: imagepath: lsdelete

Running services:
Name: Alerter displayname: Alerter
Name: ALG displayname: Application Layer Gateway Service
Name: AudioSrv displayname: Windows Audio
Name: Browser displayname: Computer Browser
Name: CryptSvc displayname: Cryptographic Services
Name: DcomLaunch displayname: DCOM Server Process Launcher
Name: Dhcp displayname: DHCP Client
Name: dmserver displayname: Logical Disk Manager
Name: Dnscache displayname: DNS Client
Name: ERSvc displayname: Error Reporting Service
Name: Eventlog displayname: Event Log
Name: EventSystem displayname: COM+ Event System
Name: FastUserSwitchingCompatibility displayname: Fast User Switching Compatibility
Name: helpsvc displayname: Help and Support
Name: HTTPFilter displayname: HTTP SSL
Name: JavaQuickStarterService displayname: Java Quick Starter
Name: LanmanServer displayname: Server
Name: lanmanworkstation displayname: Workstation
Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service
Name: LmHosts displayname: TCP/IP NetBIOS Helper
Name: Netman displayname: Network Connections
Name: Nla displayname: Network Location Awareness (NLA)
Name: PlugPlay displayname: Plug and Play
Name: PolicyAgent displayname: IPSEC Services
Name: ProtectedStorage displayname: Protected Storage
Name: RasMan displayname: Remote Access Connection Manager
Name: RemoteRegistry displayname: Remote Registry
Name: RpcSs displayname: Remote Procedure Call (RPC)
Name: SamSs displayname: Security Accounts Manager
Name: Schedule displayname: Task Scheduler
Name: seclogon displayname: Secondary Logon
Name: SENS displayname: System Event Notification
Name: SharedAccess displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection displayname: Shell Hardware Detection
Name: Spooler displayname: Print Spooler
Name: srservice displayname: System Restore Service
Name: SSDPSRV displayname: SSDP Discovery Service
Name: stisvc displayname: Windows Image Acquisition (WIA)
Name: TapiSrv displayname: Telephony
Name: TermService displayname: Terminal Services
Name: Themes displayname: Themes
Name: TrkWks displayname: Distributed Link Tracking Client
Name: W32Time displayname: Windows Time
Name: WebClient displayname: WebClient
Name: winmgmt displayname: Windows Management Instrumentation
Name: wscsvc displayname: Security Center
Name: wuauserv displayname: Automatic Updates
Name: WZCSVC displayname: Wireless Zero Configuration
  14. [quote name='CeciliaB' post='125368' date='Mar 7 2011, 05:37 PM']Can you run ComboFix?[/quote]

ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\My Documents\iexplore.exe
c:\program files\Quicktime\QTTask.exe
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\windows\jestertb.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-08 08:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-08 08:38:10
ComboFix-quarantined-files.txt 2011-03-08 14:38
.
Pre-Run: 197,996,335,104 bytes free
Post-Run: 197,955,928,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701
  15. [quote name='CeciliaB' post='125366' date='Mar 7 2011, 04:03 PM'][b]1. RKill[/b]
Please, download RKill by Grinler to your Desktop: On the page [url="http://www.bleepingcomputer.com/download/anti-virus/rkill"]http://www.bleepingcomputer.com/download/anti-virus/rkill[/url] click the link [b]iExplore.exe Download Link[/b] and save it to your desktop, please.
Turn off your antivirus program and other security programs, if possible. How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]
Double-click on the iExplore.exe icon to start RKill. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that RKill is an infection, that is a fake warning given by the infection. The trick is to leave the warning on the screen and then run RKill again. Run RKill until the fake program is not visible but not more than ten times. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. If you restart the computer the fake program will start to run again and you have to repeat the above.

[b]2. ComboFix[/b]
Follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix. Read carefully and note the "Disclaimer of warranty"! Paste the content of the log into your answer.[/quote]

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/07/2011 at 16:13:41.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 03/07/2011 at 16:13:45.
  16. [quote name='CeciliaB' post='125250' date='Mar 1 2011, 04:08 PM']I understand that you cannot run Ad-Aware. Is it possible to run TFC and OTL according to the instruction? If you cannot run OTL you can try this scanner instead: Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url] Double-click on the DDS tool to run it. When finished, DDS will open two (2) logs: 1. DDS.txt 2. Attach.txt Save them to your desktop and paste their content into your answer.[/quote] . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_11-03-05.01) . Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 5/8/2010 10:36:16 AM System Uptime: 3/7/2011 7:48:40 AM (8 hours ago) . Motherboard: Dell Inc. | | 0P301D Processor: Intel® Pentium® Dual CPU E2220 @ 2.40GHz | Socket 775 | 2393/200mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 195 GiB total, 184.445 GiB free. D: is CDROM () Z: is NetworkDisk (NTFS) - 233 GiB total, 209.824 GiB free. . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . 
RP135: 12/8/2010 11:50:48 AM - System Checkpoint
RP136: 12/9/2010 12:09:39 PM - System Checkpoint
RP137: 12/14/2010 8:24:14 AM - System Checkpoint
RP138: 1/3/2011 10:55:33 AM - System Checkpoint
RP139: 1/3/2011 11:00:12 AM - Software Distribution Service 3.0
RP140: 1/4/2011 1:55:10 PM - System Checkpoint
RP141: 1/4/2011 3:53:43 PM - Software Distribution Service 3.0
RP142: 1/5/2011 2:15:52 PM - Restore Operation
RP143: 1/5/2011 2:20:32 PM - Restore Operation
RP144: 1/5/2011 2:26:16 PM - Restore Operation
RP145: 1/5/2011 2:30:11 PM - Restore Operation
RP146: 1/5/2011 2:54:44 PM - Restore Operation
RP147: 1/5/2011 3:01:57 PM - Restore Operation
RP148: 1/5/2011 3:06:52 PM - Restore Operation
RP149: 1/5/2011 3:26:48 PM - Restore Operation
RP150: 1/5/2011 3:53:40 PM - Restore Operation
RP151: 1/6/2011 7:58:17 AM - Restore Operation
RP152: 1/6/2011 8:02:05 AM - Restore Operation
RP153: 1/11/2011 8:10:37 AM - System Checkpoint
RP154: 1/11/2011 8:43:51 AM - Installed HiJackThis
RP155: 1/11/2011 8:49:00 AM - OTM Restore Point
RP156: 1/12/2011 9:12:50 AM - System Checkpoint
RP157: 1/12/2011 4:23:56 PM - Software Distribution Service 3.0
RP158: 1/17/2011 8:18:04 AM - System Checkpoint
RP159: 1/18/2011 9:34:56 AM - System Checkpoint
RP160: 1/19/2011 9:57:25 AM - System Checkpoint
RP161: 1/20/2011 10:06:29 AM - System Checkpoint
RP162: 1/24/2011 8:16:33 AM - System Checkpoint
RP163: 1/25/2011 8:37:23 AM - System Checkpoint
RP164: 1/26/2011 8:50:18 AM - System Checkpoint
RP165: 1/27/2011 9:40:34 AM - System Checkpoint
RP166: 1/31/2011 8:24:09 AM - System Checkpoint
RP167: 2/1/2011 10:15:28 AM - System Checkpoint
RP168: 2/2/2011 10:52:46 AM - System Checkpoint
RP169: 2/3/2011 11:19:11 AM - System Checkpoint
RP170: 2/7/2011 8:17:15 AM - System Checkpoint
RP171: 2/8/2011 8:58:27 AM - System Checkpoint
RP172: 2/9/2011 11:36:22 AM - System Checkpoint
RP173: 2/9/2011 4:04:48 PM - Software Distribution Service 3.0
RP174: 2/14/2011 8:24:21 AM - System Checkpoint
RP175: 2/15/2011 8:34:20 AM - System Checkpoint
RP176: 2/16/2011 9:49:19 AM - System Checkpoint
RP177: 2/17/2011 10:31:35 AM - System Checkpoint
RP178: 2/21/2011 8:54:33 AM - System Checkpoint
RP179: 2/22/2011 9:01:54 AM - System Checkpoint
RP180: 2/23/2011 9:33:00 AM - System Checkpoint
RP181: 2/24/2011 9:36:20 AM - System Checkpoint
RP182: 2/28/2011 8:20:46 AM - System Checkpoint
RP183: 3/1/2011 2:43:26 PM - System Checkpoint
RP184: 3/1/2011 3:16:03 PM - Ad-Aware Checkpoint
RP185: 3/1/2011 3:42:04 PM - Software Distribution Service 3.0
RP186: 3/2/2011 3:59:47 PM - System Checkpoint
RP187: 3/7/2011 8:56:14 AM - System Checkpoint
.
==== Installed Programs ======================
.
5600
5600_Help
5600Trb
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Reader 9.3
AiO_Scan
AiOSoftware
BufferChm
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Dell Resource CD
Destinations
DeviceManagementQFolder
DocProc
Easy Dental 2009
eSupportQFolder
Fax Guru Limited Edition
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Intel® Graphics Media Accelerator Driver
Java(tm) 6 Update 15
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft VC++8.0 SP1 redistributables
Microsoft VC++9.0 redistributables
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy
ProductContext
QuickTime
Readme
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
ShopAtHome.com Toolbar
SolutionCenter
Status
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
3/1/2011 9:26:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/1/2011 3:23:51 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/1/2011 3:09:52 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89b7f210, parameter3 89b7f384, parameter4 805d29b4.
3/1/2011 3:08:58 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3b7808, parameter3 8a3b797c, parameter4 805d29b4.
3/1/2011 3:08:55 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3ab120, parameter3 8a3ab294, parameter4 805d29b4.
3/1/2011 2:25:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
3/1/2011 2:25:33 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/1/2011 2:20:19 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89b5b1c8, parameter3 89b5b33c, parameter4 805d29b4.
3/1/2011 2:20:19 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
3/1/2011 2:20:19 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/1/2011 2:19:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/1/2011 2:10:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
3/1/2011 2:07:44 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
3/1/2011 2:04:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/1/2011 12:55:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/1/2011 11:33:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Admin at 15:19:34.20 on Mon 03/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2188 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\EzDental\SystemTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EzDental\eSyncReminder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\EzDental\WebSyncReminder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Admin\My Documents\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
uRun: [SystemTray.exe] c:\program files\ezdental\SystemTray.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\esyncr~1.lnk - c:\program files\ezdental\eSyncReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\websyn~1.lnk - c:\program files\ezdental\WebSyncReminder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-10 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-3-2 21464]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1405384]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-3-2 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-5-8 110080]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-10 98392]
.
=============== Created Last 30 ================
.
2011-03-02 14:00:06 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00:06 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32:57 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2011-03-01 17:32:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-01 17:32:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 17:32:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-28 22:48:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\bFgPdAb06300
2011-02-21 19:32:57 -------- d-----w- c:\program files\SelectRebates
.
==================== Find3M ====================
.
2011-02-17 19:40:06 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 15:21:37.87 ===============
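An added example (editor's note, not part of jeepbug's or CeciliaB's posts, and not code from DDS or Lavasoft): a first-pass triage script an analyst could run, on a clean machine, over DDS-style log lines like the Pseudo HJT Report and Created Last 30 sections above. It flags autostart entries (uRun/mRun/StartupFolder) whose target lives in a Temp directory, which is what the earlier "windows cannot find ...\Temp\dwn.exe" error in this thread implies, and recently created directories under a profile directory whose names look auto-generated. The sample lines are constructed from paths that appear in the log above plus one constructed uRun line for the dwn.exe case (the thread never shows that Run entry itself), the name heuristic is an assumption chosen for illustration, and a hit means "look at this", not "this is malware". On the log above, the only directory the name check would pick out is c:\docume~1\alluse~1\applic~1\bFgPdAb06300, created 2011-02-28 22:48, the evening before the rogue "System Tool 2011" screen was reported; that timing is worth asking about, but the page does not establish what the folder is.

```python
"""Triage helper for DDS-style log lines (Pseudo HJT Report / Created Last 30).

Added example, not part of the original thread or of the DDS tool. The heuristics
are assumptions chosen for illustration; a finding means "review this", not "malware".
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the DDS log in this thread (paths copied from it)
# plus one constructed uRun line standing in for the Temp\dwn.exe autostart that the
# "windows cannot find ... dwn.exe" error implies. Not output of a real DDS run.
SAMPLE_LOG = r"""
uRun: [SystemTray.exe] c:\program files\ezdental\SystemTray.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [dwn] c:\docume~1\admin\locals~1\temp\dwn.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\esyncr~1.lnk - c:\program files\ezdental\eSyncReminder.exe
2011-03-01 17:32:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-28 22:48:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\bFgPdAb06300
2011-02-21 19:32:57 -------- d-----w- c:\program files\SelectRebates
"""

# Line shapes as DDS prints them: "uRun: [Name] value", "StartupFolder: lnk - target",
# "TB: Name: {CLSID} - path", "YYYY-MM-DD HH:MM:SS size attrs path".
AUTOSTART = re.compile(r'^(?P<kind>[umd]Run(?:Once)?|StartupFolder):\s*(?P<rest>.*)$')
TOOLBAR = re.compile(r'^TB:\s*(?P<name>[^:]+):\s*\{[0-9a-f-]+\}\s*-\s*(?P<path>.+)$', re.I)
CREATED = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\S+\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
# A quoted path, or an unquoted one ending in an executable extension (arguments may follow).
EXE_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|pif))(?:\s|$)', re.I)

TEMP_MARKERS = ('\\temp\\', '\\locals~1\\temp', '\\local settings\\temp')
PROFILE_MARKERS = ('\\docume~1\\', '\\documents and settings\\', '\\applic~1\\', '\\application data\\')


@dataclass
class Finding:
    severity: str   # 'high', 'medium' or 'info'
    reason: str
    subject: str    # the path the finding is about


def extract_target(value: str) -> str:
    """Pull the executable path out of a Run value ("path" args / path args)."""
    value = value.strip()
    m = EXE_PATH.match(value)
    if not m:
        return value
    return (m.group('q') or m.group('u')).strip()


def looks_random(name: str) -> bool:
    """Heuristic (assumption): mixed-case letters plus several digits, the shape of an
    auto-generated folder name rather than a vendor name like 'Malwarebytes'."""
    digits = sum(c.isdigit() for c in name)
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    return len(name) >= 8 and digits >= 3 and has_upper and has_lower


def triage(text: str) -> List[Finding]:
    """Scan DDS-style lines and return the entries an analyst should look at first."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTOSTART.match(line)
        if m:
            value = m.group('rest')
            if m.group('kind') == 'StartupFolder':
                value = value.split(' - ', 1)[-1]              # the .lnk's target
            else:
                value = re.sub(r'^\[[^\]]*\]\s*', '', value)   # drop the [Name]
            target = extract_target(value)
            low = target.lower()
            if any(t in low for t in TEMP_MARKERS):
                findings.append(Finding('high', 'autostart entry runs from a Temp directory', target))
            elif any(p in low for p in PROFILE_MARKERS):
                findings.append(Finding('medium', 'autostart entry runs from a user profile directory', target))
            continue
        m = TOOLBAR.match(line)
        if m:
            findings.append(Finding('info', 'browser toolbar (%s) loaded in IE' % m.group('name').strip(),
                                    m.group('path').strip()))
            continue
        m = CREATED.match(line)
        if m and m.group('attrs').startswith('d'):             # directories only
            path = m.group('path').strip()
            name = path.rsplit('\\', 1)[-1]
            if any(p in path.lower() for p in PROFILE_MARKERS) and looks_random(name):
                findings.append(Finding('high', 'recently created directory with a random-looking name '
                                        'under a profile directory (created %s)' % m.group('date'), path))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%-6s %s: %s' % (f.severity, f.reason, f.subject))
```

Run against the sample it reports the Temp dwn.exe autostart and the bFgPdAb06300 directory as high and the ShopAtHome toolbar as informational, and stays quiet on the Program Files entries. Anything it prints still needs the file itself (hash, signer, creation time against the event log) before it is treated as the infection.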
  17. [quote name='CeciliaB' post='125235' date='Mar 1 2011, 08:50 AM']Please, to get help with cleaning your computer post in the forum [url="http://www.lavasoftsupport.com/index.php?showforum=36"]Help with Stubborn Infections - HijackThis Logs go here[/url] by following the instructions in the topic [url="http://www.lavasoftsupport.com/index.php?showtopic=30823"]Read This Before You Post![/url] as much as possible.
It might be easier to run the tools/programs if you restart the computer in safe mode. You start the computer in Safe mode by tapping the F8 key repeatedly during the start and selecting [b]Safe mode[/b] in the menu, see [url="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx"]http://www.microsoft.com/resources/documen...t_failsafe.mspx[/url].
Has the fake antivirus program a name?[/quote]
We ran in safe mode and went to our regular computer page; the spyware is still there. The name of it is System Tool 2011. It will not let us run Ad-Aware to remove it; it said that Ad-Aware is infected with a virus.
  18. HELP!! When we turned on our computer this morning it popped up with a blue screen that says "Warning, you're in danger! Your computer is infected with spyware". We are not able to open our Ad-Aware to run a scan; it says it is infected. We cannot open any of our other tools to take the virus/spyware off either. Please help!
  19. I attached the files that you had said to. Please let me know what I need to do now. Thanks.
  20. [quote name='CeciliaB' post='124635' date='Jan 6 2011, 06:30 AM']Since it is a work computer I wonder if there is computer support at work that can help you. It is rather common that companies dislike seeing logs from their computers on the internet. I am not sure that all the tools I use to clean a computer are safe to use on a computer configured for domain usage etc. If you want help to clean the computer you must be able to transfer tools and log files between the infected computer and a computer with internet access.
Start by doing Step #1 on the page [url="http://www.lavasoftsupport.com/index.php?showtopic=13639"]http://www.lavasoftsupport.com/index.php?showtopic=13639[/url]
If you have Ad-Aware installed do Step #2.
Do Step #3.
Instead of Step #4 do:
Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]
Double-click on the DDS tool to run it. When finished, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save them to your desktop and paste their content into your answer.[/quote]
  21. My work computer is infected. The computer is displaying "Windows cannot find 'C:\DOCUME~1\Admin\LOCALS~1\Temp\dwn.exe'. Could not load or run specified in the registry - make sure file exists." I googled this and it is saying it is malware. The computer will not connect to the internet. Please help!