jeepbug

Posts posted by jeepbug


  1. [quote name='CeciliaB' post='126099' date='Apr 14 2011, 11:50 AM']Hi jeepbug,

    The MBAM log only changed the settings regarding if Windows Security Center should display messages when the antivirus program, firewall or Windows Update isn't running. That alone is not an indication of an infection.

    Which version of Ad-Aware do you have?
    Have Ad-Aware opened up before?
    Did you install, uninstall or update anything last time Ad-Aware worked?[/quote]

    We have Ad-Aware Anniversary Edition. We haven't installed, uninstalled or updated anything.

  2. [quote name='jeepbug' post='126092' date='Apr 14 2011, 09:47 AM']Our Ad-Aware will not open up; it is saying it was shut down unexpectedly. We are unable to open up Ad-Aware, as it says that it is sending a report to Ad-Aware. Any advice?[/quote]
    Don't know if this helps, but here is the log that we have from Malwarebytes.

  3. [quote name='CeciliaB' post='125449' date='Mar 9 2011, 04:28 PM']Cookies are small text files and they are never dangerous for the computer. When you visit web sites, they often store a cookie in the computer to be able to recognize you when you return the next time. Advertisement companies are interested in keeping track of what ads you have seen and clicked on, and do so by storing a cookie in the computer. Ad-Aware and some other security programs remove the tracking cookies since they consider that behaviour to be spying.

    In short, cookies are stored in the computer by most web sites. They are not dangerous but it is good to remove them now and then to protect your privacy.

    To improve Ad-Aware I want to send the files that ComboFix removed to Lavasoft.
    Do you know how to zip (pack) a folder or do you need a description?
    I want you to zip the C:\Qoobox folder and send it to me, for example by uploading the zip file to [url="http://sprend.com/?r=0kAe0"]http://sprend.com/?r=0kAe0[/url] and send the link to the uploaded file in a PM to me.[/quote]

    Not sure if this is the correct file that you needed; please let us know. Thanks.

  4. [quote name='CeciliaB' post='125442' date='Mar 9 2011, 01:53 PM']What type of stuff does Ad-Aware find?
    You can post an Ad-Aware log if you want.[/quote]

    These are the items:
    Logfile created: 3/9/2011 14:06:59
    Ad-Aware version: 9.0.2
    Extended engine: 3
    Extended engine version: 3.1.2770
    User performing scan: Admin

    *********************** Definitions database information ***********************
    Lavasoft definition file: 150.314
    Genotype definition file version: 2011/03/07 08:12:44
    Extended engine definition file: 8637.0

    ******************************** Scan results: *********************************
    Scan profile name: Smart Scan (ID: smart)
    Objects scanned: 8624
    Objects detected: 5


    Type Detected
    ==========================
    Processes.......: 0
    Registry entries: 0
    Hostfile entries: 0
    Files...........: 0
    Folders.........: 0
    LSPs............: 0
    Cookies.........: 5
    Browser hijacks.: 0
    MRU objects.....: 0



    Removed items:
    Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
    Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0
    Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0
    Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0

    Scan and cleaning complete: Finished correctly after 66 seconds

    *********************************** Settings ***********************************

    Scan profile:
    ID: smart, enabled:1, value: Smart Scan
    ID: folderstoscan, enabled:1, value:
    ID: useantivirus, enabled:1, value: true
    ID: sections, enabled:1
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: false
    ID: scanhostsfile, enabled:1, value: false
    ID: scanmru, enabled:1, value: false
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
    ID: closebrowsers, enabled:1, value: false
    ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: false
    ID: onlyexecutables, enabled:1, value: true
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true
    ID: rootkitlevel, enabled:1, value: strict, domain: medium,mild,strict
    ID: usespywareheuristics, enabled:1, value: true

    Scan global:
    ID: global, enabled:1
    ID: addtocontextmenu, enabled:1, value: true
    ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

    Scheduled scan settings:
    ID: back, enabled:1, value: back
    ID: time, enabled:1, value: Tue Jan 11 13:50:01 2011
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value: smart
    ID: auto_deal_with_infections, enabled:1, value: true

    Update settings:
    ID: updates, enabled:1
    ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
    ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: schedules, enabled:1, value: true
    ID: updatedaily1, enabled:1, value: Daily 1
    ID: time, enabled:1, value: Mon May 10 09:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily2, enabled:1, value: Daily 2
    ID: time, enabled:1, value: Mon May 10 15:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily3, enabled:1, value: Daily 3
    ID: time, enabled:1, value: Mon May 10 21:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily4, enabled:1, value: Daily 4
    ID: time, enabled:1, value: Mon May 10 03:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updateweekly1, enabled:1, value: Weekly
    ID: time, enabled:1, value: Mon May 10 09:17:00 2010
    ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: true
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: true
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false

    Appearance settings:
    ID: appearance, enabled:1
    ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
    ID: showtrayicon, enabled:1, value: true
    ID: autoentertainmentmode, enabled:1, value: true
    ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
    ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

    Realtime protection settings:
    ID: realtime, enabled:1
    ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant
    ID: modules, enabled:1
    ID: processprotection, enabled:1, value: true
    ID: onaccessprotection, enabled:1, value: true
    ID: registryprotection, enabled:1, value: true
    ID: networkprotection, enabled:1, value: true
    ID: layers, enabled:1
    ID: useantivirus, enabled:1, value: true
    ID: usespywareheuristics, enabled:1, value: true
    ID: maintainbackup, enabled:1, value: true


    ****************************** System information ******************************
    Computer name: PC2BACK
    Processor name: Intel® Pentium® Dual CPU E2220 @ 2.40GHz
    Processor identifier: x86 Family 6 Model 15 Stepping 13
    Processor speed: ~2393MHZ
    Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2]
    Physical memory available: 2306064384 bytes
    Physical memory total: 3184435200 bytes
    Virtual memory available: 1817571328 bytes
    Virtual memory total: 2147352576 bytes
    Memory load: 27%
    Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Windows startup mode:

    Running processes:
    PID: 676 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 740 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 764 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 808 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 820 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1000 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1068 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1164 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1212 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1296 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1440 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1560 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1732 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1976 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1912 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 264 name: C:\WINDOWS\RTHDCPL.EXE owner: Admin domain: PC2BACK
    PID: 1808 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Admin domain: PC2BACK
    PID: 332 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Admin domain: PC2BACK
    PID: 328 name: C:\Program Files\EzDental\SystemTray.exe owner: Admin domain: PC2BACK
    PID: 940 name: C:\Program Files\EzDental\eSyncReminder.exe owner: Admin domain: PC2BACK
    PID: 552 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Admin domain: PC2BACK
    PID: 628 name: C:\Program Files\EzDental\WebSyncReminder.exe owner: Admin domain: PC2BACK
    PID: 3296 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Admin domain: PC2BACK
    PID: 3700 name: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe owner: Admin domain: PC2BACK
    PID: 2728 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 2292 name: C:\WINDOWS\explorer.exe owner: Admin domain: PC2BACK
    PID: 3004 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Admin domain: PC2BACK
    PID: 3220 name: C:\WINDOWS\system32\ctfmon.exe owner: Admin domain: PC2BACK
    PID: 3240 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Admin domain: PC2BACK
    PID: 3536 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3876 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3612 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3760 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Admin domain: PC2BACK
    PID: 4052 name: C:\WINDOWS\system32\wscntfy.exe owner: Admin domain: PC2BACK
    PID: 3684 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Admin domain: PC2BACK
    PID: 968 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Admin domain: PC2BACK

    Startup items:
    Name: RunNarrator
    imagepath: Narrator.exe
    Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    imagepath: Browseui preloader
    Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
    imagepath: Component Categories cache daemon
    Name: PostBootReminder
    imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
    Name: CDBurn
    imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
    Name: WebCheck
    imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    Name: SysTray
    imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
    Name: RTHDCPL
    imagepath: RTHDCPL.EXE
    Name: Adobe Reader Speed Launcher
    imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    Name: Adobe ARM
    imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Name: HP Software Update
    imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    Name:
    imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk
    imagepath: C:\Program Files\EzDental\eSyncReminder.exe
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk
    imagepath: C:\Program Files\EzDental\WebSyncReminder.exe
    Name:
    imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

    Bootexecute items:
    Name:
    imagepath: autocheck autochk *
    Name:
    imagepath: lsdelete

    Running services:
    Name: Alerter
    displayname: Alerter
    Name: ALG
    displayname: Application Layer Gateway Service
    Name: AudioSrv
    displayname: Windows Audio
    Name: BITS
    displayname: Background Intelligent Transfer Service
    Name: Browser
    displayname: Computer Browser
    Name: CryptSvc
    displayname: CryptSvc
    Name: DcomLaunch
    displayname: DCOM Server Process Launcher
    Name: Dhcp
    displayname: DHCP Client
    Name: dmserver
    displayname: Logical Disk Manager
    Name: Dnscache
    displayname: DNS Client
    Name: ERSvc
    displayname: Error Reporting Service
    Name: Eventlog
    displayname: Event Log
    Name: EventSystem
    displayname: COM+ Event System
    Name: FastUserSwitchingCompatibility
    displayname: Fast User Switching Compatibility
    Name: helpsvc
    displayname: Help and Support
    Name: HTTPFilter
    displayname: HTTP SSL
    Name: JavaQuickStarterService
    displayname: Java Quick Starter
    Name: LanmanServer
    displayname: Server
    Name: lanmanworkstation
    displayname: Workstation
    Name: Lavasoft Ad-Aware Service
    displayname: Lavasoft Ad-Aware Service
    Name: LmHosts
    displayname: TCP/IP NetBIOS Helper
    Name: Netman
    displayname: Network Connections
    Name: Nla
    displayname: Network Location Awareness (NLA)
    Name: PlugPlay
    displayname: Plug and Play
    Name: PolicyAgent
    displayname: IPSEC Services
    Name: ProtectedStorage
    displayname: Protected Storage
    Name: RasMan
    displayname: Remote Access Connection Manager
    Name: RemoteRegistry
    displayname: Remote Registry
    Name: RpcSs
    displayname: Remote Procedure Call (RPC)
    Name: SamSs
    displayname: Security Accounts Manager
    Name: Schedule
    displayname: Task Scheduler
    Name: seclogon
    displayname: Secondary Logon
    Name: SENS
    displayname: System Event Notification
    Name: SharedAccess
    displayname: Windows Firewall/Internet Connection Sharing (ICS)
    Name: ShellHWDetection
    displayname: Shell Hardware Detection
    Name: Spooler
    displayname: Print Spooler
    Name: srservice
    displayname: System Restore Service
    Name: SSDPSRV
    displayname: SSDP Discovery Service
    Name: stisvc
    displayname: Windows Image Acquisition (WIA)
    Name: TapiSrv
    displayname: Telephony
    Name: TermService
    displayname: Terminal Services
    Name: Themes
    displayname: Themes
    Name: TrkWks
    displayname: Distributed Link Tracking Client
    Name: W32Time
    displayname: Windows Time
    Name: WebClient
    displayname: WebClient
    Name: winmgmt
    displayname: Windows Management Instrumentation
    Name: wscsvc
    displayname: Security Center
    Name: wuauserv
    displayname: Automatic Updates
    Name: WZCSVC
    displayname: Wireless Zero Configuration

  5. [quote name='CeciliaB' post='125438' date='Mar 9 2011, 11:08 AM']Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.[u]lnk[/u]

    You are dragging a shortcut and not a text file.

    Fetch this CFScript.txt: [url="http://www.sendspace.com/file/xbf5eh"]http://www.sendspace.com/file/xbf5eh[/url]
    Save it on the desktop and drag it to ComboFix.[/quote]
    ComboFix 11-03-08.07 - Admin 03/09/2011 11:28:27.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2376 [GMT -6:00]
    Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\bFgPdAb06300
    c:\documents and settings\All Users\Application Data\bFgPdAb06300\bFgPdAb06300
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_cerc6
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
    2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
    2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-02-02 07:58 . 2010-05-08 15:32 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-05-08 15:32 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_14.37.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-09 17:31 . 2011-03-09 17:31 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
    - 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-04-14 12:00 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll
    - 2008-04-14 12:00 . 2008-04-14 12:00 270848 c:\windows\system32\dllcache\sbe.dll
    - 2010-05-08 15:32 . 2008-04-14 12:00 677888 c:\windows\system32\dllcache\lhmstsc.exe
    + 2010-05-08 15:32 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
    + 2008-04-14 12:00 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
    - 2008-04-14 12:00 . 2008-04-14 12:00 186880 c:\windows\system32\dllcache\encdec.dll
    + 2010-05-08 15:32 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
    + 2010-05-08 18:48 . 2011-03-09 16:15 37943240 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
    Rootkit scan 2011-03-09 11:31
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2292)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-09 11:32:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-09 17:32
    ComboFix2.txt 2011-03-09 15:18
    ComboFix3.txt 2011-03-09 14:42
    ComboFix4.txt 2011-03-08 19:20
    ComboFix5.txt 2011-03-09 17:28
    .
    Pre-Run: 197,870,215,168 bytes free
    Post-Run: 197,805,293,568 bytes free
    .
    - - End Of File - - 1552C8B32117F10CFB8EAF34FD39DA64

  6. [quote name='CeciliaB' post='125436' date='Mar 9 2011, 08:59 AM']This time ComboFix noticed the file :) but unfortunately it could not understand its content. Try once more to create CFScript. Be sure to use Notepad and that the content is exactly:

    Killall::
    Driver::
    cerc6
    Folder::
    c:\documents and settings\All Users\Application Data\bFgPdAb06300[/quote]

    ComboFix 11-03-08.07 - Admin 03/09/2011 9:16.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2413 [GMT -6:00]
    Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood
    2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
    2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
    2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_14.37.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
    - 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
    S0 cerc6;cerc6; [x]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
    Rootkit scan 2011-03-09 09:17
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2944)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-03-09 09:18:31
    ComboFix-quarantined-files.txt 2011-03-09 15:18
    ComboFix2.txt 2011-03-09 14:42
    ComboFix3.txt 2011-03-08 19:20
    ComboFix4.txt 2011-03-08 14:38
    .
    Pre-Run: 197,953,257,472 bytes free
    Post-Run: 197,940,707,328 bytes free
    .
    - - End Of File - - 5C4B33059EC9860B8C46D1E9F827C313

  7. [quote name='CeciliaB' post='125419' date='Mar 8 2011, 04:11 PM']Sorry, ComboFix did not notice that you dropped a file on top of it. Maybe it is easier to understand what you should do with this picture:
    [img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img][/quote]


    Okay, that is what we did... here it is again... hopefully this time it works! Thanks.

    ComboFix 11-03-08.07 - Admin 03/09/2011 8:39.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2399 [GMT -6:00]
    Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood
    2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
    2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
    2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    .
    .
    ((((((((((((((((((((((((((((( [email protected]_14.37.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
    - 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2010-05-08 15:43 . 2011-03-08 13:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
    S0 cerc6;cerc6; [x]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
    Rootkit scan 2011-03-09 08:41
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2600)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-03-09 08:42:06
    ComboFix-quarantined-files.txt 2011-03-09 14:42
    ComboFix2.txt 2011-03-08 19:20
    ComboFix3.txt 2011-03-08 14:38
    .
    Pre-Run: 197,935,550,464 bytes free
    Post-Run: 197,935,759,360 bytes free
    .
    - - End Of File - - DF47015B21BD2EED7C3000CE932508FE

  8. [quote name='CeciliaB' post='125415' date='Mar 8 2011, 11:56 AM']I don't know, the result from virustotal is hard to interpret. The coupon file was stored in the computer 17th of February, while SelectRebates, that ComboFix removed, was stored 21st of February.

    There is a malicious folder from 28th of February that will be removed with the following instruction:

    Copy all lines in the box:
    [code]Killall::
    Driver::
    cerc6
    Folder::
    c:\documents and settings\All Users\Application Data\bFgPdAb06300[/code]
    and paste into Notepad.
    Save the file on the desktop with the name CFScript.

    Prepare the computer according to the instructions for running ComboFix.
    Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.

    ComboFix 11-03-07.07 - Admin 03/08/2011 13:17:46.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2353 [GMT -6:00]
    Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
    S0 cerc6;cerc6; [x]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
    Rootkit scan 2011-03-08 13:19
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2880)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-03-08 13:20:04
    ComboFix-quarantined-files.txt 2011-03-08 19:20
    ComboFix2.txt 2011-03-08 14:38
    .
    Pre-Run: 197,988,220,928 bytes free
    Post-Run: 198,001,770,496 bytes free
    .
    - - End Of File - - 561927E8569C129C2A53AF77DBC35CC4

    Paste the new ComboFix log into your answer.[/quote]
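    As an added example (not ComboFix's own code, nor anything posted in this thread), a small Python triage script that parses the two ComboFix sections the CFScript above acts on: the service/driver list, where `S0 cerc6;cerc6; [x]` is a boot-start driver entry whose binary no longer exists on disk, and the "Files Created" list, where the randomly named folder under All Users\Application Data shows up. The sample log is an excerpt of the log quoted above; the random-name heuristic is my own assumption, not a ComboFix rule.

```python
"""Triage helper for ComboFix log excerpts (added example, not ComboFix code).

Parses the service list ("R0 Lbd;Lbd;<path> [date size]") and the
"Files Created" list ("<created> . <modified> <size> <attrs> <path>") and
flags what the thread's CFScript targets: a driver entry with no binary on
disk ("S0 cerc6;cerc6; [x]") and a newly created, randomly named folder
under an Application Data directory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# "R0 Lbd;Lbd;c:\...\Lbd.sys [5/10/2010 8:40 AM 64288]"  or  "S0 cerc6;cerc6; [x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]\s*$"
)
# "2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\...\bFgPdAb06300"
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Heuristic (my assumption): mixed-case letters followed by three or more
# digits, no spaces or underscores, e.g. bFgPdAb06300.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4,}\d{3,}$")


@dataclass
class ServiceEntry:
    start: str  # R0..R3 = running (boot..manual start), S0..S3 = stopped
    name: str
    path: str   # empty when ComboFix prints "[x]", i.e. the binary is missing
    info: str


@dataclass
class CreatedEntry:
    created: str
    modified: str
    is_dir: bool  # attribute column starts with "d"
    path: str


def parse_services(lines: List[str]) -> List[ServiceEntry]:
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(ServiceEntry(m["start"], m["name"], m["path"].strip(), m["info"]))
    return out


def parse_created(lines: List[str]) -> List[CreatedEntry]:
    out = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            out.append(CreatedEntry(m["created"], m["modified"],
                                    m["attrs"].startswith("d"), m["path"]))
    return out


def missing_binary_services(entries: List[ServiceEntry]) -> List[str]:
    """Names of registered services/drivers whose file is gone ("[x]").
    A boot-start entry like this is a leftover the removal script cleans up."""
    return [e.name for e in entries if e.path == "" or e.info.strip() == "x"]


def suspicious_new_dirs(entries: List[CreatedEntry]) -> List[str]:
    """Newly created directories directly under an 'Application Data' folder
    whose basename looks machine-generated."""
    hits = []
    for e in entries:
        if not e.is_dir:
            continue
        parent, _, base = e.path.rpartition("\\")
        if parent.lower().endswith("application data") and RANDOM_NAME_RE.match(base):
            hits.append(e.path)
    return hits


def triage(log_text: str) -> Dict[str, List[str]]:
    lines = log_text.splitlines()
    return {
        "orphan_services": missing_binary_services(parse_services(lines)),
        "suspicious_dirs": suspicious_new_dirs(parse_created(lines)),
    }


# Excerpt of the ComboFix log quoted in this thread (lines copied from it).
SAMPLE_LOG = r"""
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

The Ad-Aware and Malwarebytes folders and the legitimate drivers pass through untouched; only the two items the CFScript names are reported.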

  9. [quote name='CeciliaB' post='125410' date='Mar 8 2011, 10:46 AM']The link is [url="http://www.virustotal.com/file-scan/report.html?id=e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703-1299521373"]http://www.virustotal.com/file-scan/report...5703-1299521373[/url]
    with the following information about the file:
    Is this something you recognize and want to have in the computer?[/quote]

    Is this what is causing our problem? If it is, then we don't want it on the computer.

  10. [quote name='CeciliaB' post='125408' date='Mar 8 2011, 09:25 AM']Nice that Ad-Aware can scan again!

    Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report:
    c:\windows\system32\cpnprt2.cid[/quote]


    Here is what it says:
    MD5: 5d7882518f349aea63de2742339dd06f
    Date first seen: 2011-02-17 02:35:39 (UTC)
    Date last seen: 2011-03-07 18:09:33 (UTC)
    Detection ratio: 3/43
    VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name: cpnprt2.cid
    Submission date: 2011-03-07 18:09:33 (UTC)
    Current status: finished
    Result: 3 /43 (7.0%)
    VT Community: not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2011.03.07.06 2011.03.07 -
    AntiVir 7.11.4.100 2011.03.07 -
    Antiy-AVL 2.0.3.7 2011.03.06 -
    Avast 4.8.1351.0 2011.03.07 -
    Avast5 5.0.677.0 2011.03.07 -
    AVG 10.0.0.1190 2011.03.07 -
    BitDefender 7.2 2011.03.07 -
    CAT-QuickHeal 11.00 2011.03.07 -
    ClamAV 0.96.4.0 2011.03.07 -
    Commtouch 5.2.11.5 2011.03.07 -
    Comodo 7903 2011.03.07 -
    DrWeb 5.0.2.03300 2011.03.07 -
    Emsisoft 5.1.0.2 2011.03.07 -
    eSafe 7.0.17.0 2011.03.06 Win32.TRBuzy
    eTrust-Vet 36.1.8198 2011.03.04 -
    F-Prot 4.6.2.117 2011.03.07 -
    F-Secure 9.0.16440.0 2011.03.07 -
    Fortinet 4.2.254.0 2011.03.07 -
    GData 21 2011.03.07 -
    Ikarus T3.1.1.97.0 2011.03.07 -
    Jiangmin 13.0.900 2011.03.07 -
    K7AntiVirus 9.92.4048 2011.03.07 -
    Kaspersky 7.0.0.125 2011.03.07 -
    McAfee 5.400.0.1158 2011.03.07 Artemis!5D7882518F34
    McAfee-GW-Edition 2010.1C 2011.03.07 Artemis!5D7882518F34
    Microsoft 1.6603 2011.03.07 -
    NOD32 5934 2011.03.07 -
    Norman 6.07.03 2011.03.07 -
    nProtect 2011-02-10.01 2011.02.15 -
    Panda 10.0.3.5 2011.03.07 -
    PCTools 7.0.3.5 2011.03.07 -
    Prevx 3.0 2011.03.07 -
    Rising 23.48.00.06 2011.03.07 -
    Sophos 4.63.0 2011.03.07 -
    SUPERAntiSpyware 4.40.0.1006 2011.03.07 -
    Symantec 20101.3.0.103 2011.03.07 -
    TheHacker 6.7.0.1.145 2011.03.06 -
    TrendMicro 9.200.0.1012 2011.03.07 -
    TrendMicro-HouseCall 9.200.0.1012 2011.03.07 -
    VBA32 3.12.14.3 2011.03.04 -
    VIPRE 8629 2011.03.07 -
    ViRobot 2011.3.7.4345 2011.03.07 -
    VirusBuster 13.6.239.0 2011.03.07 -
    Additional information
    MD5 : 5d7882518f349aea63de2742339dd06f
    SHA1 : ba7b32ff5af8e28e72c4616cc85b6600690e24e3
    SHA256: e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703

  11. [quote name='jeepbug' post='125405' date='Mar 8 2011, 08:39 AM']ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00]
    Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Admin\My Documents\iexplore.exe
    c:\program files\Quicktime\QTTask.exe
    c:\program files\SelectRebates
    c:\program files\SelectRebates\FFToolbar\chrome.manifest
    c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
    c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
    c:\program files\SelectRebates\FFToolbar\install.rdf
    c:\program files\SelectRebates\SahImages\alert.png
    c:\program files\SelectRebates\SahImages\check.png
    c:\program files\SelectRebates\SahImages\close.png
    c:\program files\SelectRebates\SelectAlerts.dat
    c:\program files\SelectRebates\SelectRebates.exe
    c:\program files\SelectRebates\SelectRebates.ini
    c:\program files\SelectRebates\SelectRebatesA.dat
    c:\program files\SelectRebates\SelectRebatesApi.exe
    c:\program files\SelectRebates\SelectRebatesB.dat
    c:\program files\SelectRebates\SelectRebatesBT.dat
    c:\program files\SelectRebates\SelectRebatesDownload.exe
    c:\program files\SelectRebates\SelectRebatesUninstall.exe
    c:\program files\SelectRebates\SRebates.dll
    c:\program files\SelectRebates\SRFF3.dll
    c:\program files\SelectRebates\Toolbar\AddtoList.bmp
    c:\program files\SelectRebates\Toolbar\basis.xml
    c:\program files\SelectRebates\Toolbar\Basis.xml.dym
    c:\program files\SelectRebates\Toolbar\Blank.bmp
    c:\program files\SelectRebates\Toolbar\CashBack.bmp
    c:\program files\SelectRebates\Toolbar\Coupons.bmp
    c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
    c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
    c:\program files\SelectRebates\Toolbar\icons.bmp
    c:\program files\SelectRebates\Toolbar\logo.bmp
    c:\program files\SelectRebates\Toolbar\logo_24.bmp
    c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
    c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
    c:\program files\SelectRebates\Toolbar\RightControls.dym
    c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
    c:\program files\SelectRebates\Toolbar\Scissors.bmp
    c:\windows\jestertb.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
    S0 cerc6;cerc6; [x]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
    Rootkit scan 2011-03-08 08:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-03-08 08:38:10
    ComboFix-quarantined-files.txt 2011-03-08 14:38
    .
    Pre-Run: 197,996,335,104 bytes free
    Post-Run: 197,955,928,064 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701[/quote]



    After we did this ComboFix run we ran another Smart Scan on the computer; the following log is from that scan.
    Logfile created: 3/8/2011 08:40:16
    Ad-Aware version: 9.0.2
    Extended engine: 3
    Extended engine version: 3.1.2770
    User performing scan: Admin

    *********************** Definitions database information ***********************
    Lavasoft definition file: 150.312
    Genotype definition file version: 2011/03/07 08:12:44
    Extended engine definition file: 8627.0

    ******************************** Scan results: *********************************
    Scan profile name: Smart Scan (ID: smart)
    Objects scanned: 7837
    Objects detected: 5


    Type Detected
    ==========================
    Processes.......: 0
    Registry entries: 0
    Hostfile entries: 0
    Files...........: 0
    Folders.........: 0
    LSPs............: 0
    Cookies.........: 5
    Browser hijacks.: 0
    MRU objects.....: 0



    Removed items:
    Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
    Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
    Description: *insightexpressai* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409259 Family ID: 0
    Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0

    Scan and cleaning complete: Finished correctly after 65 seconds

    *********************************** Settings ***********************************

    Scan profile:
    ID: smart, enabled:1, value: Smart Scan
    ID: folderstoscan, enabled:1, value:
    ID: useantivirus, enabled:1, value: true
    ID: sections, enabled:1
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: false
    ID: scanhostsfile, enabled:1, value: false
    ID: scanmru, enabled:1, value: false
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
    ID: closebrowsers, enabled:1, value: false
    ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: false
    ID: onlyexecutables, enabled:1, value: true
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true
    ID: rootkitlevel, enabled:1, value: strict, domain: medium,mild,strict
    ID: usespywareheuristics, enabled:1, value: true

    Scan global:
    ID: global, enabled:1
    ID: addtocontextmenu, enabled:1, value: true
    ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

    Scheduled scan settings:
    ID: back, enabled:1, value: back
    ID: time, enabled:1, value: Tue Jan 11 13:50:01 2011
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value: smart
    ID: auto_deal_with_infections, enabled:1, value: true

    Update settings:
    ID: updates, enabled:1
    ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
    ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: schedules, enabled:1, value: true
    ID: updatedaily1, enabled:1, value: Daily 1
    ID: time, enabled:1, value: Mon May 10 09:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily2, enabled:1, value: Daily 2
    ID: time, enabled:1, value: Mon May 10 15:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily3, enabled:1, value: Daily 3
    ID: time, enabled:1, value: Mon May 10 21:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily4, enabled:1, value: Daily 4
    ID: time, enabled:1, value: Mon May 10 03:17:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updateweekly1, enabled:1, value: Weekly
    ID: time, enabled:1, value: Mon May 10 09:17:00 2010
    ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: true
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: true
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false

    Appearance settings:
    ID: appearance, enabled:1
    ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
    ID: showtrayicon, enabled:1, value: true
    ID: autoentertainmentmode, enabled:1, value: true
    ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
    ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

    Realtime protection settings:
    ID: realtime, enabled:1
    ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant
    ID: layers, enabled:1
    ID: useantivirus, enabled:1, value: true
    ID: usespywareheuristics, enabled:1, value: true
    ID: maintainbackup, enabled:1, value: true
    ID: modules, enabled:1
    ID: processprotection, enabled:1, value: true
    ID: onaccessprotection, enabled:1, value: true
    ID: registryprotection, enabled:1, value: true
    ID: networkprotection, enabled:1, value: true


    ****************************** System information ******************************
    Computer name: PC2BACK
    Processor name: Intel® Pentium® Dual CPU E2220 @ 2.40GHz
    Processor identifier: x86 Family 6 Model 15 Stepping 13
    Processor speed: ~2395MHZ
    Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2]
    Physical memory available: 2500923392 bytes
    Physical memory total: 3184435200 bytes
    Virtual memory available: 1805524992 bytes
    Virtual memory total: 2147352576 bytes
    Memory load: 21%
    Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Windows startup mode:

    Running processes:
    PID: 672 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 740 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 764 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 808 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 820 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 992 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1060 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1156 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1252 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1288 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1332 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1612 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1716 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1780 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1896 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 732 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1476 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1524 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 2088 name: C:\WINDOWS\RTHDCPL.EXE owner: Admin domain: PC2BACK
    PID: 2108 name: C:\WINDOWS\system32\igfxtray.exe owner: Admin domain: PC2BACK
    PID: 2116 name: C:\WINDOWS\system32\hkcmd.exe owner: Admin domain: PC2BACK
    PID: 2144 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Admin domain: PC2BACK
    PID: 2208 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Admin domain: PC2BACK
    PID: 2256 name: C:\Program Files\EzDental\SystemTray.exe owner: Admin domain: PC2BACK
    PID: 2280 name: C:\WINDOWS\system32\ctfmon.exe owner: Admin domain: PC2BACK
    PID: 2368 name: C:\Program Files\EzDental\eSyncReminder.exe owner: Admin domain: PC2BACK
    PID: 2392 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Admin domain: PC2BACK
    PID: 2412 name: C:\Program Files\EzDental\WebSyncReminder.exe owner: Admin domain: PC2BACK
    PID: 2488 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3056 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Admin domain: PC2BACK
    PID: 3164 name: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe owner: Admin domain: PC2BACK
    PID: 3392 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Admin domain: PC2BACK
    PID: 616 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Admin domain: PC2BACK
    PID: 2968 name: C:\WINDOWS\explorer.exe owner: Admin domain: PC2BACK
    PID: 444 name: C:\WINDOWS\system32\wscntfy.exe owner: Admin domain: PC2BACK

    Startup items:
    Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    imagepath: Browseui preloader
    Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
    imagepath: Component Categories cache daemon
    Name: RTHDCPL
    imagepath: RTHDCPL.EXE
    Name: IgfxTray
    imagepath: C:\WINDOWS\system32\igfxtray.exe
    Name: HotKeysCmds
    imagepath: C:\WINDOWS\system32\hkcmd.exe
    Name: Adobe Reader Speed Launcher
    imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    Name: Adobe ARM
    imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Name: HP Software Update
    imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    Name: RunNarrator
    imagepath: Narrator.exe
    Name: PostBootReminder
    imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
    Name: CDBurn
    imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
    Name: WebCheck
    imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    Name: SysTray
    imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
    Name:
    imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk
    imagepath: C:\Program Files\EzDental\eSyncReminder.exe
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk
    imagepath: C:\Program Files\EzDental\WebSyncReminder.exe
    Name:
    imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

    Bootexecute items:
    Name:
    imagepath: autocheck autochk *
    Name:
    imagepath: lsdelete

    Running services:
    Name: Alerter
    displayname: Alerter
    Name: ALG
    displayname: Application Layer Gateway Service
    Name: AudioSrv
    displayname: Windows Audio
    Name: Browser
    displayname: Computer Browser
    Name: CryptSvc
    displayname: Cryptographic Services
    Name: DcomLaunch
    displayname: DCOM Server Process Launcher
    Name: Dhcp
    displayname: DHCP Client
    Name: dmserver
    displayname: Logical Disk Manager
    Name: Dnscache
    displayname: DNS Client
    Name: ERSvc
    displayname: Error Reporting Service
    Name: Eventlog
    displayname: Event Log
    Name: EventSystem
    displayname: COM+ Event System
    Name: FastUserSwitchingCompatibility
    displayname: Fast User Switching Compatibility
    Name: helpsvc
    displayname: Help and Support
    Name: HTTPFilter
    displayname: HTTP SSL
    Name: JavaQuickStarterService
    displayname: Java Quick Starter
    Name: LanmanServer
    displayname: Server
    Name: lanmanworkstation
    displayname: Workstation
    Name: Lavasoft Ad-Aware Service
    displayname: Lavasoft Ad-Aware Service
    Name: LmHosts
    displayname: TCP/IP NetBIOS Helper
    Name: Netman
    displayname: Network Connections
    Name: Nla
    displayname: Network Location Awareness (NLA)
    Name: PlugPlay
    displayname: Plug and Play
    Name: PolicyAgent
    displayname: IPSEC Services
    Name: ProtectedStorage
    displayname: Protected Storage
    Name: RasMan
    displayname: Remote Access Connection Manager
    Name: RemoteRegistry
    displayname: Remote Registry
    Name: RpcSs
    displayname: Remote Procedure Call (RPC)
    Name: SamSs
    displayname: Security Accounts Manager
    Name: Schedule
    displayname: Task Scheduler
    Name: seclogon
    displayname: Secondary Logon
    Name: SENS
    displayname: System Event Notification
    Name: SharedAccess
    displayname: Windows Firewall/Internet Connection Sharing (ICS)
    Name: ShellHWDetection
    displayname: Shell Hardware Detection
    Name: Spooler
    displayname: Print Spooler
    Name: srservice
    displayname: System Restore Service
    Name: SSDPSRV
    displayname: SSDP Discovery Service
    Name: stisvc
    displayname: Windows Image Acquisition (WIA)
    Name: TapiSrv
    displayname: Telephony
    Name: TermService
    displayname: Terminal Services
    Name: Themes
    displayname: Themes
    Name: TrkWks
    displayname: Distributed Link Tracking Client
    Name: W32Time
    displayname: Windows Time
    Name: WebClient
    displayname: WebClient
    Name: winmgmt
    displayname: Windows Management Instrumentation
    Name: wscsvc
    displayname: Security Center
    Name: wuauserv
    displayname: Automatic Updates
    Name: WZCSVC
    displayname: Wireless Zero Configuration
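
    As an added example (not ComboFix's or Lavasoft's code, and not part of the original post), the following Python script shows how a responder might triage a ComboFix log like the one above. It parses the "Other Deletions" and "Files Created" sections and flags entries with the same characteristics as the ones removed here: an iexplore.exe sitting under My Documents, a DLL dropped straight into C:\WINDOWS, and a randomly named folder under All Users\Application Data. The sample log embedded in the script is a constructed excerpt with the same layout as the posted log; the expected-directory table and the random-name heuristic are the example's own assumptions, not anything ComboFix itself does.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re

# Constructed excerpt in the layout of a ComboFix log (not the full posted log).
SAMPLE_LOG = """\
ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\documents and settings\\Admin\\My Documents\\iexplore.exe
c:\\program files\\Quicktime\\QTTask.exe
c:\\program files\\SelectRebates\\SelectRebates.exe
c:\\program files\\SelectRebates\\Toolbar\\logo.bmp
c:\\windows\\jestertb.dll
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\\documents and settings\\All Users\\Application Data\\bFgPdAb06300
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
USER_WRITABLE = ("c:\\documents and settings\\", "c:\\users\\")
# Assumption: well-known binary names and the only directory each belongs in on XP.
EXPECTED_HOME = {
    "iexplore.exe": "c:\\program files\\internet explorer\\",
    "explorer.exe": "c:\\windows\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
}


def parse_sections(text):
    """Split a ComboFix log into {section title: [lines]}; '.' spacer lines are dropped."""
    sections = {"header": []}
    current = "header"
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_created(lines):
    """Parse 'Files Created' rows; size is None for directories (shown as '--------')."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["size"] = None if row["size"].startswith("-") else int(row["size"])
        row["is_dir"] = row["attrs"].startswith("d")
        rows.append(row)
    return rows


def looks_random(name):
    """Crude heuristic for generated names: alnum only, 8+ chars, both cases, 3+ digits."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None
            and sum(c.isdigit() for c in name) >= 3
            and any(c.islower() for c in name) and any(c.isupper() for c in name))


def flag_path(path, is_dir=False):
    """Return the reasons this path deserves a closer look (empty list if none)."""
    p = path.lower()
    name_orig = path.rsplit("\\", 1)[-1]
    name = name_orig.lower()
    is_exec = name.endswith(EXEC_EXT)
    home = EXPECTED_HOME.get(name)
    in_home = home is not None and p.startswith(home)
    reasons = []
    if home and not in_home:
        reasons.append(f"system binary name outside {home}")
    if is_exec and p.startswith(USER_WRITABLE):
        reasons.append("executable in a user-writable profile directory")
    # Exactly two backslashes means the file sits directly in c:\windows, not a subfolder.
    if is_exec and not in_home and p.startswith("c:\\windows\\") and p.count("\\") == 2:
        reasons.append("executable dropped directly in %WINDIR%")
    if is_dir and looks_random(name_orig):
        reasons.append("randomly named directory")
    return reasons


def triage(text):
    """Run the checks over deletions and newly created entries; returns (path, reason) pairs."""
    sections = parse_sections(text)
    findings = []
    for path in sections.get("Other Deletions", []):
        # Deletion rows carry no attributes, so treat extension-less names as directories.
        for reason in flag_path(path, is_dir="." not in path.rsplit("\\", 1)[-1]):
            findings.append((path, reason))
    for title, lines in sections.items():
        if title.startswith("Files Created"):
            for row in parse_created(lines):
                for reason in flag_path(row["path"], row["is_dir"]):
                    findings.append((row["path"], reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:55} {path}")
```

    Run against the constructed excerpt it reports four findings: the My Documents iexplore.exe twice (wrong home directory, and an executable in a profile folder), jestertb.dll in the Windows root, and the bFgPdAb06300 folder. The QuickTime and SelectRebates entries are not flagged by these rules, which is the point of the caveat: heuristics like these narrow what to look at first, they do not replace signature-based removal or a manual review of the log.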

  12. [quote name='CeciliaB' post='125368' date='Mar 7 2011, 05:37 PM']Can you run ComboFix?[/quote]

    ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00]
    Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Admin\My Documents\iexplore.exe
    c:\program files\Quicktime\QTTask.exe
    c:\program files\SelectRebates
    c:\program files\SelectRebates\FFToolbar\chrome.manifest
    c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
    c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
    c:\program files\SelectRebates\FFToolbar\install.rdf
    c:\program files\SelectRebates\SahImages\alert.png
    c:\program files\SelectRebates\SahImages\check.png
    c:\program files\SelectRebates\SahImages\close.png
    c:\program files\SelectRebates\SelectAlerts.dat
    c:\program files\SelectRebates\SelectRebates.exe
    c:\program files\SelectRebates\SelectRebates.ini
    c:\program files\SelectRebates\SelectRebatesA.dat
    c:\program files\SelectRebates\SelectRebatesApi.exe
    c:\program files\SelectRebates\SelectRebatesB.dat
    c:\program files\SelectRebates\SelectRebatesBT.dat
    c:\program files\SelectRebates\SelectRebatesDownload.exe
    c:\program files\SelectRebates\SelectRebatesUninstall.exe
    c:\program files\SelectRebates\SRebates.dll
    c:\program files\SelectRebates\SRFF3.dll
    c:\program files\SelectRebates\Toolbar\AddtoList.bmp
    c:\program files\SelectRebates\Toolbar\basis.xml
    c:\program files\SelectRebates\Toolbar\Basis.xml.dym
    c:\program files\SelectRebates\Toolbar\Blank.bmp
    c:\program files\SelectRebates\Toolbar\CashBack.bmp
    c:\program files\SelectRebates\Toolbar\Coupons.bmp
    c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
    c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
    c:\program files\SelectRebates\Toolbar\icons.bmp
    c:\program files\SelectRebates\Toolbar\logo.bmp
    c:\program files\SelectRebates\Toolbar\logo_24.bmp
    c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
    c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
    c:\program files\SelectRebates\Toolbar\RightControls.dym
    c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
    c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
    c:\program files\SelectRebates\Toolbar\Scissors.bmp
    c:\windows\jestertb.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
    R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
    S0 cerc6;cerc6; [x]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
    .
    2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
    Rootkit scan 2011-03-08 08:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-03-08 08:38:10
    ComboFix-quarantined-files.txt 2011-03-08 14:38
    .
    Pre-Run: 197,996,335,104 bytes free
    Post-Run: 197,955,928,064 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701

  13. [quote name='CeciliaB' post='125366' date='Mar 7 2011, 04:03 PM'][b]1. RKill[/b]
    Please, download RKill by Grinler to your Desktop:
    On the page [url="http://www.bleepingcomputer.com/download/anti-virus/rkill"]http://www.bleepingcomputer.com/download/anti-virus/rkill[/url] click the link [b]iExplore.exe Download Link[/b] and save it to your desktop, please.

    Turn off your antivirus program and other security programs, if possible.
    How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

    Double-click on the iExplore.exe icon to start RKill. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

    If you get a message that RKill is an infection, that is a fake warning given by the infection. The trick is to leave the warning on the screen and then run RKill again.

    Run RKill until the fake program is not visible but not more than ten times.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead.

    If you restart the computer, the fake program will start to run again and you will have to repeat the above.

    [b]2. ComboFix[/b]
    Follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix.

    Read carefully and note the "Disclaimer of warranty"!

    Paste the content of the log into your answer.[/quote]
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/07/2011 at 16:13:41.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 03/07/2011 at 16:13:45.

  14. [quote name='CeciliaB' post='125250' date='Mar 1 2011, 04:08 PM']I understand that you cannot run Ad-Aware.
    Is it possible to run TFC and OTL according to the instruction?

    If you cannot run OTL you can try this scanner instead:

    Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]

    Double-click on the DDS tool to run it.

    When finished, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    Save them to your desktop and paste their content into your answer.[/quote]
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/8/2010 10:36:16 AM
    System Uptime: 3/7/2011 7:48:40 AM (8 hours ago)
    .
    Motherboard: Dell Inc. | | 0P301D
    Processor: Intel® Pentium® Dual CPU E2220 @ 2.40GHz | Socket 775 | 2393/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 195 GiB total, 184.445 GiB free.
    D: is CDROM ()
    Z: is NetworkDisk (NTFS) - 233 GiB total, 209.824 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP135: 12/8/2010 11:50:48 AM - System Checkpoint
    RP136: 12/9/2010 12:09:39 PM - System Checkpoint
    RP137: 12/14/2010 8:24:14 AM - System Checkpoint
    RP138: 1/3/2011 10:55:33 AM - System Checkpoint
    RP139: 1/3/2011 11:00:12 AM - Software Distribution Service 3.0
    RP140: 1/4/2011 1:55:10 PM - System Checkpoint
    RP141: 1/4/2011 3:53:43 PM - Software Distribution Service 3.0
    RP142: 1/5/2011 2:15:52 PM - Restore Operation
    RP143: 1/5/2011 2:20:32 PM - Restore Operation
    RP144: 1/5/2011 2:26:16 PM - Restore Operation
    RP145: 1/5/2011 2:30:11 PM - Restore Operation
    RP146: 1/5/2011 2:54:44 PM - Restore Operation
    RP147: 1/5/2011 3:01:57 PM - Restore Operation
    RP148: 1/5/2011 3:06:52 PM - Restore Operation
    RP149: 1/5/2011 3:26:48 PM - Restore Operation
    RP150: 1/5/2011 3:53:40 PM - Restore Operation
    RP151: 1/6/2011 7:58:17 AM - Restore Operation
    RP152: 1/6/2011 8:02:05 AM - Restore Operation
    RP153: 1/11/2011 8:10:37 AM - System Checkpoint
    RP154: 1/11/2011 8:43:51 AM - Installed HiJackThis
    RP155: 1/11/2011 8:49:00 AM - OTM Restore Point
    RP156: 1/12/2011 9:12:50 AM - System Checkpoint
    RP157: 1/12/2011 4:23:56 PM - Software Distribution Service 3.0
    RP158: 1/17/2011 8:18:04 AM - System Checkpoint
    RP159: 1/18/2011 9:34:56 AM - System Checkpoint
    RP160: 1/19/2011 9:57:25 AM - System Checkpoint
    RP161: 1/20/2011 10:06:29 AM - System Checkpoint
    RP162: 1/24/2011 8:16:33 AM - System Checkpoint
    RP163: 1/25/2011 8:37:23 AM - System Checkpoint
    RP164: 1/26/2011 8:50:18 AM - System Checkpoint
    RP165: 1/27/2011 9:40:34 AM - System Checkpoint
    RP166: 1/31/2011 8:24:09 AM - System Checkpoint
    RP167: 2/1/2011 10:15:28 AM - System Checkpoint
    RP168: 2/2/2011 10:52:46 AM - System Checkpoint
    RP169: 2/3/2011 11:19:11 AM - System Checkpoint
    RP170: 2/7/2011 8:17:15 AM - System Checkpoint
    RP171: 2/8/2011 8:58:27 AM - System Checkpoint
    RP172: 2/9/2011 11:36:22 AM - System Checkpoint
    RP173: 2/9/2011 4:04:48 PM - Software Distribution Service 3.0
    RP174: 2/14/2011 8:24:21 AM - System Checkpoint
    RP175: 2/15/2011 8:34:20 AM - System Checkpoint
    RP176: 2/16/2011 9:49:19 AM - System Checkpoint
    RP177: 2/17/2011 10:31:35 AM - System Checkpoint
    RP178: 2/21/2011 8:54:33 AM - System Checkpoint
    RP179: 2/22/2011 9:01:54 AM - System Checkpoint
    RP180: 2/23/2011 9:33:00 AM - System Checkpoint
    RP181: 2/24/2011 9:36:20 AM - System Checkpoint
    RP182: 2/28/2011 8:20:46 AM - System Checkpoint
    RP183: 3/1/2011 2:43:26 PM - System Checkpoint
    RP184: 3/1/2011 3:16:03 PM - Ad-Aware Checkpoint
    RP185: 3/1/2011 3:42:04 PM - Software Distribution Service 3.0
    RP186: 3/2/2011 3:59:47 PM - System Checkpoint
    RP187: 3/7/2011 8:56:14 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    5600
    5600_Help
    5600Trb
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 9 ActiveX
    Adobe Reader 9.3
    AiO_Scan
    AiOSoftware
    BufferChm
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CustomerResearchQFolder
    Dell Resource CD
    Destinations
    DeviceManagementQFolder
    DocProc
    Easy Dental 2009
    eSupportQFolder
    Fax
    Guru Limited Edition
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Extended Capabilities 5.3
    HP Image Zone Express
    HP Imaging Device Functions 5.3
    HP PSC & OfficeJet 5.3.B
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    HPProductAssistant
    Intel® Graphics Media Accelerator Driver
    Java(tm) 6 Update 15
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft VC++8.0 SP1 redistributables
    Microsoft VC++9.0 redistributables
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NewCopy
    ProductContext
    QuickTime
    Readme
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Scan
    ScannerCopy
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    ShopAtHome.com Toolbar
    SolutionCenter
    Status
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/1/2011 9:26:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    3/1/2011 3:23:51 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    3/1/2011 3:09:52 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89b7f210, parameter3 89b7f384, parameter4 805d29b4.
    3/1/2011 3:08:58 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3b7808, parameter3 8a3b797c, parameter4 805d29b4.
    3/1/2011 3:08:55 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3ab120, parameter3 8a3ab294, parameter4 805d29b4.
    3/1/2011 2:25:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    3/1/2011 2:25:33 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/1/2011 2:20:19 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89b5b1c8, parameter3 89b5b33c, parameter4 805d29b4.
    3/1/2011 2:20:19 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    3/1/2011 2:20:19 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    3/1/2011 2:19:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/1/2011 2:10:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    3/1/2011 2:07:44 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
    3/1/2011 2:04:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    3/1/2011 12:55:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    3/1/2011 11:33:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    .
    ==== End Of File ===========================
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Admin at 15:19:34.20 on Mon 03/07/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2188 [GMT -6:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\EzDental\SystemTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\EzDental\eSyncReminder.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\EzDental\WebSyncReminder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\Admin\My Documents\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uSearch Bar =
    mSearchAssistant =
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
    uRun: [SystemTray.exe] c:\program files\ezdental\SystemTray.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\esyncr~1.lnk - c:\program files\ezdental\eSyncReminder.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\websyn~1.lnk - c:\program files\ezdental\WebSyncReminder.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-10 64288]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-3-2 21464]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1405384]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-3-2 69976]
    R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-5-8 110080]
    S0 cerc6;cerc6; [x]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-10 98392]
    .
    =============== Created Last 30 ================
    .
    2011-03-02 14:00:06 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
    2011-03-02 14:00:06 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
    2011-03-01 17:32:57 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
    2011-03-01 17:32:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-01 17:32:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-01 17:32:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-01 17:32:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 22:48:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\bFgPdAb06300
    2011-02-21 19:32:57 -------- d-----w- c:\program files\SelectRebates
    .
    ==================== Find3M ====================
    .
    2011-02-17 19:40:06 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .
    ============= FINISH: 15:21:37.87 ===============

  15. [quote name='CeciliaB' post='125235' date='Mar 1 2011, 08:50 AM']Please, to get help with cleaning your computer, post in the forum [url="http://www.lavasoftsupport.com/index.php?showforum=36"]Help with Stubborn Infections - HijackThis Logs go here[/url], following the instructions in the topic [url="http://www.lavasoftsupport.com/index.php?showtopic=30823"]Read This Before You Post![/url] as much as possible. It might be easier to run the tools/programs if you restart the computer in safe mode. You start the computer in Safe mode by tapping the F8 key repeatedly during startup and selecting [b]Safe mode[/b] in the menu, see [url="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx"]http://www.microsoft.com/resources/documen...t_failsafe.mspx[/url].

    Does the fake antivirus program have a name?[/quote]

    We ran in safe mode and went to our regular computer page; the spyware is still there. The name of it is System Tool 2011. It will not let us run Ad-Aware to remove it; it said that Ad-Aware is infected with a virus.

  16. [quote name='CeciliaB' post='124635' date='Jan 6 2011, 06:30 AM']Since it is a work computer, I wonder if there is computer support at work that can help you. It is rather common that companies dislike seeing logs from their computers on the internet. I am not sure that all the tools I use to clean a computer are safe to use on a computer configured for domain usage etc.

    If you want help to clean the computer you must be able to transfer tools and log files between the infected computer and a computer with internet access.

    Start by doing Step #1 on the page [url="http://www.lavasoftsupport.com/index.php?showtopic=13639"]http://www.lavasoftsupport.com/index.php?showtopic=13639[/url]
    If you have Ad-Aware installed do Step #2.
    Do Step #3.

    Instead of Step #4 do:

    Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]
    Double-click on the DDS tool to run it.

    When finished, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    Save them to your desktop and paste their content into your answer.[/quote]