jeepbug

fake spyware warning

HELP!! When we turned on our computer this morning it popped up with a blue screen that says "warning, your in danger! your computer is infected with spyware". We are not able to open our Ad-Aware to run a scan; it says it is infected. We cannot open any of our other tools to take viruses/spyware off either. Please help!

Please, to get help with cleaning your computer, post in the forum [url="http://www.lavasoftsupport.com/index.php?showforum=36"]Help with Stubborn Infections - HijackThis Logs go here[/url], following the instructions in the topic [url="http://www.lavasoftsupport.com/index.php?showtopic=30823"]Read This Before You Post![/url] as much as possible. It might be easier to run the tools/programs if you restart the computer in Safe mode. You start the computer in Safe mode by tapping the F8 key repeatedly during start-up and selecting [b]Safe mode[/b] in the menu; see [url="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx"]http://www.microsoft.com/resources/documen...t_failsafe.mspx[/url].

Does the fake antivirus program have a name?

[quote name='CeciliaB' post='125235' date='Mar 1 2011, 08:50 AM']Please, to get help with cleaning your computer, post in the forum [url="http://www.lavasoftsupport.com/index.php?showforum=36"]Help with Stubborn Infections - HijackThis Logs go here[/url], following the instructions in the topic [url="http://www.lavasoftsupport.com/index.php?showtopic=30823"]Read This Before You Post![/url] as much as possible. It might be easier to run the tools/programs if you restart the computer in Safe mode. You start the computer in Safe mode by tapping the F8 key repeatedly during start-up and selecting [b]Safe mode[/b] in the menu; see [url="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx"]http://www.microsoft.com/resources/documen...t_failsafe.mspx[/url].

Does the fake antivirus program have a name?[/quote]

We ran in Safe mode and went to our regular computer page; the spyware is still there. The name of it is System Tool 2011. It will not let us run Ad-Aware to remove it; it said that Ad-Aware is infected with a virus.

I understand that you cannot run Ad-Aware.
Is it possible to run TFC and OTL according to the instructions?

If you cannot run OTL you can try this scanner instead:

Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]

Double-click on the DDS tool to run it.

When finished, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save them to your desktop and paste their content into your answer.

[quote name='CeciliaB' post='125250' date='Mar 1 2011, 04:08 PM']I understand that you cannot run Ad-Aware.
Is it possible to run TFC and OTL according to the instructions?

If you cannot run OTL you can try this scanner instead:

Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]

Double-click on the DDS tool to run it.

When finished, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save them to your desktop and paste their content into your answer.[/quote]
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/8/2010 10:36:16 AM
System Uptime: 3/7/2011 7:48:40 AM (8 hours ago)
.
Motherboard: Dell Inc. | | 0P301D
Processor: Intel® Pentium® Dual CPU E2220 @ 2.40GHz | Socket 775 | 2393/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 195 GiB total, 184.445 GiB free.
D: is CDROM ()
Z: is NetworkDisk (NTFS) - 233 GiB total, 209.824 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP135: 12/8/2010 11:50:48 AM - System Checkpoint
RP136: 12/9/2010 12:09:39 PM - System Checkpoint
RP137: 12/14/2010 8:24:14 AM - System Checkpoint
RP138: 1/3/2011 10:55:33 AM - System Checkpoint
RP139: 1/3/2011 11:00:12 AM - Software Distribution Service 3.0
RP140: 1/4/2011 1:55:10 PM - System Checkpoint
RP141: 1/4/2011 3:53:43 PM - Software Distribution Service 3.0
RP142: 1/5/2011 2:15:52 PM - Restore Operation
RP143: 1/5/2011 2:20:32 PM - Restore Operation
RP144: 1/5/2011 2:26:16 PM - Restore Operation
RP145: 1/5/2011 2:30:11 PM - Restore Operation
RP146: 1/5/2011 2:54:44 PM - Restore Operation
RP147: 1/5/2011 3:01:57 PM - Restore Operation
RP148: 1/5/2011 3:06:52 PM - Restore Operation
RP149: 1/5/2011 3:26:48 PM - Restore Operation
RP150: 1/5/2011 3:53:40 PM - Restore Operation
RP151: 1/6/2011 7:58:17 AM - Restore Operation
RP152: 1/6/2011 8:02:05 AM - Restore Operation
RP153: 1/11/2011 8:10:37 AM - System Checkpoint
RP154: 1/11/2011 8:43:51 AM - Installed HiJackThis
RP155: 1/11/2011 8:49:00 AM - OTM Restore Point
RP156: 1/12/2011 9:12:50 AM - System Checkpoint
RP157: 1/12/2011 4:23:56 PM - Software Distribution Service 3.0
RP158: 1/17/2011 8:18:04 AM - System Checkpoint
RP159: 1/18/2011 9:34:56 AM - System Checkpoint
RP160: 1/19/2011 9:57:25 AM - System Checkpoint
RP161: 1/20/2011 10:06:29 AM - System Checkpoint
RP162: 1/24/2011 8:16:33 AM - System Checkpoint
RP163: 1/25/2011 8:37:23 AM - System Checkpoint
RP164: 1/26/2011 8:50:18 AM - System Checkpoint
RP165: 1/27/2011 9:40:34 AM - System Checkpoint
RP166: 1/31/2011 8:24:09 AM - System Checkpoint
RP167: 2/1/2011 10:15:28 AM - System Checkpoint
RP168: 2/2/2011 10:52:46 AM - System Checkpoint
RP169: 2/3/2011 11:19:11 AM - System Checkpoint
RP170: 2/7/2011 8:17:15 AM - System Checkpoint
RP171: 2/8/2011 8:58:27 AM - System Checkpoint
RP172: 2/9/2011 11:36:22 AM - System Checkpoint
RP173: 2/9/2011 4:04:48 PM - Software Distribution Service 3.0
RP174: 2/14/2011 8:24:21 AM - System Checkpoint
RP175: 2/15/2011 8:34:20 AM - System Checkpoint
RP176: 2/16/2011 9:49:19 AM - System Checkpoint
RP177: 2/17/2011 10:31:35 AM - System Checkpoint
RP178: 2/21/2011 8:54:33 AM - System Checkpoint
RP179: 2/22/2011 9:01:54 AM - System Checkpoint
RP180: 2/23/2011 9:33:00 AM - System Checkpoint
RP181: 2/24/2011 9:36:20 AM - System Checkpoint
RP182: 2/28/2011 8:20:46 AM - System Checkpoint
RP183: 3/1/2011 2:43:26 PM - System Checkpoint
RP184: 3/1/2011 3:16:03 PM - Ad-Aware Checkpoint
RP185: 3/1/2011 3:42:04 PM - Software Distribution Service 3.0
RP186: 3/2/2011 3:59:47 PM - System Checkpoint
RP187: 3/7/2011 8:56:14 AM - System Checkpoint
.
==== Installed Programs ======================
.
5600
5600_Help
5600Trb
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Reader 9.3
AiO_Scan
AiOSoftware
BufferChm
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CustomerResearchQFolder
Dell Resource CD
Destinations
DeviceManagementQFolder
DocProc
Easy Dental 2009
eSupportQFolder
Fax
Guru Limited Edition
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Intel® Graphics Media Accelerator Driver
Java(tm) 6 Update 15
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft VC++8.0 SP1 redistributables
Microsoft VC++9.0 redistributables
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy
ProductContext
QuickTime
Readme
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
ShopAtHome.com Toolbar
SolutionCenter
Status
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
3/1/2011 9:26:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/1/2011 3:23:51 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/1/2011 3:09:52 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89b7f210, parameter3 89b7f384, parameter4 805d29b4.
3/1/2011 3:08:58 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3b7808, parameter3 8a3b797c, parameter4 805d29b4.
3/1/2011 3:08:55 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 8a3ab120, parameter3 8a3ab294, parameter4 805d29b4.
3/1/2011 2:25:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
3/1/2011 2:25:33 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/1/2011 2:20:19 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 89b5b1c8, parameter3 89b5b33c, parameter4 805d29b4.
3/1/2011 2:20:19 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
3/1/2011 2:20:19 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/1/2011 2:19:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/1/2011 2:10:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
3/1/2011 2:07:44 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
3/1/2011 2:04:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/1/2011 12:55:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/1/2011 11:33:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/1/2011 11:33:58 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Admin at 15:19:34.20 on Mon 03/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2188 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\EzDental\SystemTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EzDental\eSyncReminder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\EzDental\WebSyncReminder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Admin\My Documents\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
uRun: [SystemTray.exe] c:\program files\ezdental\SystemTray.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\esyncr~1.lnk - c:\program files\ezdental\eSyncReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\websyn~1.lnk - c:\program files\ezdental\WebSyncReminder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-10 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-3-2 21464]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1405384]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-3-2 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-5-8 110080]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-10 98392]
.
=============== Created Last 30 ================
.
2011-03-02 14:00:06 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00:06 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32:57 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2011-03-01 17:32:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-01 17:32:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 17:32:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-28 22:48:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\bFgPdAb06300
2011-02-21 19:32:57 -------- d-----w- c:\program files\SelectRebates
.
==================== Find3M ====================
.
2011-02-17 19:40:06 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 15:21:37.87 ===============

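The DDS log above is the kind of thing a helper reads by hand: the "Created Last 30" section lists what appeared on disk in the days around the first symptom, and a freshly created, randomly named folder under Application Data is the usual first lead. The script below is an added example of that triage, written for this page; it is not part of the thread, of DDS, or of any Lavasoft tool. It parses lines in the exact format DDS printed above (the nine sample lines are copied from the posted log), flags entries created in a window before the date of the first post, and separately flags random-looking names under an Application Data folder. The window, the name heuristic, and the choice to compare DDS timestamps directly against the posting time are assumptions made for illustration. It generalizes to any DDS "Created Last 30" section, not just these nine lines.

```python
"""Triage helper for the 'Created Last 30' section of a DDS log.

Added example for this page, not part of DDS or the forum thread.
Parses lines of the form

    2011-02-28 22:48:46 -------- d-----w- c:\\docume~1\\alluse~1\\applic~1\\bFgPdAb06300

and flags entries that (a) appeared shortly before the user first saw the
rogue and/or (b) carry a random-looking name inside an Application Data
folder.  Both heuristics are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timedelta

# Sample input: the nine 'Created Last 30' lines from the DDS log posted above,
# copied verbatim (raw string so the backslashes survive).
SAMPLE_CREATED = r"""
2011-03-02 14:00:06 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00:06 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32:57 -------- d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2011-03-01 17:32:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-01 17:32:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 17:32:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-28 22:48:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\bFgPdAb06300
2011-02-21 19:32:57 -------- d-----w- c:\program files\SelectRebates
"""

# timestamp, size (dashes for a directory), eight attribute flags, path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+([d-][-a-z]{7})\s+(.+?)\s*$"
)
# 8.3 and long spellings of the Application Data folder as DDS prints them
APPDATA_RE = re.compile(r"\\(applic~1|application data)\\", re.IGNORECASE)


def parse_created(text):
    """Return one dict {when, is_dir, size, attrs, path} per parsable log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, '.' separators, blank lines
        stamp, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "is_dir": attrs.startswith("d"),
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "path": path,
        })
    return entries


def looks_random(name):
    """Assumed heuristic: generated names mix letters and digits and have few vowels.

    'bFgPdAb06300' -> True; 'Malwarebytes', 'SelectRebates', 'mbam.sys' -> False.
    """
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    letters = [c for c in stem if c.isalpha()]
    has_digit = any(c.isdigit() for c in stem)
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / max(len(letters), 1)
    return has_digit and bool(letters) and vowel_ratio < 0.3


def triage(text, first_seen, window_days=3):
    """Flag entries created within window_days before first_seen, and any
    random-looking name under Application Data regardless of date.

    first_seen is a datetime or a 'YYYY-MM-DD HH:MM' string.  DDS timestamps
    are compared to it directly; that they are in the same zone is an assumption.
    """
    if isinstance(first_seen, str):
        first_seen = datetime.strptime(first_seen, "%Y-%m-%d %H:%M")
    start = first_seen - timedelta(days=window_days)
    hits = []
    for e in parse_created(text):
        reasons = []
        if start <= e["when"] <= first_seen:
            reasons.append("created within %d days before symptoms" % window_days)
        name = e["path"].rsplit("\\", 1)[-1]
        if APPDATA_RE.search(e["path"]) and looks_random(name):
            reasons.append("random-looking name in Application Data")
        if reasons:
            hits.append({"path": e["path"], "when": e["when"], "reasons": reasons})
    hits.sort(key=lambda h: h["when"], reverse=True)  # newest first
    return hits


if __name__ == "__main__":
    # The first post in the thread is dated Mar 1 2011, 08:50 AM.
    for h in triage(SAMPLE_CREATED, "2011-03-01 08:50"):
        print(h["when"], h["path"], "; ".join(h["reasons"]))
```

With the thread's date as first_seen, only the bFgPdAb06300 folder is flagged, on both counts; the Malwarebytes and sbap* entries fall after the symptom and are the cleanup tools installed later. Widening the window to ten days also pulls in SelectRebates, which the later ComboFix run removed along with the ShopAtHome toolbar. The heuristic is a lead generator, not a verdict: confirm each hit against the installed-programs list and the loading points before deleting anything.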
[b]1. RKill[/b]
Please, download RKill by Grinler to your Desktop:
On the page [url="http://www.bleepingcomputer.com/download/anti-virus/rkill"]http://www.bleepingcomputer.com/download/anti-virus/rkill[/url] click the link [b]iExplore.exe Download Link[/b] and save it to your desktop, please.

Turn off your antivirus program and other security programs, if possible.
How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

Double-click on the iExplore.exe icon to start RKill. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that RKill is an infection, that is a fake warning given by the infection. The trick is to leave the warning on the screen and then run RKill again.

Run RKill until the fake program is no longer visible, but not more than ten times.

If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead.

If you restart the computer, the fake program will start again and you will have to repeat the above.

[b]2. ComboFix[/b]
Follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.

[quote name='CeciliaB' post='125366' date='Mar 7 2011, 04:03 PM'][b]1. RKill[/b]
Please, download RKill by Grinler to your Desktop:
On the page [url="http://www.bleepingcomputer.com/download/anti-virus/rkill"]http://www.bleepingcomputer.com/download/anti-virus/rkill[/url] click the link [b]iExplore.exe Download Link[/b] and save it to your desktop, please.

Turn off your antivirus program and other security programs, if possible.
How? See [url="http://www.bleepingcomputer.com/forums/topic114351.html"]http://www.bleepingcomputer.com/forums/topic114351.html[/url]

Double-click on the iExplore.exe icon to start RKill. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that RKill is an infection, that is a fake warning given by the infection. The trick is to leave the warning on the screen and then run RKill again.

Run RKill until the fake program is no longer visible, but not more than ten times.

If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead.

If you restart the computer, the fake program will start again and you will have to repeat the above.

[b]2. ComboFix[/b]
Follow the instructions on [url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url] for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.[/quote]
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/07/2011 at 16:13:41.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 03/07/2011 at 16:13:45.

[quote name='CeciliaB' post='125368' date='Mar 7 2011, 05:37 PM']Can you run ComboFix?[/quote]

ComboFix 11-03-07.06 - Admin 03/08/2011 8:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2344 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\My Documents\iexplore.exe
c:\program files\Quicktime\QTTask.exe
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\windows\jestertb.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-08 08:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-08 08:38:10
ComboFix-quarantined-files.txt 2011-03-08 14:38
.
Pre-Run: 197,996,335,104 bytes free
Post-Run: 197,955,928,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6CFC4D78DB68624DB0CFE8919AB29701




After we did this ComboFix, we ran another Smart Scan on the computer; the following log is from that scan.
Logfile created: 3/8/2011 08:40:16
Ad-Aware version: 9.0.2
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Admin

*********************** Definitions database information ***********************
Lavasoft definition file: 150.312
Genotype definition file version: 2011/03/07 08:12:44
Extended engine definition file: 8627.0

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 7837
Objects detected: 5


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 5
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *atdmt* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408910 Family ID: 0
Description: *doubleclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408875 Family ID: 0
Description: *insightexpressai* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409259 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0

Scan and cleaning complete: Finished correctly after 65 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: folderstoscan, enabled:1, value:
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: strict, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
ID: back, enabled:1, value: back
ID: time, enabled:1, value: Tue Jan 11 13:50:01 2011
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value: smart
ID: auto_deal_with_infections, enabled:1, value: true

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Mon May 10 09:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Mon May 10 15:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Mon May 10 21:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Mon May 10 03:17:00 2010
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Mon May 10 09:17:00 2010
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: true
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: infomessages, enabled:1, value: display, domain: display,dontnotify,onlyimportant
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: maintainbackup, enabled:1, value: true
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: true
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true


****************************** System information ******************************
Computer name: PC2BACK
Processor name: Intel® Pentium® Dual CPU E2220 @ 2.40GHz
Processor identifier: x86 Family 6 Model 15 Stepping 13
Processor speed: ~2395MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2]
Physical memory available: 2500923392 bytes
Physical memory total: 3184435200 bytes
Virtual memory available: 1805524992 bytes
Virtual memory total: 2147352576 bytes
Memory load: 21%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 672 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 740 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 764 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 808 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 820 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 992 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1060 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1156 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1252 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1288 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1332 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1612 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1716 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1780 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1896 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 732 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1476 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1524 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2088 name: C:\WINDOWS\RTHDCPL.EXE owner: Admin domain: PC2BACK
PID: 2108 name: C:\WINDOWS\system32\igfxtray.exe owner: Admin domain: PC2BACK
PID: 2116 name: C:\WINDOWS\system32\hkcmd.exe owner: Admin domain: PC2BACK
PID: 2144 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Admin domain: PC2BACK
PID: 2208 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Admin domain: PC2BACK
PID: 2256 name: C:\Program Files\EzDental\SystemTray.exe owner: Admin domain: PC2BACK
PID: 2280 name: C:\WINDOWS\system32\ctfmon.exe owner: Admin domain: PC2BACK
PID: 2368 name: C:\Program Files\EzDental\eSyncReminder.exe owner: Admin domain: PC2BACK
PID: 2392 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Admin domain: PC2BACK
PID: 2412 name: C:\Program Files\EzDental\WebSyncReminder.exe owner: Admin domain: PC2BACK
PID: 2488 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3056 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Admin domain: PC2BACK
PID: 3164 name: C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe owner: Admin domain: PC2BACK
PID: 3392 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Admin domain: PC2BACK
PID: 616 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Admin domain: PC2BACK
PID: 2968 name: C:\WINDOWS\explorer.exe owner: Admin domain: PC2BACK
PID: 444 name: C:\WINDOWS\system32\wscntfy.exe owner: Admin domain: PC2BACK

Startup items:
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: RTHDCPL
imagepath: RTHDCPL.EXE
Name: IgfxTray
imagepath: C:\WINDOWS\system32\igfxtray.exe
Name: HotKeysCmds
imagepath: C:\WINDOWS\system32\hkcmd.exe
Name: Adobe Reader Speed Launcher
imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Name: Adobe ARM
imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Name: HP Software Update
imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Name: RunNarrator
imagepath: Narrator.exe
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eSync Reminder.lnk
imagepath: C:\Program Files\EzDental\eSyncReminder.exe
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Name:
location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebSync Reminder.lnk
imagepath: C:\Program Files\EzDental\WebSyncReminder.exe
Name:
imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete

Running services:
Name: Alerter
displayname: Alerter
Name: ALG
displayname: Application Layer Gateway Service
Name: AudioSrv
displayname: Windows Audio
Name: Browser
displayname: Computer Browser
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: dmserver
displayname: Logical Disk Manager
Name: Dnscache
displayname: DNS Client
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: helpsvc
displayname: Help and Support
Name: HTTPFilter
displayname: HTTP SSL
Name: JavaQuickStarterService
displayname: Java Quick Starter
Name: LanmanServer
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RemoteRegistry
displayname: Remote Registry
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: W32Time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration

Nice that Ad-Aware can scan again!

Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report:
c:\windows\system32\cpnprt2.cid

[quote name='CeciliaB' post='125408' date='Mar 8 2011, 09:25 AM']Nice that Ad-Aware can scan again!

Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report:
c:\windows\system32\cpnprt2.cid[/quote]


Here is what it says:
MD5: 5d7882518f349aea63de2742339dd06f
Date first seen: 2011-02-17 02:35:39 (UTC)
Date last seen: 2011-03-07 18:09:33 (UTC)
Detection ratio: 3/43
VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: cpnprt2.cid
Submission date: 2011-03-07 18:09:33 (UTC)
Current status: finished
Result: 3 /43 (7.0%)
VT Community: not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.03.07.06 2011.03.07 -
AntiVir 7.11.4.100 2011.03.07 -
Antiy-AVL 2.0.3.7 2011.03.06 -
Avast 4.8.1351.0 2011.03.07 -
Avast5 5.0.677.0 2011.03.07 -
AVG 10.0.0.1190 2011.03.07 -
BitDefender 7.2 2011.03.07 -
CAT-QuickHeal 11.00 2011.03.07 -
ClamAV 0.96.4.0 2011.03.07 -
Commtouch 5.2.11.5 2011.03.07 -
Comodo 7903 2011.03.07 -
DrWeb 5.0.2.03300 2011.03.07 -
Emsisoft 5.1.0.2 2011.03.07 -
eSafe 7.0.17.0 2011.03.06 Win32.TRBuzy
eTrust-Vet 36.1.8198 2011.03.04 -
F-Prot 4.6.2.117 2011.03.07 -
F-Secure 9.0.16440.0 2011.03.07 -
Fortinet 4.2.254.0 2011.03.07 -
GData 21 2011.03.07 -
Ikarus T3.1.1.97.0 2011.03.07 -
Jiangmin 13.0.900 2011.03.07 -
K7AntiVirus 9.92.4048 2011.03.07 -
Kaspersky 7.0.0.125 2011.03.07 -
McAfee 5.400.0.1158 2011.03.07 Artemis!5D7882518F34
McAfee-GW-Edition 2010.1C 2011.03.07 Artemis!5D7882518F34
Microsoft 1.6603 2011.03.07 -
NOD32 5934 2011.03.07 -
Norman 6.07.03 2011.03.07 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.07 -
PCTools 7.0.3.5 2011.03.07 -
Prevx 3.0 2011.03.07 -
Rising 23.48.00.06 2011.03.07 -
Sophos 4.63.0 2011.03.07 -
SUPERAntiSpyware 4.40.0.1006 2011.03.07 -
Symantec 20101.3.0.103 2011.03.07 -
TheHacker 6.7.0.1.145 2011.03.06 -
TrendMicro 9.200.0.1012 2011.03.07 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.07 -
VBA32 3.12.14.3 2011.03.04 -
VIPRE 8629 2011.03.07 -
ViRobot 2011.3.7.4345 2011.03.07 -
VirusBuster 13.6.239.0 2011.03.07 -
Additional information
MD5 : 5d7882518f349aea63de2742339dd06f
SHA1 : ba7b32ff5af8e28e72c4616cc85b6600690e24e3
SHA256: e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703

The link is [url="http://www.virustotal.com/file-scan/report.html?id=e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703-1299521373"]http://www.virustotal.com/file-scan/report...5703-1299521373[/url]
with the following information about the file:[quote]publisher....: Coupons, Inc.
copyright....: Copyright © 2008
product......: Coupon Format Type 1
description..: cpnprt2 DLL
original name: cpnprt2.DLL
internal name: Coupon Print Master[/quote]Is this something you recognize and want to have in the computer?

[quote name='CeciliaB' post='125410' date='Mar 8 2011, 10:46 AM']The link is [url="http://www.virustotal.com/file-scan/report.html?id=e266a685d95f3c412463298ac1cc25094b4c31ab32e2c30d6bb55cd773d35703-1299521373"]http://www.virustotal.com/file-scan/report...5703-1299521373[/url]
with the following information about the file:Is this something you recognize and want to have in the computer?[/quote]

Is this what is causing our problem? If it is, then we don't want it on the computer.

I don't know; the result from virustotal is hard to interpret. The coupon file was stored in the computer on the 17th of February, while SelectRebates, which ComboFix removed, was stored on the 21st of February.

There is a malicious folder from 28th of February that will be removed with the following instruction:

Copy all lines in the box:
[code]Killall::
Driver::
cerc6
Folder::
c:\documents and settings\All Users\Application Data\bFgPdAb06300[/code]
and paste into Notepad.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.
Paste the new ComboFix log into your answer.

[quote name='CeciliaB' post='125415' date='Mar 8 2011, 11:56 AM']I don't know; the result from virustotal is hard to interpret. The coupon file was stored in the computer on the 17th of February, while SelectRebates, which ComboFix removed, was stored on the 21st of February.

There is a malicious folder from 28th of February that will be removed with the following instruction:

Copy all lines in the box:
[code]Killall::
Driver::
cerc6
Folder::
c:\documents and settings\All Users\Application Data\bFgPdAb06300[/code]
and paste into Notepad.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.

ComboFix 11-03-07.07 - Admin 03/08/2011 13:17:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2353 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-15 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
S0 cerc6;cerc6; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-08 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-08 13:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-08 13:20:04
ComboFix-quarantined-files.txt 2011-03-08 19:20
ComboFix2.txt 2011-03-08 14:38
.
Pre-Run: 197,988,220,928 bytes free
Post-Run: 198,001,770,496 bytes free
.
- - End Of File - - 561927E8569C129C2A53AF77DBC35CC4

Paste the new ComboFix log into your answer.[/quote]

Sorry, ComboFix did not notice that you dropped a file on top of it. Maybe it is easier to understand what you should do with this picture:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img]

[quote name='CeciliaB' post='125419' date='Mar 8 2011, 04:11 PM']Sorry, ComboFix did not notice that you dropped a file on top of it. Maybe it is easier to understand what you should do with this picture:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img][/quote]


Okay, that is what we did. Here it is again; hopefully this time it works! Thanks.
ComboFix 11-03-08.07 - Admin 03/09/2011 8:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2399 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2008-04-14 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
.
.
((((((((((((((((((((((((((((( [email protected]_14.37.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
- 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-05-08 15:43 . 2011-03-08 13:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-08 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-09 08:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-09 08:42:06
ComboFix-quarantined-files.txt 2011-03-09 14:42
ComboFix2.txt 2011-03-08 19:20
ComboFix3.txt 2011-03-08 14:38
.
Pre-Run: 197,935,550,464 bytes free
Post-Run: 197,935,759,360 bytes free
.
- - End Of File - - DF47015B21BD2EED7C3000CE932508FE

This time ComboFix noticed the file :) but unfortunately it could not understand its content. Try once more to create CFScript. Be sure to use Notepad and that the content is exactly:

Killall::
Driver::
cerc6
Folder::
c:\documents and settings\All Users\Application Data\bFgPdAb06300

[quote name='CeciliaB' post='125436' date='Mar 9 2011, 08:59 AM']This time ComboFix noticed the file :) but unfortunately it could not understand its content. Try once more to create CFScript. Be sure to use Notepad and that the content is exactly:

Killall::
Driver::
cerc6
Folder::
c:\documents and settings\All Users\Application Data\bFgPdAb06300[/quote]

ComboFix 11-03-08.07 - Admin 03/09/2011 9:16.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2413 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.lnk
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-09 14:04 . 2011-03-09 14:04 -------- d-----w- c:\windows\LastGood
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-28 22:48 . 2011-03-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\bFgPdAb06300
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( [email protected]_14.37.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-09 14:03 . 2011-03-09 14:03 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
- 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-09 09:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-09 09:18:31
ComboFix-quarantined-files.txt 2011-03-09 15:18
ComboFix2.txt 2011-03-09 14:42
ComboFix3.txt 2011-03-08 19:20
ComboFix4.txt 2011-03-08 14:38
.
Pre-Run: 197,953,257,472 bytes free
Post-Run: 197,940,707,328 bytes free
.
- - End Of File - - 5C4B33059EC9860B8C46D1E9F827C313

Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.[u]lnk[/u]

You are dragging a shortcut and not a text file.

Fetch this CFScript.txt: [url="http://www.sendspace.com/file/xbf5eh"]http://www.sendspace.com/file/xbf5eh[/url]
Save it on the desktop and drag it to ComboFix.

[quote name='CeciliaB' post='125438' date='Mar 9 2011, 11:08 AM']Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.[u]lnk[/u]

You are dragging a shortcut and not a text file.

Fetch this CFScript.txt: [url="http://www.sendspace.com/file/xbf5eh"]http://www.sendspace.com/file/xbf5eh[/url]
Save it on the desktop and drag it to ComboFix.[/quote]
ComboFix 11-03-08.07 - Admin 03/09/2011 11:28:27.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2376 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bFgPdAb06300
c:\documents and settings\All Users\Application Data\bFgPdAb06300\bFgPdAb06300
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cerc6
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Reality_Engineering
2011-03-08 19:50 . 2011-03-08 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Reality Engineering
2011-03-02 14:00 . 2010-11-22 15:42 69976 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-03-02 14:00 . 2010-11-22 15:42 21464 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-03-01 17:32 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 17:32 . 2011-03-01 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 17:32 . 2011-03-01 21:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 17:32 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 19:40 . 2010-05-10 21:34 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 12:55 . 2010-11-17 22:13 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-02 07:58 . 2010-05-08 15:32 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-05-08 15:32 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 14:43 . 2011-01-11 14:43 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-14 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( [email protected]_14.37.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-09 17:31 . 2011-03-09 17:31 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
- 2011-03-08 13:56 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-09 14:03 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-08 15:43 . 2011-03-08 13:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-08 15:43 . 2011-03-09 14:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 12:00 . 2011-02-09 13:53 270848 c:\windows\system32\dllcache\sbe.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 270848 c:\windows\system32\dllcache\sbe.dll
- 2010-05-08 15:32 . 2008-04-14 12:00 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2010-05-08 15:32 . 2011-01-27 11:57 677888 c:\windows\system32\dllcache\lhmstsc.exe
+ 2008-04-14 12:00 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 186880 c:\windows\system32\dllcache\encdec.dll
+ 2010-05-08 15:32 . 2011-02-02 07:58 2067456 c:\windows\system32\dllcache\lhmstscx.dll
+ 2010-05-08 18:48 . 2011-03-09 16:15 37943240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray.exe"="c:\program files\EzDental\SystemTray.exe" [2009-06-25 132368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eSync Reminder.lnk - c:\program files\EzDental\eSyncReminder.exe [2010-5-10 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
WebSync Reminder.lnk - c:\program files\EzDental\WebSyncReminder.exe [2010-5-10 66832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-09 c:\windows\Tasks\Ad-Aware Scan (back).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 13:06]
.
2011-03-09 c:\windows\Tasks\User_Feed_Synchronization-{62121871-1389-4E47-8611-1BA446B4B709}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2011-03-09 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2011-03-09 11:32:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-09 17:32
ComboFix2.txt 2011-03-09 15:18
ComboFix3.txt 2011-03-09 14:42
ComboFix4.txt 2011-03-08 19:20
ComboFix5.txt 2011-03-09 17:28
.
Pre-Run: 197,870,215,168 bytes free
Post-Run: 197,805,293,568 bytes free
.
- - End Of File - - 1552C8B32117F10CFB8EAF34FD39DA64

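The two ComboFix logs in this thread differ in their Drivers/Services section: the first shows "S0 cerc6;cerc6; [x]" and the second, after the CFScript run, lists "-------\Service_cerc6" under Drivers/Services and no longer shows cerc6, while the Ad-Aware service entry goes from R3 to S3. The script below is an added example, not code from the thread, ComboFix or Lavasoft: it parses those service lines from both logs and reports what was removed, what was added and which entries changed. The line layout, the reading of the leading letter and digit as running/stopped plus start type, and the meaning of "[x]" as an image file ComboFix could not find are assumptions about ComboFix's log format; the sample input is copied from the two posts above.

```python
"""Diff the Drivers/Services section of two ComboFix logs.

Added example for this thread; not ComboFix's or Lavasoft's code.
Assumptions about the log format: each service is one line of the form
"<R|S><digit> name;display;path [date time size]", where R/S means
running/stopped, the digit is the service start type, and "[x]" in place
of the date/size block means the image file was not found on disk.
"""
import re
from dataclasses import dataclass

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)"
    r"\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass(frozen=True)
class Service:
    name: str
    state: str      # "R" or "S" (assumed: running / stopped)
    start: int      # 0..4 (assumed: service start type)
    path: str       # "" when the log shows "[x]"
    missing: bool   # True when ComboFix printed "[x]" instead of date/size


def parse_services(log_text):
    """Return {service name: Service} for every service line in the log."""
    found = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        found[m.group("name")] = Service(
            name=m.group("name"),
            state=m.group("state"),
            start=int(m.group("start")),
            path=path,
            missing=(m.group("meta").strip() == "x" or path == ""),
        )
    return found


def missing_binaries(services):
    """Names of services whose image file ComboFix could not locate."""
    return sorted(n for n, s in services.items() if s.missing)


def diff_services(before, after):
    """Removed and added names, plus (name, old, new) where state/start/path changed."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = []
    for name in sorted(set(before) & set(after)):
        b, a = before[name], after[name]
        if (b.state, b.start, b.path) != (a.state, a.start, a.path):
            changed.append((name, f"{b.state}{b.start}", f"{a.state}{a.start}"))
    return {"removed": removed, "added": added, "changed": changed}


# Sample input copied from the two logs in this thread: the first excerpt
# (before the CFScript run) and the second (after it).
BEFORE_LOG = r"""
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S0 cerc6;cerc6; [x]
"""

AFTER_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2010 8:40 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/2/2011 8:00 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/10/2010 8:40 AM 98392]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/2/2011 8:00 AM 69976]
R3 IntcHdmiAddService;Intel High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [5/8/2010 9:51 AM 110080]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1405384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/22/2010 9:43 AM 15232]
"""

if __name__ == "__main__":
    before = parse_services(BEFORE_LOG)
    after = parse_services(AFTER_LOG)
    print("missing image before:", missing_binaries(before))
    for key, value in diff_services(before, after).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports cerc6 as the one entry with a missing image in the first log, cerc6 as removed, and the Ad-Aware service as changed from R3 to S3. Lbd shows up as "added" only because the first excerpt quoted in the thread begins at the sbaphd line; the second excerpt starts one line earlier.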
Very good! :)

How is the computer behaving now?

[quote name='CeciliaB' post='125440' date='Mar 9 2011, 11:53 AM']Very good! :)

How is the computer behaving now?[/quote]


When we scan we are still getting stuff on our Ad-Aware. The computer seems to be running fine. Is it fine that we are still having items being found?

What type of stuff does Ad-Aware find?
You can post an Ad-Aware log if you want.

This topic is now closed to further replies.