Inactive Smart Engine picked up

[hlratliff]

My son picked up a whole lot of bad stuff playing on the computer last night. I immediately did a scan with malwarebytes, adaware and my antivirus. Did the 8 steps and will attach logs. Want to make sure that everything is gone and we are okay. Thanks for the help, Hailey

 

[Bobbye]

Hailey, we now have all logs pasted into the replies. Okay to use multiple posts if needed.

After you finish with DDS, please run the following:

Download bootkitremover.rar and save it to your desktop.

• Extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip
• Double-click on the remover.exe file to run the program.
• Paste the output in your next reply.

 

[hlratliff]

Here's the output. Hope I did this right. Thank you for you help.

 

[Bobbye]

I'm going to have to check the dowmload link for this in the morning. You shouldn't be getting the debugger. Will get back to you in SM.

 

[hlratliff]

Once I downloaded 7 zip I was able to zip the dds and attach. I have added them here because I wasn't sure if you had gotten them before.

 

[Bobbye]

Please re-post with both of the DDS logs pasted into the next reply. No zipped files please- ignore that instruction for Attach.exe.

Follow with Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

=======================================
Then download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Paste all logs please. Use multiple posts if needed

 

[hlratliff]

Okay Bobbye, here you go.


DDS (Ver_10-11-03.01) - NTFSx86
Run by Hailey at 14:18:56.48 on Fri 11/05/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.216 [GMT -4:00]

AV: Smart Engine *On-access scanning enabled* (Updated) {354EAC0D-F85C-4D83-AABF-ABFD3E13E9DD}
AV: avast! antivirus 4.8.1368 [VPS 101105-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Smart Engine *enabled* {555C4353-8A5E-4094-927F-B60C9B7EFDF8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Documents and Settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Hailey\My Documents\Downloads\dds(4).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25579
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\hailey\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AudioDeck] c:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
StartupFolder: c:\docume~1\hailey\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\trendnet tew-421pc_tew-423pi\WlanCU.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: &Search
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hailey\applic~1\mozilla\firefox\profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\hailey\application data\mozilla\firefox\profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\hailey\application data\mozilla\firefox\profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\hailey\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-14 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-9-14 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-8-17 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-17 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-8-17 352920]
S3 ftsbvcap;ftsbvcap;\??\c:\docume~1\hailey\locals~1\temp\ftsbvcap.sys --> c:\docume~1\hailey\locals~1\temp\ftsbvcap.sys [?]
S3 isffp_sd;isffp_sd;\??\c:\docume~1\hailey\locals~1\temp\isffp_sd.sys --> c:\docume~1\hailey\locals~1\temp\isffp_sd.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\hailey\locals~1\temp\lredbooo.sys --> c:\docume~1\hailey\locals~1\temp\lredbooo.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2010-11-04 19:24:20 -------- d-----w- c:\program files\CCleaner
2010-11-04 01:34:03 -------- d-sh--w- c:\docume~1\hailey\applic~1\Smart Engine
2010-11-04 01:34:02 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\SMWBSJMZDAE
2010-11-04 01:33:14 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\088357
2010-10-31 12:12:28 -------- d-----w- c:\docume~1\hailey\locals~1\applic~1\HP
2010-10-31 12:11:52 -------- d-----w- c:\docume~1\hailey\locals~1\applic~1\ApplicationHistory
2010-10-28 22:56:38 -------- d-----w- c:\program files\common files\HP
2010-10-28 22:54:23 -------- d-----w- c:\program files\common files\Hewlett-Packard
2010-10-28 22:53:17 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48:52 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48:52 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38:40 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38:40 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38:40 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:38:40 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38:40 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38:40 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:37:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19:10 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19:10 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19:09 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18:47 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18:46 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18:46 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18:45 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17:50 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17:46 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17:46 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10:34 -------- d-----w- c:\docume~1\hailey\applic~1\Malwarebytes
2010-10-17 23:10:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-17 23:10:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-17 23:10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 10:56:26 -------- d-----w- c:\program files\iPod
2010-10-15 10:56:22 -------- d-----w- c:\program files\iTunes
2010-10-11 10:29:02 -------- d-----w- c:\docume~1\hailey\applic~1\Registry Mechanic
2010-10-08 20:57:13 -------- d-----w- c:\docume~1\hailey\applic~1\Unity

==================== Find3M ====================

2010-09-20 11:38:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 14:19:25.23 ===============



DDS (Ver_10-11-03.01) - NTFSx86
Run by Hailey at 14:18:56.48 on Fri 11/05/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.216 [GMT -4:00]

AV: Smart Engine *On-access scanning enabled* (Updated) {354EAC0D-F85C-4D83-AABF-ABFD3E13E9DD}
AV: avast! antivirus 4.8.1368 [VPS 101105-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Smart Engine *enabled* {555C4353-8A5E-4094-927F-B60C9B7EFDF8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\Documents and Settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Hailey\My Documents\Downloads\dds(4).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25579
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\hailey\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AudioDeck] c:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
StartupFolder: c:\docume~1\hailey\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\trendnet tew-421pc_tew-423pi\WlanCU.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: &Search
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hailey\applic~1\mozilla\firefox\profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\hailey\application data\mozilla\firefox\profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\hailey\application data\mozilla\firefox\profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\hailey\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-14 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-9-14 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-8-17 138680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2002-10-2 13532]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-17 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-8-17 352920]
S3 ftsbvcap;ftsbvcap;\??\c:\docume~1\hailey\locals~1\temp\ftsbvcap.sys --> c:\docume~1\hailey\locals~1\temp\ftsbvcap.sys [?]
S3 isffp_sd;isffp_sd;\??\c:\docume~1\hailey\locals~1\temp\isffp_sd.sys --> c:\docume~1\hailey\locals~1\temp\isffp_sd.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\hailey\locals~1\temp\lredbooo.sys --> c:\docume~1\hailey\locals~1\temp\lredbooo.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2010-11-04 19:24:20 -------- d-----w- c:\program files\CCleaner
2010-11-04 01:34:03 -------- d-sh--w- c:\docume~1\hailey\applic~1\Smart Engine
2010-11-04 01:34:02 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\SMWBSJMZDAE
2010-11-04 01:33:14 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\088357
2010-10-31 12:12:28 -------- d-----w- c:\docume~1\hailey\locals~1\applic~1\HP
2010-10-31 12:11:52 -------- d-----w- c:\docume~1\hailey\locals~1\applic~1\ApplicationHistory
2010-10-28 22:56:38 -------- d-----w- c:\program files\common files\HP
2010-10-28 22:54:23 -------- d-----w- c:\program files\common files\Hewlett-Packard
2010-10-28 22:53:17 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48:52 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48:52 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38:40 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38:40 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38:40 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:38:40 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38:40 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38:40 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:37:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19:10 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19:10 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19:09 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18:47 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18:46 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18:46 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18:45 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17:50 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17:46 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17:46 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10:34 -------- d-----w- c:\docume~1\hailey\applic~1\Malwarebytes
2010-10-17 23:10:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-17 23:10:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-17 23:10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 10:56:26 -------- d-----w- c:\program files\iPod
2010-10-15 10:56:22 -------- d-----w- c:\program files\iTunes
2010-10-11 10:29:02 -------- d-----w- c:\docume~1\hailey\applic~1\Registry Mechanic
2010-10-08 20:57:13 -------- d-----w- c:\docume~1\hailey\applic~1\Unity

==================== Find3M ====================

2010-09-20 11:38:26 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 14:19:25.23 ===============

 

[hlratliff]

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=41912f8cea9d8d418fc20ebf26fcb992
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-05 07:20:28
# local_time=2010-11-05 03:20:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775141 100 98 0 224349844 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=66055
# found=2
# cleaned=0
# scan_time=1741
C:\Documents and Settings\All Users\Application Data\088357\86.mof Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan 00000000000000000000000000000000 I


ComboFix 10-11-05.01 - Hailey 11/05/2010 15:28:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.362 [GMT -4:00]
Running from: c:\documents and settings\Hailey\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 101105-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\088357
c:\documents and settings\All Users\Application Data\088357\08835717c0dfae528fe8a022051fdcd3.ocx
c:\documents and settings\All Users\Application Data\088357\86.mof
c:\documents and settings\All Users\Application Data\088357\8dxvbw2p45e7k8orku8bxwg.dll
c:\documents and settings\All Users\Application Data\088357\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Application Data\088357\BackUp\HP Image Zone Fast Start.lnk
c:\documents and settings\All Users\Application Data\088357\BackUp\OpenOffice.org 3.2.lnk
c:\documents and settings\All Users\Application Data\088357\BackUp\Wireless Configuration Utility HW.15.lnk
c:\documents and settings\All Users\Application Data\088357\mozcrt19.dll
c:\documents and settings\All Users\Application Data\088357\SME.ico
c:\documents and settings\All Users\Application Data\088357\sqlite3.dll
c:\documents and settings\Hailey\Application Data\Smart Engine
c:\documents and settings\Hailey\Application Data\Smart Engine\cookies.sqlite
c:\documents and settings\Hailey\Application Data\Smart Engine\Instructions.ini
c:\documents and settings\Hailey\Start Menu\Smart Engine.lnk

.
((((((((((((((((((((((((( Files Created from 2010-10-05 to 2010-11-05 )))))))))))))))))))))))))))))))
.

2010-11-05 18:44 . 2010-11-05 18:44 -------- d-----w- c:\program files\ESET
2010-11-05 02:03 . 2010-11-05 02:03 -------- d-----w- c:\program files\7-Zip
2010-11-04 19:24 . 2010-11-04 19:26 -------- d-----w- c:\program files\CCleaner
2010-11-04 01:34 . 2010-11-04 01:34 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMWBSJMZDAE
2010-10-31 12:12 . 2010-10-31 12:12 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\HP
2010-10-31 12:11 . 2010-11-04 20:10 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\ApplicationHistory
2010-10-28 22:58 . 2010-10-28 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-10-28 22:56 . 2010-10-28 22:57 -------- d-----w- c:\program files\Common Files\HP
2010-10-28 22:55 . 2010-10-28 22:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-28 22:54 . 2010-10-28 22:54 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-28 22:53 . 2010-10-28 22:53 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38 . 2004-09-29 16:15 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:38 . 2004-09-29 16:12 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38 . 2004-09-29 16:09 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38 . 2004-09-29 16:09 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38 . 2004-09-29 16:08 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:37 . 2010-10-28 22:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19 . 2004-12-15 07:07 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19 . 2004-12-15 07:07 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19 . 2004-12-15 07:07 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18 . 2004-12-15 07:07 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18 . 2004-12-15 07:07 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18 . 2004-12-15 07:07 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18 . 2004-12-15 07:07 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17 . 2004-12-15 07:07 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17 . 2004-12-15 07:07 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17 . 2004-12-15 07:07 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\Hailey\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-17 23:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 10:56 . 2010-10-15 10:56 -------- d-----w- c:\program files\iPod
2010-10-15 10:56 . 2010-10-15 10:57 -------- d-----w- c:\program files\iTunes
2010-10-11 10:29 . 2010-10-11 10:29 -------- d-----w- c:\documents and settings\Hailey\Application Data\Registry Mechanic
2010-10-10 15:38 . 2010-10-28 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-10-08 20:57 . 2010-10-08 20:57 -------- d-----w- c:\documents and settings\Hailey\Application Data\Unity
2010-10-08 10:59 . 2010-10-08 10:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 11:38 . 2009-11-07 18:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 11:38 . 2009-03-14 21:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-20 11:38 . 2009-03-14 21:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"nwiz"="nwiz.exe" [2006-07-25 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-06-27 540672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-20 864112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

c:\documents and settings\Hailey\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2009 5:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2010 7:43 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2010 7:43 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 9:57 AM 13532]
S3 ftsbvcap;ftsbvcap;\??\c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys [?]
S3 isffp_sd;isffp_sd;\??\c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGPYYPOD
*Deregistered* - kgpyypod
.
Contents of the 'Scheduled Tasks' folder

2010-11-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:37]

2010-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004Core.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]

2010-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004UA.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25579
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 15:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-05 15:34:53
ComboFix-quarantined-files.txt 2010-11-05 19:34

Pre-Run: 49,203,355,648 bytes free
Post-Run: 49,166,700,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5492474331E764D98E6CC1BAFA54F25A

 

[hlratliff]

Have I posted all the logs you need? Have not heard from anyone since yesterday and was wondering what I needed to do next. Thank you for all your help.

 

[Bobbye]

This is the weekend and I'm not as active because I like to spend time with my family. We are all volunteers here.

Let's remove Smart Engine then we'll deal with anything else that is left:

Step One:Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

• Rkill.com
• Rkill.scr
• Rkill.pif
• Rkill.exe
  
• Double-click on the Rkill desktop icon to run the tool.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

(A tip: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Smart Engine when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again.)

Step Two: Update Mbam> On the Scanner tab, make sure the the Perform full scan option is selected

Step Three: Access, Delete, Replace Hosts files
Please download the following batch file and save it to your desktop: Hostsperm.bat

• Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run.
  [o]Once it starts you will see a small black window that opens, then goes away. This is normal. You should now be able to access your HOSTS file.
• We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file.
• Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder.
  [o]Windows XP HOSTS File Download Link
• If the contents of the HOSTS file opens in your browser when you click on the link, then right-click the link and select:
  [o]Save Target As if in Internet Explorer
  [o] Save Link Asif in Firefox, to download the file.
• Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
• Now reboot your computer.

======================================
When finished, please repeat the Eset online scan and the Combofix scan. We'll see what's left to deal with.

 

[hlratliff]

I have pasted the rkill log. Not sure if it ran right, I never got a prompt to reboot. Tried all of them and got the same thing. Let me know if you want me to continue on with the additional instructions. Thank you.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Hailey on 11/07/2010 at 14:30:32.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Hailey\My Documents\Downloads\rkill.com


Rkill completed on 11/07/2010 at 14:30:35.

 

[Bobbye]

The purpose of rkill is to kill the processes that are preventing a program from running. It would be like if you opened the Task Manager> highlighted a process> did End Task. But you can't do that in this case because 1. you don't know what the processes are and 2. the malware might not allow the processes to be stopped using End Task.

The reason you don't want to reboot after running rkill is because if you do, the processes will; be launched again and you're right back where you started.

So the rkill log isn't the primary interest here, but rather the results of the scan that follows.

 

[hlratliff]

Okay Bobbye. Below are the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5067

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

11/7/2010 3:27:00 PM
mbam-log-2010-11-07 (15-27-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 201645
Time elapsed: 40 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[hlratliff]

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=41912f8cea9d8d418fc20ebf26fcb992
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-05 07:20:28
# local_time=2010-11-05 03:20:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775141 100 98 0 224349844 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=66055
# found=2
# cleaned=0
# scan_time=1741
C:\Documents and Settings\All Users\Application Data\088357\86.mof Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=41912f8cea9d8d418fc20ebf26fcb992
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-07 10:44:52
# local_time=2010-11-07 05:44:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775141 100 98 0 224534006 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=74119
# found=2
# cleaned=0
# scan_time=2642
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\088357\86.mof.vir Win32/RogueAV.A trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{30E8BBE2-8211-46D4-A884-03D6E03FBA38}\RP642\A0272197.mof Win32/RogueAV.A trojan 00000000000000000000000000000000 I

 

[hlratliff]

ComboFix 10-11-05.01 - Hailey 11/07/2010 17:48:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.463 [GMT -5:00]
Running from: c:\documents and settings\Hailey\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 101107-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
.

2010-11-05 18:44 . 2010-11-05 18:44 -------- d-----w- c:\program files\ESET
2010-11-05 02:03 . 2010-11-05 02:03 -------- d-----w- c:\program files\7-Zip
2010-11-04 19:24 . 2010-11-04 19:26 -------- d-----w- c:\program files\CCleaner
2010-11-04 01:34 . 2010-11-04 01:34 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMWBSJMZDAE
2010-10-31 12:12 . 2010-10-31 12:12 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\HP
2010-10-31 12:11 . 2010-11-07 21:53 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\ApplicationHistory
2010-10-28 22:58 . 2010-10-28 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-10-28 22:56 . 2010-10-28 22:57 -------- d-----w- c:\program files\Common Files\HP
2010-10-28 22:55 . 2010-10-28 22:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-28 22:54 . 2010-10-28 22:54 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-28 22:53 . 2010-10-28 22:53 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38 . 2004-09-29 16:15 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:38 . 2004-09-29 16:12 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38 . 2004-09-29 16:09 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38 . 2004-09-29 16:09 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38 . 2004-09-29 16:08 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:37 . 2010-10-28 22:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19 . 2004-12-15 07:07 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19 . 2004-12-15 07:07 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19 . 2004-12-15 07:07 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18 . 2004-12-15 07:07 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18 . 2004-12-15 07:07 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18 . 2004-12-15 07:07 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18 . 2004-12-15 07:07 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17 . 2004-12-15 07:07 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17 . 2004-12-15 07:07 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17 . 2004-12-15 07:07 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\Hailey\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-17 23:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 10:56 . 2010-10-15 10:56 -------- d-----w- c:\program files\iPod
2010-10-15 10:56 . 2010-10-15 10:57 -------- d-----w- c:\program files\iTunes
2010-10-11 10:29 . 2010-10-11 10:29 -------- d-----w- c:\documents and settings\Hailey\Application Data\Registry Mechanic
2010-10-10 15:38 . 2010-10-28 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 11:38 . 2009-11-07 18:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 11:38 . 2009-03-14 21:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-20 11:38 . 2009-03-14 21:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot@2010-11-05_19.32.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-07 21:52 . 2010-11-07 21:52 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
+ 2010-11-07 21:53 . 2010-11-07 21:53 16384 c:\windows\Temp\Perflib_Perfdata_398.dat
+ 2004-08-04 12:00 . 2010-11-07 21:54 71002 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-10-28 22:53 71002 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-07 21:54 440684 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-10-28 22:53 440684 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"nwiz"="nwiz.exe" [2006-07-25 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-06-27 540672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-20 864112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

c:\documents and settings\Hailey\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2009 4:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2010 6:43 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2010 6:43 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
S3 ftsbvcap;ftsbvcap;\??\c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys [?]
S3 isffp_sd;isffp_sd;\??\c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder

2010-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:37]

2010-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004Core.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004UA.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25579
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-07 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-11-07 17:55:02
ComboFix-quarantined-files.txt 2010-11-07 22:55
ComboFix2.txt 2010-11-05 19:34

Pre-Run: 49,063,305,216 bytes free
Post-Run: 49,055,408,128 bytes free

- - End Of File - - F2DB76D0E9E465551EF48621C9D27A55

 

[Bobbye]

Getting there!

Have you done Step 3 for the Smart Engine removal- the Hosts files? If not, please do that now
When finished, do the following:

Please run this Custom CFScrip

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\system32\URTTEMP
c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys
c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys
c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys
d:\pcicon.sys 

Folder::
c:\documents and settings\LocalService\Application Data\McAfee
DDS::
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uInternet Settings,ProxyServer = http=127.0.0.1:25579
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
mRun: [AudioDeck] c:\program files\via\viaudioi\sbadeck\ADeck.exe 1
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: &Search
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Registry::
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck =-

Driver::
ftsbvcap
lredbooo
PciCon

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================

 

[hlratliff]

I'm not sure if I did the host thing right. There was a backup host file in that folder also but I didn't know whether or not to delete it, so I left it there. I downloaded the new one and a box came up and asked me what to open it with and I just picked firefox and then saved it back into the C:\Windows etc. file. Hope that was right. As soon as combo fix is done I will post the report.

 

[hlratliff]

Here's the combofix report. Hope this does it. Thank you for your patience and all your help.

ComboFix 10-11-05.01 - Hailey 11/07/2010 17:48:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.463 [GMT -5:00]
Running from: c:\documents and settings\Hailey\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 101107-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
.

2010-11-05 18:44 . 2010-11-05 18:44 -------- d-----w- c:\program files\ESET
2010-11-05 02:03 . 2010-11-05 02:03 -------- d-----w- c:\program files\7-Zip
2010-11-04 19:24 . 2010-11-04 19:26 -------- d-----w- c:\program files\CCleaner
2010-11-04 01:34 . 2010-11-04 01:34 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SMWBSJMZDAE
2010-10-31 12:12 . 2010-10-31 12:12 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\HP
2010-10-31 12:11 . 2010-11-07 21:53 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\ApplicationHistory
2010-10-28 22:58 . 2010-10-28 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-10-28 22:56 . 2010-10-28 22:57 -------- d-----w- c:\program files\Common Files\HP
2010-10-28 22:55 . 2010-10-28 22:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-28 22:54 . 2010-10-28 22:54 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-28 22:53 . 2010-10-28 22:53 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38 . 2004-09-29 16:15 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:38 . 2004-09-29 16:12 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38 . 2004-09-29 16:09 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38 . 2004-09-29 16:09 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38 . 2004-09-29 16:08 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:37 . 2010-10-28 22:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19 . 2004-12-15 07:07 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19 . 2004-12-15 07:07 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19 . 2004-12-15 07:07 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18 . 2004-12-15 07:07 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18 . 2004-12-15 07:07 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18 . 2004-12-15 07:07 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18 . 2004-12-15 07:07 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17 . 2004-12-15 07:07 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17 . 2004-12-15 07:07 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17 . 2004-12-15 07:07 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\Hailey\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-17 23:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 10:56 . 2010-10-15 10:56 -------- d-----w- c:\program files\iPod
2010-10-15 10:56 . 2010-10-15 10:57 -------- d-----w- c:\program files\iTunes
2010-10-11 10:29 . 2010-10-11 10:29 -------- d-----w- c:\documents and settings\Hailey\Application Data\Registry Mechanic
2010-10-10 15:38 . 2010-10-28 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 11:38 . 2009-11-07 18:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 11:38 . 2009-03-14 21:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-20 11:38 . 2009-03-14 21:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot@2010-11-05_19.32.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-07 21:52 . 2010-11-07 21:52 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
+ 2010-11-07 21:53 . 2010-11-07 21:53 16384 c:\windows\Temp\Perflib_Perfdata_398.dat
+ 2004-08-04 12:00 . 2010-11-07 21:54 71002 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-10-28 22:53 71002 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-07 21:54 440684 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-10-28 22:53 440684 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"nwiz"="nwiz.exe" [2006-07-25 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-06-27 540672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-20 864112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

c:\documents and settings\Hailey\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2009 4:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2010 6:43 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2010 6:43 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
S3 ftsbvcap;ftsbvcap;\??\c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\ftsbvcap.sys [?]
S3 isffp_sd;isffp_sd;\??\c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\lredbooo.sys [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder

2010-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:37]

2010-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004Core.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]

2010-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004UA.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25579
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-07 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-11-07 17:55:02
ComboFix-quarantined-files.txt 2010-11-07 22:55
ComboFix2.txt 2010-11-05 19:34

Pre-Run: 49,063,305,216 bytes free
Post-Run: 49,055,408,128 bytes free

- - End Of File - - F2DB76D0E9E465551EF48621C9D27A55

 

[hlratliff]

Good morning Bobbye. Where would you like to go from here?

 

[Bobbye]

Sorry, I started on this last night but had internet connections keep going down!

Please run this Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\docume~1\hailey\locals~1\temp\ftsbvcap.sys
c:\docume~1\hailey\locals~1\temp\isffp_sd.sys
c:\docume~1\hailey\locals~1\temp\lredbooo.sys
c:\documents and settings\All Users\Application Data\TEMP
d:\PciCon.sys 

Folder::
c:\docume~1\hailey\applic~1\Smart Engine
c:\docume~1\alluse~1\applic~1\SMWBSJMZDAE
c:\docume~1\alluse~1\applic~1\088357

DDS::
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCfox000&ptb=CftqMQZLQGZ8.nq1HwPEmg
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25579

Registry::
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe

Driver::
ftsbvcap
sffp_sd
lredbooo
PciCon

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================

 

[hlratliff]

Good morning Bobbye. Sorry to hear about your internet connection problems. That can be very frustrating. I really appreciate your help and figured you must be having problems because you are usually right on top of things. Anyway, below you will find the combofix log. I await to hear from you.

ComboFix 10-11-10.03 - Hailey 11/11/2010 10:57:53.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.361 [GMT -5:00]
Running from: c:\documents and settings\Hailey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Hailey\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 101111-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\docume~1\hailey\locals~1\temp\ftsbvcap.sys"
"c:\docume~1\hailey\locals~1\temp\isffp_sd.sys"
"c:\docume~1\hailey\locals~1\temp\lredbooo.sys"
"c:\documents and settings\All Users\Application Data\TEMP"
"d:\PciCon.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\SMWBSJMZDAE
c:\docume~1\alluse~1\applic~1\SMWBSJMZDAE\SMBQUEBBE.cfg

.
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
.

2010-11-05 18:44 . 2010-11-05 18:44 -------- d-----w- c:\program files\ESET
2010-11-05 02:03 . 2010-11-05 02:03 -------- d-----w- c:\program files\7-Zip
2010-11-04 19:24 . 2010-11-04 19:26 -------- d-----w- c:\program files\CCleaner
2010-10-31 12:12 . 2010-10-31 12:12 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\HP
2010-10-31 12:11 . 2010-11-11 12:59 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\ApplicationHistory
2010-10-28 22:58 . 2010-10-28 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-10-28 22:56 . 2010-10-28 22:57 -------- d-----w- c:\program files\Common Files\HP
2010-10-28 22:55 . 2010-10-28 22:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-28 22:54 . 2010-10-28 22:54 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-28 22:53 . 2010-10-28 22:53 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38 . 2004-09-29 16:15 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:38 . 2004-09-29 16:12 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38 . 2004-09-29 16:09 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38 . 2004-09-29 16:09 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38 . 2004-09-29 16:08 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:37 . 2010-10-28 22:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19 . 2004-12-15 07:07 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19 . 2004-12-15 07:07 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19 . 2004-12-15 07:07 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18 . 2004-12-15 07:07 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18 . 2004-12-15 07:07 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18 . 2004-12-15 07:07 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18 . 2004-12-15 07:07 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17 . 2004-12-15 07:07 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17 . 2004-12-15 07:07 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17 . 2004-12-15 07:07 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\Hailey\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-17 23:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 10:56 . 2010-10-15 10:56 -------- d-----w- c:\program files\iPod
2010-10-15 10:56 . 2010-10-15 10:57 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 11:38 . 2009-11-07 18:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 11:38 . 2009-03-14 21:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-20 11:38 . 2009-03-14 21:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot@2010-11-05_19.32.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-11 12:59 . 2010-11-11 12:59 16384 c:\windows\Temp\Perflib_Perfdata_6dc.dat
+ 2010-11-11 12:59 . 2010-11-11 12:59 16384 c:\windows\Temp\Perflib_Perfdata_288.dat
+ 2004-08-04 12:00 . 2010-11-07 21:54 71002 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-10-28 22:53 71002 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-07 21:54 440684 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-10-28 22:53 440684 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"nwiz"="nwiz.exe" [2006-07-25 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-20 864112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

c:\documents and settings\Hailey\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2009 4:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2010 6:43 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2010 6:43 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
S3 isffp_sd;isffp_sd;\??\c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:37]

2010-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004Core.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004UA.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 11:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-11 11:04:54
ComboFix-quarantined-files.txt 2010-11-11 16:04
ComboFix2.txt 2010-11-09 03:06
ComboFix3.txt 2010-11-07 22:55
ComboFix4.txt 2010-11-05 19:34

Pre-Run: 49,045,602,304 bytes free
Post-Run: 49,035,489,280 bytes free

- - End Of File - - 5171EB988B66DB5F772C26CA5E144C57

 

[Bobbye]

Thanks for the patience. The problem started again this morning but there was already a tech on the way. I "think" he resolved the problem- which we couldn't find!!

Do you have any idea what this is?
c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys
I removed it with script, it shows deleted but it's back on this Combofix log. I'm going to try and get some info on it: The closet I came for an ID was related to the Forrestry Service Symposium in Malysia which did not ppear to be computer related.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :file
  c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys
  
  :service
  isffp_sd

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[hlratliff]

I have no idea what c:\docume~1\Hailey etc... is. Below is the log.



SystemLook 04.09.10 by jpshortstuff
Log created at 14:09 on 11/11/2010 by Hailey
Administrator - Elevation successful

========== file ==========

c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys - Unable to find/read file.

========== service ==========

isffp_sd
isffp_sd
(No Description)
Current Status: Stopped
Startup Type: Demand
Error Control: Critical
Binary: \??\C:\DOCUME~1\Hailey\LOCALS~1\Temp\isffp_sd.sys
Group: (none)
SafeBoot:
Dependencies:
(none)
Dependant Services:
(none)

-= EOF =-

 

[Bobbye]

Please run this Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys 

Driver::
isffp_sd

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
====================
The Service is stopped, set to run on Demand. When you finish running the script again, Please do the following:
Use Windows Exxplorer: Windows key + E> with WE open> click on Tools> Folder Options> View tab> Check 'show hidden files and folders'> uncheck 'hide operating system files (Recommended)> Apply> OK
Now click on My Computer> Local Drive (C)> Documents and Settings> Hailey documents and settings> look for the following> delete if found:
\c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys --> c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys.
Go back and rehide the files and folders

 

[hlratliff]

Good evening Bobbye. I ran the script and will post the log. I also unhid the files and folders and the operating system files. I did not find the document or file. I will await to hear from you as to what we are going to do next. Thank you again for all your help.

ComboFix 10-11-12.01 - Hailey 11/12/2010 18:27:41.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.426 [GMT -5:00]
Running from: c:\documents and settings\Hailey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Hailey\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 101112-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\docume~1\Hailey\LOCALS~1\Temp\isffp_sd.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_isffp_sd


((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.

2010-11-05 18:44 . 2010-11-05 18:44 -------- d-----w- c:\program files\ESET
2010-11-05 02:03 . 2010-11-05 02:03 -------- d-----w- c:\program files\7-Zip
2010-11-04 19:24 . 2010-11-04 19:26 -------- d-----w- c:\program files\CCleaner
2010-10-31 12:12 . 2010-10-31 12:12 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\HP
2010-10-31 12:11 . 2010-11-12 23:32 -------- d-----w- c:\documents and settings\Hailey\Local Settings\Application Data\ApplicationHistory
2010-10-28 22:58 . 2010-10-28 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-10-28 22:56 . 2010-10-28 22:57 -------- d-----w- c:\program files\Common Files\HP
2010-10-28 22:55 . 2010-10-28 22:55 -------- d-----w- c:\program files\Hewlett-Packard
2010-10-28 22:54 . 2010-10-28 22:54 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-10-28 22:53 . 2010-10-28 22:53 -------- d-----w- c:\windows\system32\URTTEMP
2010-10-28 22:48 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-28 22:48 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-28 22:38 . 2007-08-09 07:27 73728 ----a-w- c:\windows\system32\HPZipm12.exe
2010-10-28 22:38 . 2004-09-29 16:15 204800 ----a-w- c:\windows\system32\HPZipr12.dll
2010-10-28 22:38 . 2004-09-29 16:12 278584 ----a-w- c:\windows\system32\HPZidr12.dll
2010-10-28 22:38 . 2004-09-29 16:09 57344 ----a-w- c:\windows\system32\HPZisn12.dll
2010-10-28 22:38 . 2004-09-29 16:09 94208 ----a-w- c:\windows\system32\HPZipt12.dll
2010-10-28 22:38 . 2004-09-29 16:08 61440 ----a-w- c:\windows\system32\HPZinw12.exe
2010-10-28 22:37 . 2010-10-28 22:58 -------- d-----w- c:\program files\HP
2010-10-28 22:19 . 2004-12-15 07:07 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2010-10-28 22:19 . 2004-12-15 07:07 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2010-10-28 22:19 . 2004-12-15 07:07 51120 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2010-10-28 22:18 . 2004-12-15 07:07 274432 ----a-w- c:\windows\system32\HPZc3212.dll
2010-10-28 22:18 . 2004-12-15 07:07 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-10-28 22:18 . 2004-12-15 07:07 229376 ----a-w- c:\windows\system32\hpovst08.dll
2010-10-28 22:18 . 2004-12-15 07:07 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-10-28 22:17 . 2004-12-15 07:07 139345 ----a-w- c:\windows\system32\hpzlnt12.dll
2010-10-28 22:17 . 2004-12-15 07:07 393216 ----a-w- c:\windows\system32\hpzcon12.dll
2010-10-28 22:17 . 2004-12-15 07:07 196608 ----a-w- c:\windows\system32\hpzcoi12.dll
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\Hailey\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-17 23:10 . 2010-10-17 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-17 23:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-15 10:56 . 2010-10-15 10:56 -------- d-----w- c:\program files\iPod
2010-10-15 10:56 . 2010-10-15 10:57 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 11:38 . 2009-11-07 18:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-20 11:38 . 2009-03-14 21:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-20 11:38 . 2009-03-14 21:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 5898240]
"nwiz"="nwiz.exe" [2006-07-25 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-09-20 864112]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

c:\documents and settings\Hailey\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Wireless Configuration Utility HW.15.lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2007-1-30 577536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2009 4:09 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2010 6:43 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2010 6:43 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1352832]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 8:57 AM 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-11-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 11:37]

2010-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004Core.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1275210071-839522115-1004UA.job
- c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-04 11:39]
.
.
------- Supplementary Scan -------
.
IE: &Search
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Hailey\Application Data\Mozilla\Firefox\Profiles\mbvfz1x4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-12 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RUNDLL32.EXE
c:\documents and settings\Hailey\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-11-12 18:46:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-12 23:46
ComboFix2.txt 2010-11-11 16:04
ComboFix3.txt 2010-11-09 03:06
ComboFix4.txt 2010-11-07 22:55
ComboFix5.txt 2010-11-12 23:23

Pre-Run: 49,041,879,040 bytes free
Post-Run: 49,031,966,720 bytes free

- - End Of File - - 2392808DE67CFC998D577315F7AFA5FA