My son browsed to a website this past weekend (October 17th @ 12:07am) that contained a malicious ad that attempted a drive-by install of SmitFraud on our Dell laptop via an old Adobe Reader exploit (now updated to v9.2.0

But the system isn't clean.

I've tried everything I can think of to clean up this problem, and am now admitting defeat.

OS: WinXP/SP3 w/all patches
Browser: IE7 w/all patches
A/V: ZoneAlarm Security Suite v8.0.400.020 w/up-to-date signatures
Thanks in advance,
Propeller Head
Edit: For what it's worth, I just tested Yahoo and Bing and they also get redirected like Google does.
************ Contents of the DDS.txt log ************
DDS (Ver_09-10-13.01) - NTFSx86
Run by Owner at 19:02:48.51 on Tue 10/20/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.470 [GMT -5:00]
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [NoActiveDesktopChanges] 00000000
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193947031277
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {576B191F-974F-4789-BE69-A7F1F182075F} = 142.161.2.155,142.161.130.155
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 74480]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2008-7-7 2368]
S3 PD91Agent;PD91Agent;c:\program files\perfectdisk\PD91Agent.exe [2008-1-16 664840]
S3 PD91Engine;PD91Engine;c:\program files\perfectdisk\PD91Engine.exe [2008-1-16 894216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
=============== Created Last 30 ================
2009-10-19 18:59 <DIR> --d----- c:\program files\ComboFix
2009-10-19 18:33 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-10-19 18:33 50,176 a------- c:\windows\system32\proquota.exe
2009-10-19 18:11 236,544 a------- c:\windows\PEV.exe
2009-10-19 18:11 161,792 a------- c:\windows\SWREG.exe
2009-10-19 18:11 98,816 a------- c:\windows\sed.exe
2009-10-18 11:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-18 11:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-18 00:09 <DIR> --d----- c:\program files\Sysinternals
2009-10-17 18:45 <DIR> --d----- c:\program files\SmitfraudFix
2009-10-17 18:44 <DIR> --d----- c:\program files\smitRem
2009-10-17 17:56 <DIR> --d----- c:\program files\BlackLight
2009-10-17 15:44 <DIR> --d----- c:\program files\CWShredder
2009-10-17 13:05 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-10-17 13:05 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-17 13:05 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-17 13:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 19:26 <DIR> --d----- c:\windows\system32\URTTEMP
2009-10-13 18:52 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-10-13 17:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-13 17:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-13 17:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-13 17:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-13 17:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-13 17:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-13 17:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-13 17:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-09-24 21:36 <DIR> --d----- c:\program files\VirtualDub
==================== Find3M ====================
2009-10-20 19:02 422,507,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-10-19 22:23 5,659,136 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-10-13 15:39 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 02:36 832,512 -------- c:\windows\system32\wininet.dll
2009-08-29 02:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 02:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 09:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2008-06-30 21:50 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2007-11-02 17:44 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-02 17:44 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-02 17:44 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-02 17:44 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-02 17:44 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-02 17:44 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-02 17:44 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-02 17:44 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-02 17:44 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2008-07-01 00:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070120080702\index.dat
============= FINISH: 19:04:20.32 ===============
Edited by Propeller Head, 22 October 2009 - 08:08 AM.