Removed Security Tool malware using guide, now with Informationgetter.com pop-up


8 replies to this topic

#1 nobrainer

Posted 03 March 2010 - 05:18 PM

I was having Security Tool pop-ups and used the bleepingcomputer.com virus removal thread and followed all the steps. I still have pop-ups for informationgetter.com. I have used Malwarebytes Anti-Malware and still have problems. Please help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jessica Garza at 14:43:28.79 on Wed 03/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1011 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\All Users\Desktop\Support\connection_mon\ConnectionMonitor.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jessica Garza\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = https://www.newphysicianlink.org/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Yrafugiyel] rundll32.exe "c:\windows\eqaziwesi.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Trusted Zone: newphysicianlink.org
Trusted Zone: preview.newphysicianlink.org
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} - hxxps://www.newphysicianlink.org/DSK_LOGINProj1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxps://mhhswebpacsdmz.mhhs.org/ami/install/amiviewer.cab
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://www.newphysicianlink.org/MHHS_Portal_Login_09.cab
DPF: {C9AB7412-4FA3-40FC-993F-AA12BD65AB6E} - hxxps://www.newphysicianlink.org/sso_launch_proj.cab
DPF: {CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {F4B4D5AF-AB15-4A91-8AB3-566345E60010} - hxxps://www.newphysicianlink.org/phyapps/facesheetplnew/mhhsprint.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\program files\eclinicalworks\wowctl2.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessic~1\applic~1\mozilla\firefox\profiles\y4fpebnb.default\
FF - prefs.js: browser.startup.homepage - hxxps://pcgcapone.physiciancapitalgroup.com/gba
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJPI142_18.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB} - c:\documents and settings\jessica garza\local settings\application data\{BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB}

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [2008-11-16 24888]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-1 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-16 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-16 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-16 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-16 297752]
R2 ConnectionMonitor;ConnectionMonitor;c:\documents and settings\all users\desktop\support\connection_mon\ConnectionMonitor.exe [2008-11-18 74077]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-1 38224]
S0 ewjfzb;ewjfzb; [x]
S2 gupdate1ca5bf186fa5d62;Google Update Service (gupdate1ca5bf186fa5d62);c:\program files\google\update\GoogleUpdate.exe [2009-11-2 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-03-03 20:36:44 0 ----a-w- c:\documents and settings\jessica garza\defogger_reenable
2010-03-03 18:49:30 120 ----a-w- c:\windows\Rpolabafit.dat
2010-03-03 18:49:30 0 ----a-w- c:\windows\Yhefafuzacanuv.bin
2010-03-01 23:36:35 0 dc-h--w- c:\windows\ie8
2010-03-01 21:12:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-01 21:11:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 21:11:43 0 d-----w- c:\docume~1\jessic~1\applic~1\SUPERAntiSpyware.com
2010-03-01 21:09:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-01 20:45:07 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-01 20:45:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 20:43:59 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-01 20:43:41 0 d-----w- c:\program files\Lavasoft
2010-03-01 19:37:13 0 d-----w- c:\docume~1\jessic~1\applic~1\Malwarebytes
2010-03-01 19:37:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 19:37:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-01 19:37:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 19:37:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 17:03:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-01 17:03:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-22 20:06:45 0 d-sh--w- c:\documents and settings\jessica garza\IECompatCache

==================== Find3M ====================

2010-03-01 18:55:56 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26:15 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:51 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-12-03 15:03:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111020081117\index.dat
2008-12-03 15:03:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120320081204\index.dat

============= FINISH: 14:48:31.84 ===============

#2 fenzodahl512

Posted 04 March 2010 - 11:09 AM

Please download TDSSKiller.zip and unzip it to your Desktop

Run TDSSKiller and wait until it finishes (it should take just a few seconds, or under a minute).. Then find the log on your %systemdrive% (the drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 nobrainer (Topic Starter)

Posted 05 March 2010 - 11:42 AM

Here is the TDSSKiller report:

10:03:22:906 1652 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
10:03:22:906 1652 ================================================================================
10:03:22:906 1652 SystemInfo:

10:03:22:906 1652 OS Version: 5.1.2600 ServicePack: 3.0
10:03:22:906 1652 Product type: Workstation
10:03:22:906 1652 ComputerName: FALL-D530
10:03:22:906 1652 UserName: Jessica Garza
10:03:22:906 1652 Windows directory: C:\WINDOWS
10:03:22:906 1652 Processor architecture: Intel x86
10:03:22:906 1652 Number of processors: 2
10:03:22:906 1652 Page size: 0x1000
10:03:22:906 1652 Boot type: Normal boot
10:03:22:906 1652 ================================================================================
10:03:22:937 1652 UnloadDriverW: NtUnloadDriver error 2
10:03:22:937 1652 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:03:23:000 1652 Initialize success
10:03:23:000 1652
10:03:23:000 1652 Scanning Services ...
10:03:23:000 1652 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:03:23:000 1652 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:03:23:000 1652 wfopen_ex: Trying to KLMD file open
10:03:23:000 1652 wfopen_ex: File opened ok (Flags 2)
10:03:23:000 1652 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:03:23:000 1652 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:03:23:000 1652 wfopen_ex: Trying to KLMD file open
10:03:23:000 1652 wfopen_ex: File opened ok (Flags 2)
10:03:23:937 1652 GetAdvancedServicesInfo: Raw services enum returned 336 services
10:03:23:953 1652 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:03:23:953 1652 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:03:23:953 1652
10:03:23:953 1652 Scanning Kernel memory ...
10:03:23:953 1652 Devices to scan: 3
10:03:23:953 1652
10:03:23:953 1652 Driver Name: Disk
10:03:23:953 1652 IRP_MJ_CREATE : BA11EBB0
10:03:23:953 1652 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
10:03:23:953 1652 IRP_MJ_CLOSE : BA11EBB0
10:03:23:953 1652 IRP_MJ_READ : BA118D1F
10:03:23:953 1652 IRP_MJ_WRITE : BA118D1F
10:03:23:953 1652 IRP_MJ_QUERY_INFORMATION : 804F4562
10:03:23:953 1652 IRP_MJ_SET_INFORMATION : 804F4562
10:03:23:953 1652 IRP_MJ_QUERY_EA : 804F4562
10:03:23:953 1652 IRP_MJ_SET_EA : 804F4562
10:03:23:953 1652 IRP_MJ_FLUSH_BUFFERS : BA1192E2
10:03:23:953 1652 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
10:03:23:953 1652 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
10:03:23:953 1652 IRP_MJ_DIRECTORY_CONTROL : 804F4562
10:03:23:953 1652 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
10:03:23:953 1652 IRP_MJ_DEVICE_CONTROL : BA1193BB
10:03:23:953 1652 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA11CF28
10:03:23:953 1652 IRP_MJ_SHUTDOWN : BA1192E2
10:03:23:953 1652 IRP_MJ_LOCK_CONTROL : 804F4562
10:03:23:953 1652 IRP_MJ_CLEANUP : 804F4562
10:03:23:953 1652 IRP_MJ_CREATE_MAILSLOT : 804F4562
10:03:23:953 1652 IRP_MJ_QUERY_SECURITY : 804F4562
10:03:23:953 1652 IRP_MJ_SET_SECURITY : 804F4562
10:03:23:953 1652 IRP_MJ_POWER : BA11AC82
10:03:23:953 1652 IRP_MJ_SYSTEM_CONTROL : BA11F99E
10:03:23:953 1652 IRP_MJ_DEVICE_CHANGE : 804F4562
10:03:23:953 1652 IRP_MJ_QUERY_QUOTA : 804F4562
10:03:23:953 1652 IRP_MJ_SET_QUOTA : 804F4562
10:03:23:968 1652 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
10:03:23:968 1652 sion
10:03:23:968 1652 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:03:23:968 1652
10:03:23:968 1652 Driver Name: Disk
10:03:23:968 1652 IRP_MJ_CREATE : BA11EBB0
10:03:23:968 1652 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
10:03:23:968 1652 IRP_MJ_CLOSE : BA11EBB0
10:03:23:968 1652 IRP_MJ_READ : BA118D1F
10:03:23:968 1652 IRP_MJ_WRITE : BA118D1F
10:03:23:968 1652 IRP_MJ_QUERY_INFORMATION : 804F4562
10:03:23:968 1652 IRP_MJ_SET_INFORMATION : 804F4562
10:03:23:968 1652 IRP_MJ_QUERY_EA : 804F4562
10:03:23:968 1652 IRP_MJ_SET_EA : 804F4562
10:03:23:968 1652 IRP_MJ_FLUSH_BUFFERS : BA1192E2
10:03:23:968 1652 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
10:03:23:968 1652 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
10:03:23:968 1652 IRP_MJ_DIRECTORY_CONTROL : 804F4562
10:03:23:968 1652 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
10:03:23:968 1652 IRP_MJ_DEVICE_CONTROL : BA1193BB
10:03:23:968 1652 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA11CF28
10:03:23:968 1652 IRP_MJ_SHUTDOWN : BA1192E2
10:03:23:968 1652 IRP_MJ_LOCK_CONTROL : 804F4562
10:03:23:968 1652 IRP_MJ_CLEANUP : 804F4562
10:03:23:968 1652 IRP_MJ_CREATE_MAILSLOT : 804F4562
10:03:23:968 1652 IRP_MJ_QUERY_SECURITY : 804F4562
10:03:23:968 1652 IRP_MJ_SET_SECURITY : 804F4562
10:03:23:968 1652 IRP_MJ_POWER : BA11AC82
10:03:23:968 1652 IRP_MJ_SYSTEM_CONTROL : BA11F99E
10:03:23:968 1652 IRP_MJ_DEVICE_CHANGE : 804F4562
10:03:23:968 1652 IRP_MJ_QUERY_QUOTA : 804F4562
10:03:23:968 1652 IRP_MJ_SET_QUOTA : 804F4562
10:03:23:968 1652 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
10:03:23:968 1652 sion
10:03:23:968 1652 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:03:23:968 1652
10:03:23:968 1652 Driver Name: atapi
10:03:23:968 1652 IRP_MJ_CREATE : 89CBEA9A
10:03:23:968 1652 IRP_MJ_CREATE_NAMED_PIPE : 89CBEA9A
10:03:23:968 1652 IRP_MJ_CLOSE : 89CBEA9A
10:03:23:968 1652 IRP_MJ_READ : 89CBEA9A
10:03:23:968 1652 IRP_MJ_WRITE : 89CBEA9A
10:03:23:968 1652 IRP_MJ_QUERY_INFORMATION : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SET_INFORMATION : 89CBEA9A
10:03:23:968 1652 IRP_MJ_QUERY_EA : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SET_EA : 89CBEA9A
10:03:23:968 1652 IRP_MJ_FLUSH_BUFFERS : 89CBEA9A
10:03:23:968 1652 IRP_MJ_QUERY_VOLUME_INFORMATION : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SET_VOLUME_INFORMATION : 89CBEA9A
10:03:23:968 1652 IRP_MJ_DIRECTORY_CONTROL : 89CBEA9A
10:03:23:968 1652 IRP_MJ_FILE_SYSTEM_CONTROL : 89CBEA9A
10:03:23:968 1652 IRP_MJ_DEVICE_CONTROL : 89CBEA9A
10:03:23:968 1652 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SHUTDOWN : 89CBEA9A
10:03:23:968 1652 IRP_MJ_LOCK_CONTROL : 89CBEA9A
10:03:23:968 1652 IRP_MJ_CLEANUP : 89CBEA9A
10:03:23:968 1652 IRP_MJ_CREATE_MAILSLOT : 89CBEA9A
10:03:23:968 1652 IRP_MJ_QUERY_SECURITY : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SET_SECURITY : 89CBEA9A
10:03:23:968 1652 IRP_MJ_POWER : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SYSTEM_CONTROL : 89CBEA9A
10:03:23:968 1652 IRP_MJ_DEVICE_CHANGE : 89CBEA9A
10:03:23:968 1652 IRP_MJ_QUERY_QUOTA : 89CBEA9A
10:03:23:968 1652 IRP_MJ_SET_QUOTA : 89CBEA9A
10:03:23:984 1652 ihd: 0, 0, 607, 138, 3, 120, 1
10:03:23:984 1652 Driver "atapi" Irp handler infected by TDSS rootkit ... 10:03:23:984 1652 cured
10:03:23:984 1652 Driver "atapi" StartIo handler infected by TDSS rootkit ... 10:03:23:984 1652 cured
10:03:23:984 1652 siohd: 1
10:03:23:984 1652 Driver "atapi" StartIo handler infected by TDSS rootkit ... 10:03:23:984 1652 cured
10:03:23:984 1652 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
10:03:23:984 1652 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 10:03:23:984 1652 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:03:23:984 1652 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:03:24:218 1652 vfvi6
10:03:24:328 1652 !dsvbh1
10:03:26:562 1652 dsvbh2
10:03:26:562 1652 fdfb2
10:03:26:562 1652 Backup copy found, using it..
10:03:26:687 1652 will be cured on next reboot
10:03:26:687 1652 Reboot required for cure complete..
10:03:26:734 1652 Cure on reboot scheduled successfully
10:03:26:734 1652
10:03:26:734 1652 Completed
10:03:26:734 1652
10:03:26:734 1652 Results:
10:03:26:734 1652 Memory objects infected / cured / cured on reboot: 3 / 3 / 0
10:03:26:734 1652 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:03:26:734 1652 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:03:26:734 1652
10:03:26:734 1652 UnloadDriverW: NtUnloadDriver error 1
10:03:26:734 1652 KLMD_Unload: UnloadDriverW(klmd21) error 1
10:03:26:734 1652 KLMD(ARK) unloaded successfully

Here is the Combo-Fix Log:

ComboFix 10-03-04.05 - Jessica Garza 03/05/2010 10:32:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1359 [GMT -6:00]
Running from: c:\documents and settings\Jessica Garza\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jessica Garza\Local Settings\Application Data\{BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB}
c:\documents and settings\Jessica Garza\Local Settings\Application Data\{BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB}\chrome.manifest
c:\documents and settings\Jessica Garza\Local Settings\Application Data\{BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB}\chrome\content\_cfg.js
c:\documents and settings\Jessica Garza\Local Settings\Application Data\{BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB}\chrome\content\overlay.xul
c:\documents and settings\Jessica Garza\Local Settings\Application Data\{BF63A6C3-7429-4BD9-82E1-CD0F70C1FBBB}\install.rdf
c:\documents and settings\Jessica Garza\Local Settings\Temporary Internet Files\0PBA8yBB.jpg
c:\documents and settings\Jessica Garza\Local Settings\Temporary Internet Files\10j70Mmbp.jpg
c:\documents and settings\Jessica Garza\Local Settings\Temporary Internet Files\5MN88b8L.jpg
c:\documents and settings\Jessica Garza\Local Settings\Temporary Internet Files\x8PX6.jpg
c:\documents and settings\LocalService\Local Settings\Application Data\av.exe
c:\windows\AegisP.inf
c:\windows\eqaziwesi.dll
c:\windows\system32\136648.exe
c:\windows\system32\15076.exe
c:\windows\system32\201946.exe
c:\windows\system32\228290.exe
c:\windows\system32\261151.exe
c:\windows\system32\273620.exe
c:\windows\system32\294093.exe
c:\windows\system32\295084.exe
c:\windows\system32\295382.exe
c:\windows\system32\353343.exe
c:\windows\system32\368283.exe
c:\windows\system32\413463.exe
c:\windows\system32\464199.exe
c:\windows\system32\47556.exe
c:\windows\system32\511111.exe
c:\windows\system32\637317.exe
c:\windows\system32\654689.exe
c:\windows\system32\705280.exe
c:\windows\system32\729387.exe
c:\windows\system32\736713.exe
c:\windows\system32\844416.exe
c:\windows\system32\849856.exe
c:\windows\system32\854941.exe
c:\windows\system32\903658.exe
c:\windows\system32\908485.exe
c:\windows\system32\908682.exe
c:\windows\system32\91521.exe
c:\windows\system32\93479.exe
c:\windows\system32\94350.exe
c:\windows\system32\973470.exe
c:\windows\system32\977958.exe
c:\windows\system32\979531.exe
c:\windows\system32\config\systemprofile\Application Data\avdrn.dat
c:\windows\system32\kr_done1

.
((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
.

2010-03-04 19:26 . 2010-03-04 19:26 57856 ---h--w- c:\documents and settings\NetworkService\sqxntx.exe
2010-03-04 19:26 . 2010-03-04 19:26 57856 ----a-w- c:\windows\system32\ibt.exe
2010-03-03 19:37 . 2010-03-03 19:37 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-03 18:49 . 2010-03-05 15:57 0 ----a-w- c:\windows\Yhefafuzacanuv.bin
2010-03-03 18:49 . 2010-03-03 23:15 120 ----a-w- c:\windows\Rpolabafit.dat
2010-03-01 23:36 . 2010-03-03 22:07 -------- dc-h--w- c:\windows\ie8
2010-03-01 21:13 . 2010-03-01 21:13 52224 ----a-w- c:\documents and settings\Jessica Garza\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 21:13 . 2010-03-01 21:13 117760 ----a-w- c:\documents and settings\Jessica Garza\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 21:12 . 2010-03-01 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-01 21:11 . 2010-03-01 21:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 21:11 . 2010-03-01 21:11 -------- d-----w- c:\documents and settings\Jessica Garza\Application Data\SUPERAntiSpyware.com
2010-03-01 21:09 . 2010-03-01 21:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-01 20:45 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-01 20:45 . 2010-03-01 20:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 20:45 . 2010-03-01 20:45 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-01 20:45 . 2010-03-01 20:45 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-01 20:45 . 2010-03-01 20:45 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-01 20:45 . 2010-03-01 20:45 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-01 20:45 . 2010-03-01 20:45 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-01 20:45 . 2010-03-01 20:45 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-03-01 20:45 . 2010-03-01 20:45 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-03-01 20:43 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-01 20:43 . 2010-03-01 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-01 20:43 . 2010-03-01 20:44 -------- d-----w- c:\program files\Lavasoft
2010-03-01 19:37 . 2010-03-01 19:37 -------- d-----w- c:\documents and settings\Jessica Garza\Application Data\Malwarebytes
2010-03-01 19:37 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 19:37 . 2010-03-01 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 19:37 . 2010-03-03 19:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 19:37 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 17:34 . 2010-03-01 17:34 -------- d-sh--w- c:\documents and settings\Gregg Castillo\PrivacIE
2010-03-01 17:03 . 2010-03-01 17:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-01 17:03 . 2010-03-01 17:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-22 20:06 . 2010-02-22 20:06 -------- d-sh--w- c:\documents and settings\Jessica Garza\IECompatCache
2010-02-19 18:14 . 2010-02-19 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-17 19:11 . 2010-02-17 19:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-02-17 18:25 . 2010-02-17 18:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 16:29 . 2008-11-16 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-05 16:05 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-04 15:10 . 2008-11-18 16:35 -------- d-----w- c:\program files\eClinicalWorks
2010-03-03 18:45 . 2010-03-03 18:45 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\capmfe.dat
2010-03-01 20:45 . 2010-03-01 20:44 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-03-01 17:30 . 2008-11-18 16:18 13664 ----a-w- c:\documents and settings\Gregg Castillo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-11-16 21:39 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2008-02-08 03:46 . 2008-02-08 03:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 03:46 . 2008-02-08 03:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 03:46 . 2008-02-08 03:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 03:46 . 2008-02-08 03:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 03:46 . 2008-02-08 03:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 03:46 . 2008-02-08 03:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 03:46 . 2008-02-08 03:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-03-16 23:27 . 2007-03-16 23:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 23:27 . 2007-03-16 23:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 23:27 . 2007-03-16 23:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-07-20 18:47 . 2007-07-20 18:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 03:46 . 2008-02-08 03:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibt"="c:\windows\system32\ibt.exe \u" [X]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-30 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-07-28 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 14:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-12 20:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
iexping6 REG_SZ c:\windows\system32\hostdump.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\ibt.exe"=

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [11/16/2008 4:43 PM 24888]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/1/2010 2:45 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/16/2008 4:19 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/16/2008 4:19 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/16/2008 4:19 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/16/2008 4:19 PM 297752]
R2 ConnectionMonitor;ConnectionMonitor;c:\documents and settings\All Users\Desktop\Support\connection_mon\ConnectionMonitor.exe [11/18/2008 10:44 AM 74077]
S0 ewjfzb;ewjfzb; [x]
S2 gupdate1ca5bf186fa5d62;Google Update Service (gupdate1ca5bf186fa5d62);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2009 1:20 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:44]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 19:20]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = https://www.newphysicianlink.org/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: newphysicianlink.org
Trusted Zone: preview.newphysicianlink.org
DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} - hxxps://www.newphysicianlink.org/DSK_LOGINProj1.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxps://mhhswebpacsdmz.mhhs.org/ami/install/amiviewer.cab
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://www.newphysicianlink.org/MHHS_Portal_Login_09.cab
DPF: {C9AB7412-4FA3-40FC-993F-AA12BD65AB6E} - hxxps://www.newphysicianlink.org/sso_launch_proj.cab
DPF: {F4B4D5AF-AB15-4A91-8AB3-566345E60010} - hxxps://www.newphysicianlink.org/phyapps/facesheetplnew/mhhsprint.cab
FF - ProfilePath - c:\documents and settings\Jessica Garza\Application Data\Mozilla\Firefox\Profiles\y4fpebnb.default\
FF - prefs.js: browser.startup.homepage - hxxps://pcgcapone.physiciancapitalgroup.com/gba
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJPI142_18.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Yrafugiyel - c:\windows\eqaziwesi.dll
SafeBoot-klmdb.sys



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-03-05 10:37:16
ComboFix-quarantined-files.txt 2010-03-05 16:37

Pre-Run: 104,140,009,472 bytes free
Post-Run: 104,724,348,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3C1D887D56E68D2D8524FE93E9C1D739



#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 06 March 2010 - 12:43 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

Driver::
ewjfzb

Collect::
c:\documents and settings\NetworkService\sqxntx.exe
c:\windows\system32\ibt.exe
c:\windows\Yhefafuzacanuv.bin
c:\windows\Rpolabafit.dat

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibt"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ibt.exe"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
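The first ComboFix log above is what the helper's CFScript answers: a Run value ComboFix marks `[X]` because it cannot verify the file (`ibt.exe`), a boot-start service (`ewjfzb`) registered with no binary, a firewall exception punched for that same `ibt.exe`, Windows Firewall switched off, Security Center told not to alert about antivirus or firewall state, and an AppCertDlls entry (`hostdump.dll`) that Windows would load into every process calling the CreateProcess family. The script below is an added example, not code from this thread, from the helper, or from ComboFix: it parses a constructed excerpt of that log section, flags those loading points, and drafts the scriptable part in the CFScript layout shown in the post (section names and the `"value"=-` delete form are copied from it). The flagging rules are this example's own heuristics, nothing here asserts that `hostdump.dll` is malicious, and the entries the thread's script form does not cover are reported for manual follow-up instead of being scripted.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log and draft a CFScript.
Added example for this thread, not code from the post, the helper or ComboFix.
Section names (KillAll::, Driver::, Collect::, Registry::) and the "value"=-
delete form are copied from the CFScript posted above; the flagging rules are
this example's own assumptions, not ComboFix or analyst verdicts."""
import re

# Constructed test input: lines excerpted from the first ComboFix log in the
# thread, with benign entries (IgfxTray, sessmgr.exe, AvgTdiX) kept for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibt"="c:\windows\system32\ibt.exe \u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-30 141848]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
iexping6 REG_SZ c:\windows\system32\hostdump.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ibt.exe"=
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/16/2008 4:19 PM 108552]
S0 ewjfzb;ewjfzb; [x]
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
           r"\standardprofile\AuthorizedApplications\List")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(.*)\]$')               # "name"="cmd" [date size | X]
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$')  # R1 name;display;path [info]


def _norm(path):
    """Collapse the doubled backslashes ComboFix prints in firewall entries; lowercase."""
    return path.replace("\\\\", "\\").lower()


def triage(text):
    """Walk the loading-point lines; return the entries worth an analyst's attention."""
    findings, section, suspect_exes = [], "", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        svc = SVC_RE.match(line)
        if svc:  # registered service/driver whose binary is gone or hidden ([x], no path)
            if not svc.group(4) or svc.group(5).lower() == "x":
                findings.append({"kind": "service_no_file", "name": svc.group(2)})
        elif section == RUN_KEY.lower():
            m = RUN_RE.match(line)
            if m and m.group(3) == "X":  # [X]: ComboFix could not verify the file
                exe = re.match(r"(?i)^(.*?\.exe)", m.group(2))
                path = exe.group(1) if exe else m.group(2)
                suspect_exes.add(_norm(path))
                findings.append({"kind": "run_unverified", "name": m.group(1), "path": path})
        elif section.endswith(r"session manager\appcertdlls"):
            # Loaded into every process that calls the CreateProcess family: always review.
            parts = line.split(None, 2)
            if len(parts) == 3:
                findings.append({"kind": "appcertdll", "name": parts[0], "path": parts[2]})
        elif section.endswith(r"microsoft\security center"):
            if "override" in line.lower() and line.endswith("dword:00000001"):
                findings.append({"kind": "securitycenter_override", "name": line.split('"')[1]})
        elif section.endswith(r"firewallpolicy\standardprofile"):
            if line.lower().startswith('"enablefirewall"') and "(0x0)" in line:
                findings.append({"kind": "firewall_disabled"})
        elif section == FW_LIST.lower():
            value = line.strip('="')
            if _norm(value) in suspect_exes:  # exception punched for the unverified Run binary
                findings.append({"kind": "firewall_exception", "raw": value})
    return findings


def draft_cfscript(findings):
    """Render the scriptable findings in the CFScript layout the helper used."""
    drivers = [f["name"] for f in findings if f["kind"] == "service_no_file"]
    collect = [f["path"] for f in findings if f["kind"] == "run_unverified"]
    registry = []
    for f in findings:
        if f["kind"] == "run_unverified":
            registry += ["[%s]" % RUN_KEY, '"%s"=-' % f["name"]]
        elif f["kind"] == "firewall_exception":
            registry += ["[%s]" % FW_LIST, '"%s"=-' % f["raw"]]
    lines = ["KillAll::", ""]
    for header, body in (("Driver::", drivers), ("Collect::", collect), ("Registry::", registry)):
        if body:
            lines += [header, *body, ""]
    return "\n".join(lines)


def unscripted(findings):
    """Findings the thread's CFScript form does not cover; these need manual follow-up."""
    return [f for f in findings if f["kind"] in ("appcertdll", "securitycenter_override", "firewall_disabled")]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(draft_cfscript(found))
    print("Manual review:", [f.get("name", f["kind"]) for f in unscripted(found)])
```

Run against the excerpt, the draft reproduces the `Driver::`, `Collect::` and `Registry::` lines for `ewjfzb` and `ibt.exe` that the helper wrote by hand, while the AppCertDlls DLL, the two Security Center overrides and the disabled firewall land in the manual-review list. That split is deliberate: the only `Registry::` form shown in this thread deletes values, so re-enabling the firewall or clearing the overrides is left to the person driving the cleanup. Note that the second ComboFix log in the thread, taken after the script ran, still lists the AppCertDlls entry and both overrides, so a re-run of this triage on that log would rightly keep flagging them.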


#5 nobrainer

nobrainer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:25 PM

Posted 06 March 2010 - 06:59 PM

Thanks for all your help. I'm not sure if Combofix submitted the requested zip file so I sent it through the link you provided via the Qoobox folder. Here are the logs:

ComboFix 10-03-06.03 - Jessica Garza 03/06/2010 17:28:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1468 [GMT -6:00]
Running from: c:\documents and settings\Jessica Garza\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jessica Garza\Desktop\CFScript.txt

file zipped: c:\documents and settings\NetworkService\sqxntx.exe
file zipped: c:\windows\Rpolabafit.dat
file zipped: c:\windows\system32\ibt.exe
file zipped: c:\windows\Yhefafuzacanuv.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\sqxntx.exe
c:\windows\Rpolabafit.dat
c:\windows\system32\156671.exe
c:\windows\system32\699252.exe
c:\windows\system32\83931.exe
c:\windows\system32\93118.exe
c:\windows\system32\ibt.exe
c:\windows\Yhefafuzacanuv.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ewjfzb


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-05 16:29 . 2010-03-05 16:37 -------- d-----w- C:\Combo-Fix
2010-03-01 23:36 . 2010-03-03 22:07 -------- dc-h--w- c:\windows\ie8
2010-03-01 21:12 . 2010-03-01 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-01 21:11 . 2010-03-01 21:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 21:11 . 2010-03-01 21:11 -------- d-----w- c:\documents and settings\Jessica Garza\Application Data\SUPERAntiSpyware.com
2010-03-01 21:09 . 2010-03-01 21:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-01 20:45 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-03-01 20:45 . 2010-03-01 20:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-01 20:43 . 2010-03-01 20:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-01 20:43 . 2010-03-01 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-01 20:43 . 2010-03-01 20:44 -------- d-----w- c:\program files\Lavasoft
2010-03-01 19:37 . 2010-03-01 19:37 -------- d-----w- c:\documents and settings\Jessica Garza\Application Data\Malwarebytes
2010-03-01 19:37 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 19:37 . 2010-03-01 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 19:37 . 2010-03-03 19:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 19:37 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 17:34 . 2010-03-01 17:34 -------- d-sh--w- c:\documents and settings\Gregg Castillo\PrivacIE
2010-03-01 17:03 . 2010-03-01 17:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-01 17:03 . 2010-03-01 17:03 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-22 20:06 . 2010-02-22 20:06 -------- d-sh--w- c:\documents and settings\Jessica Garza\IECompatCache
2010-02-19 18:14 . 2010-02-19 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-17 19:11 . 2010-02-17 19:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-02-17 18:25 . 2010-02-17 18:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-05 16:05 . 2004-08-04 10:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-04 15:10 . 2008-11-18 16:35 -------- d-----w- c:\program files\eClinicalWorks
2010-03-03 19:37 . 2010-03-03 19:37 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-03 18:45 . 2010-03-03 18:45 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\capmfe.dat
2010-03-01 21:13 . 2010-03-01 21:13 52224 ----a-w- c:\documents and settings\Jessica Garza\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 21:13 . 2010-03-01 21:13 117760 ----a-w- c:\documents and settings\Jessica Garza\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 20:45 . 2010-03-01 20:45 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-01 20:45 . 2010-03-01 20:45 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-01 20:45 . 2010-03-01 20:45 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-01 20:45 . 2010-03-01 20:45 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-01 20:45 . 2010-03-01 20:45 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-01 20:45 . 2010-03-01 20:45 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-03-01 20:45 . 2010-03-01 20:45 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-03-01 20:45 . 2010-03-01 20:44 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-03-01 17:30 . 2008-11-18 16:18 13664 ----a-w- c:\documents and settings\Gregg Castillo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-04 15:53 . 2010-03-01 20:43 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-11-16 21:39 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2008-02-08 03:46 . 2008-02-08 03:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 03:46 . 2008-02-08 03:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 03:46 . 2008-02-08 03:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 03:46 . 2008-02-08 03:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 03:46 . 2008-02-08 03:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 03:46 . 2008-02-08 03:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 03:46 . 2008-02-08 03:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-03-16 23:27 . 2007-03-16 23:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 23:27 . 2007-03-16 23:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 23:27 . 2007-03-16 23:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-07-20 18:47 . 2007-07-20 18:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 03:46 . 2008-02-08 03:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-30 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-30 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-30 137752]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2007-05-06 405504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-07-28 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-12 20:53 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
iexping6 REG_SZ c:\windows\system32\hostdump.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [11/16/2008 4:43 PM 24888]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/1/2010 2:45 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 ConnectionMonitor;ConnectionMonitor;c:\documents and settings\All Users\Desktop\Support\connection_mon\ConnectionMonitor.exe [11/18/2008 10:44 AM 74077]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 9:52 AM 1229232]
S2 gupdate1ca5bf186fa5d62;Google Update Service (gupdate1ca5bf186fa5d62);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2009 1:20 PM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 20:44]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 19:20]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 19:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = https://www.newphysicianlink.org/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: newphysicianlink.org
Trusted Zone: preview.newphysicianlink.org
DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} - hxxps://www.newphysicianlink.org/DSK_LOGINProj1.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxps://mhhswebpacsdmz.mhhs.org/ami/install/amiviewer.cab
DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} - hxxps://www.newphysicianlink.org/MHHS_Portal_Login_09.cab
DPF: {C9AB7412-4FA3-40FC-993F-AA12BD65AB6E} - hxxps://www.newphysicianlink.org/sso_launch_proj.cab
DPF: {F4B4D5AF-AB15-4A91-8AB3-566345E60010} - hxxps://www.newphysicianlink.org/phyapps/facesheetplnew/mhhsprint.cab
FF - ProfilePath - c:\documents and settings\Jessica Garza\Application Data\Mozilla\Firefox\Profiles\y4fpebnb.default\
FF - prefs.js: browser.startup.homepage - hxxps://pcgcapone.physiciancapitalgroup.com/gba
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPJPI142_18.dll
FF - plugin: c:\program files\Java\j2re1.4.2_18\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-06 17:38:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 23:38
ComboFix2.txt 2010-03-05 16:37

Pre-Run: 105,001,889,792 bytes free
Post-Run: 104,955,121,664 bytes free

- - End Of File - - B478B0830FAB75388AF7CC36245970F9


The HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:02 PM, on 3/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Desktop\Support\connection_mon\ConnectionMonitor.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.newphysicianlink.org/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_18\bin\npjpi142_18.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_18\bin\npjpi142_18.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://www.newphysicianlink.org/DSK_LOGINProj1.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} (Centricity Web ViewApp Control 3.0 SPa05) - https://mhhswebpacsdmz.mhhs.org/ami/install/amiviewer.cab
O16 - DPF: {C6FAB351-8F12-4ED3-A9C1-4D3E86B0BB07} (MHHS_Login Control 2009) - https://www.newphysicianlink.org/MHHS_Portal_Login_09.cab
O16 - DPF: {C9AB7412-4FA3-40FC-993F-AA12BD65AB6E} (sso_launch Control) - https://www.newphysicianlink.org/sso_launch_proj.cab
O16 - DPF: {F4B4D5AF-AB15-4A91-8AB3-566345E60010} (mhhs_print Control) - https://www.newphysicianlink.org/phyapps/fa...w/mhhsprint.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: ConnectionMonitor - SteelBytes - C:\Documents and Settings\All Users\Desktop\Support\connection_mon\ConnectionMonitor.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca5bf186fa5d62) (gupdate1ca5bf186fa5d62) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7654 bytes
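Triaging a HijackThis log like the one above is mostly a matter of sorting the O-sections. The following Python example is added here and is not from the thread, from HijackThis or from the helper; it parses a constructed subset of the entries posted in this thread and flags the things a helper looks at first: entries HijackThis marks "(file missing)", O4 autoruns given without an absolute path (such as stsystra.exe), O16 downloaded ActiveX controls and the host they came from, and O23 services whose binary sits under a user profile. The heuristics and the `Finding` structure are assumptions of the example, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of O-section lines copied from the HijackThis
# log posted in this thread (not the complete log).
SAMPLE_HJT = r"""O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O16 - DPF: {7511EAA8-D4A8-411F-B392-F24CAC59CA32} (DSK_LOGIN Control) - https://www.newphysicianlink.org/DSK_LOGINProj1.cab
O23 - Service: ConnectionMonitor - SteelBytes - C:\Documents and Settings\All Users\Desktop\Support\connection_mon\ConnectionMonitor.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                       # "O4 - <body>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(.*?)\] (.*)$")  # registry Run entries
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")       # downloaded program files
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')                    # value starts with a drive letter


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    detail: str    # the item the note refers to (name, path or whole entry)
    note: str      # why it deserves a look


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text: str) -> List[Finding]:
    """Apply a few first-pass heuristics (assumptions of this example) to a log."""
    findings: List[Finding] = []
    for section, body in parse_hjt(text):
        if "(file missing)" in body:
            # HijackThis appends this when the referenced file is not on disk:
            # the entry is dead, and worth noting because something removed the file.
            findings.append(Finding(section, body, "referenced file is missing (dead entry)"))
            continue
        if section == "O4":
            m = RUN_RE.match(body)
            if m and not ABS_PATH_RE.match(m.group(2)):
                findings.append(Finding(section, m.group(1),
                    f"autorun value '{m.group(2)}' has no absolute path; "
                    "Windows resolves it via the search path, so verify which file actually loads"))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlparse(m.group(3)).hostname or "?"
                findings.append(Finding(section, m.group(2),
                    f"downloaded ActiveX control from {host}"))
        elif section == "O23":
            path = body.rsplit(" - ", 1)[-1]
            low = path.lower()
            if "\\documents and settings\\" in low or "\\desktop\\" in low:
                findings.append(Finding(section, path,
                    "service binary runs from a user-writable profile location"))
    return findings


def findings_by_section(text: str) -> dict:
    """Count findings per section, handy for a quick overview of a long log."""
    counts: dict = {}
    for f in triage(text):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section}: {f.detail} -> {f.note}")
```

None of the four findings on this subset is malicious by itself; the point of the pass is to shrink a 7 KB log to the handful of lines a human then checks against the full file list, which is what the helper did here.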




#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 06 March 2010 - 08:41 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 nobrainer

nobrainer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 06 March 2010 - 10:51 PM

It seems to be running better now, thanks. Here is the log:

# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=178f9ae356990640b9fa3f0b62647a00
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-03-07 03:47:27
# local_time=2010-03-06 09:47:27 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=39935
# found=11
# cleaned=11
# scan_time=1200
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CNY trojan (cleaned by deleting - quarantined) E6C4C4A0B395CA7F7336A18ECA72D8C9 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\156671.exe.vir Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\699252.exe.vir Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\83931.exe.vir Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\93118.exe.vir Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP308\A0030566.exe a variant of Win32/Kryptik.CNY trojan (cleaned by deleting - quarantined) E6C4C4A0B395CA7F7336A18ECA72D8C9 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP310\A0030761.exe a variant of Win32/Kryptik.CNY trojan (cleaned by deleting - quarantined) E6C4C4A0B395CA7F7336A18ECA72D8C9 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP312\A0031064.exe Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP312\A0031065.exe Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP312\A0031066.exe Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP312\A0031067.exe Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
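The ESET log above is short enough to read by eye, but the useful triage question is where the hits were found. The following Python example is added here and is not from the thread or from ESET; it parses the `# key=value` header and the detection lines, classifies each path as ComboFix quarantine (the `C:\Qoobox\Quarantine` tree), a System Restore point (`System Volume Information\_restore...`), or a live location, and collects the unique hashes. It runs on a constructed subset of the lines posted here, with the header counts adjusted to match the subset; the detection-line regex and the location heuristics are assumptions of the example, not ESET's documented format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a few header lines plus four of the detection lines from
# the ESET Online Scanner log posted in this thread (found/cleaned adjusted to
# the size of this subset).
SAMPLE_ESET_LOG = r"""# version=7
# end=finished
# remove_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=39935
# found=4
# cleaned=4
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.CNY trojan (cleaned by deleting - quarantined) E6C4C4A0B395CA7F7336A18ECA72D8C9 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\156671.exe.vir Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP308\A0030566.exe a variant of Win32/Kryptik.CNY trojan (cleaned by deleting - quarantined) E6C4C4A0B395CA7F7336A18ECA72D8C9 C
C:\System Volume Information\_restore{85E33953-71EA-4D8F-95D1-6DC3ABE2B100}\RP312\A0031064.exe Win32/Agent.OSE trojan (cleaned by deleting - quarantined) 7C510B97480D34F60526D6DDA472DB80 C
"""

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
# Paths contain spaces, so anchor on the threat name (family/variant with a slash),
# the bracketed action, the 32-hex-digit MD5 and the trailing flag instead.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+(?: \w+)?) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    md5: str
    flag: str


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Return (header key/values, detection records) for one ESET log."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2)  # a repeated key keeps its last value
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append(Detection(**d.groupdict()))
    return header, detections


def classify_location(path: str) -> str:
    """Where a hit was found decides how much it matters (heuristic of this example)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"      # copies ComboFix already moved out of the way
    if "\\system volume information\\_restore" in p:
        return "system_restore"           # old restore points, not the running system
    return "live"


def summarize(text: str) -> Dict:
    """Counts by location plus the unique hashes, so a helper can see at a glance
    whether anything was still active or everything was already contained."""
    header, detections = parse_eset_log(text)
    by_loc = {"combofix_quarantine": 0, "system_restore": 0, "live": 0}
    hashes: Dict[str, str] = {}
    live_paths: List[str] = []
    for d in detections:
        loc = classify_location(d.path)
        by_loc[loc] += 1
        hashes.setdefault(d.md5, d.threat)
        if loc == "live":
            live_paths.append(d.path)
    return {
        "scanned": int(header.get("scanned", 0)),
        "found": int(header.get("found", 0)),
        "parsed": len(detections),       # should equal "found"; a mismatch means a line the regex missed
        "by_location": by_loc,
        "unique_hashes": hashes,
        "live_paths": live_paths,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ESET_LOG))
```

On the full log in this thread every one of the eleven hits falls in the first two categories, two distinct samples by hash, and nothing in a live location; an empty `live_paths` list is the signal that the earlier cleanup had already done its job.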


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 07 March 2010 - 06:50 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512



#9 nobrainer

nobrainer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:25 PM

Posted 07 March 2010 - 08:23 PM

Everything seems to be working fine now. Thank you so much.



