Google redirecting - possible trojan on second laptop


This topic is locked
21 replies to this topic

#1 isabella_750

  • Members
  • 33 posts

Posted 14 April 2012 - 12:43 PM

Now that my Dell Latitude 620 is cleaned, I am noticing the same google redirecting issues on the IBM Thinkpad T60 that is on the same wireless network. I have run Malwarebytes and SuperAntiSpyware without seeing any issues, but it still is acting like there is something hiding. Please find the DDS log below, and the Attach.txt log attached. I attempted to attach the ark.txt log but it was TOO BIG TO ATTACH.

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 10:09:50 on 2012-04-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.526 [GMT -7:00]
.
FW: McAfee Host Intrusion Prevention Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINNT\system32\IPSSVC.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\WINNT\system32\svchost.exe -k HPService
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer provided by Alcatel-Lucent
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: genesyslab.com
Trusted Zone: lucent.com
Trusted Zone: neolane.net\alu.us
Trusted Zone: taleo.net
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: lucent.com
Trusted Zone: taleo.net
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.disneyphotopass.com/Scripts/ImageUploader7.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BF76567C-4005-45B7-B56E-1E520A8B26EA} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {7WMP_USER - c:\program files\windows media player\cu.exe
mASetup: >{Proxy_IE_FF} - c:\program files\masterconfig\proxy_ie_ff\Proxy_IE_FF.exe
mASetup: >{QIESettings_10} - c:\program files\iesettings_10\currentuser.exe
mASetup: >{RealPlayer_11} - c:\program files\real\realplayer\cu.exe
mASetup: Autoproxy_00 - c:\program files\autoproxy\Proxy.exe
mASetup: Microsoft Office Communicator 2005 - "c:\program files\microsoft office communicator\VERMOC.EXE" /S
mASetup: MSOffice_2003 - c:\program files\microsoft office\office11\cu.EXE
mASetup: NetmeetingConf_10 - c:\winnt\installer\NetmeetingConf.exe
mASetup: OfficeTemplates_10 - c:\program files\microsoft office\templates\alcatel-lucent\Templates.exe
mASetup: PDFCreator_091 - c:\winnt\installer\{0001b4fd-9ea3-4d90-a79e-fd14ba3ab01d}\PDFCreator_CU.EXE
mASetup: QuickTime_76 - c:\winnt\installer\quicktime_76\currentuser.EXE
mASetup: Shockwave11 - c:\winnt\installer\macromedia\currentuser.exe
.
============= SERVICES / DRIVERS ===============
.
R0 01641735;01641735;c:\winnt\system32\drivers\01641735.sys [2012-4-7 133208]
R0 DozeHDD;DozeHDD;c:\winnt\system32\drivers\DOZEHDD.SYS [2011-4-26 24304]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [2010-6-16 20592]
R1 lenovo.smi;Lenovo System Interface Driver;c:\winnt\system32\drivers\smiif32.sys [2011-4-26 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-31 654408]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2012-4-3 131432]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2012-4-3 142696]
R3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [2012-1-31 22344]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\winnt\system32\drivers\NETwLx32.sys [2011-4-26 6609920]
S0 Lbd;Lbd;c:\winnt\system32\drivers\lbd.sys --> c:\winnt\system32\drivers\Lbd.sys [?]
S1 MpKsl9b0c6db2;MpKsl9b0c6db2;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb67f06b-1ef4-4ee6-97ec-d14685693133}\mpksl9b0c6db2.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb67f06b-1ef4-4ee6-97ec-d14685693133}\MpKsl9b0c6db2.sys [?]
S1 MpKslfb37b697;MpKslfb37b697;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9a04b2b5-38ec-4b3c-ad9c-06996f5f99b8}\mpkslfb37b697.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9a04b2b5-38ec-4b3c-ad9c-06996f5f99b8}\MpKslfb37b697.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winnt\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 EEPROMService;EEPROM Service Module;c:\winnt\system32\romserv.exe --> c:\winnt\system32\ROMServ.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-4-26 101736]
S3 AQFileRestore;AQFileRestore;c:\winnt\system32\drivers\aqfilerestore.sys --> c:\winnt\system32\drivers\AQFileRestore.sys [?]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\winnt\system32\drivers\e1k5132.sys [2010-6-7 167080]
S3 HIPK;McAfee Inc. HIPK;c:\winnt\system32\drivers\HIPK.sys [2011-4-26 107960]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\winnt\system32\drivers\HIPPSK.sys [2011-4-26 38680]
S3 HIPQK;McAfee Inc. HIPQK;c:\winnt\system32\drivers\HIPQK.sys [2011-4-26 35552]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\winnt\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winnt\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\winnt\system32\drivers\wpro_40_1040.sys --> c:\winnt\system32\drivers\WPRO_40_1040.sys [?]
S3 YKBKQHC;YKBKQHC;d:\docume~1\lcasale\locals~1\temp\ykbkqhc.exe --> d:\docume~1\lcasale\locals~1\temp\YKBKQHC.exe [?]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
.
=============== Created Last 30 ================
.
2012-04-13 22:36:46 711240 ----a-w- c:\winnt\isRS-000.tmp
2012-04-13 22:34:56 -------- d-----w- d:\documents and settings\administrator\application data\Malwarebytes
2012-04-13 22:24:56 -------- d-----w- d:\documents and settings\administrator\application data\IObit
2012-04-13 22:01:18 -------- d-----w- c:\program files\VS Revo Group
2012-04-13 21:45:06 -------- d-----w- d:\documents and settings\administrator\application data\Avanquest
2012-04-13 21:38:55 -------- d-sh--w- d:\documents and settings\administrator\PrivacIE
2012-04-13 21:36:29 -------- d-sh--w- d:\documents and settings\administrator\IETldCache
2012-04-07 15:59:33 133208 ----a-w- c:\winnt\system32\drivers\01641735.sys
2012-04-07 15:22:46 -------- d-----w- d:\documents and settings\all users\application data\Webroot
2012-04-04 15:45:22 -------- d-----w- d:\documents and settings\all users\application data\IsolatedStorage
2012-04-04 15:43:58 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-04-04 15:43:38 -------- d-----w- d:\documents and settings\all users\application data\White Sky, Inc
2012-04-03 18:19:55 38760 ----a-w- c:\winnt\system32\ibmpmsvc.exe
2012-04-03 18:04:59 -------- d-----w- c:\winnt\system32\(null)
2012-04-03 18:04:49 -------- d-----w- c:\program files\common files\Lenovo
2012-04-03 18:04:33 21376 ----a-w- c:\winnt\system32\drivers\psadd.sys
2012-03-30 20:41:35 -------- dc----w- c:\winnt\ie8
2012-03-30 16:32:36 271704 ----a-r- c:\winnt\system32\hpzids01.dll
2012-03-30 16:31:00 -------- d-----w- c:\program files\common files\HP
2012-03-30 15:24:34 -------- d-----w- c:\program files\Canon
2012-03-30 15:24:32 -------- d-----w- c:\program files\common files\Canon
2012-03-29 18:11:27 -------- d-----w- c:\program files\Xenocode
2012-03-28 23:27:48 98816 ----a-w- c:\winnt\sed.exe
2012-03-28 23:27:48 518144 ----a-w- c:\winnt\SWREG.exe
2012-03-28 23:27:48 256000 ----a-w- c:\winnt\PEV.exe
2012-03-28 23:27:48 208896 ----a-w- c:\winnt\MBR.exe
2012-03-23 19:18:57 -------- d-----w- c:\program files\Amazon
2012-03-16 19:17:54 -------- d-----w- c:\program files\Trend Micro
2012-03-16 19:16:33 -------- d-----w- c:\program files\Sophos
2012-03-16 19:15:11 24960 ----a-w- c:\winnt\system32\drivers\pciidex.sys
2012-03-16 19:15:10 96512 ----a-w- c:\winnt\system32\drivers\atapi.sys
2012-03-16 19:15:09 3328 ----a-w- c:\winnt\system32\drivers\pciide.sys
2012-03-16 19:14:39 38784 ----a-w- c:\winnt\system32\drivers\sdvo.sys
2012-03-16 19:14:39 36864 ----a-w- c:\winnt\system32\drivers\tv.sys
2012-03-16 19:14:39 10496 ----a-w- c:\winnt\system32\drivers\lvds.sys
2012-03-16 19:14:38 403328 ----a-w- c:\winnt\system32\iegddis.dll
2012-03-16 19:14:38 401792 ----a-w- c:\winnt\system32\iegd3dg3.dll
2012-03-16 19:14:38 11264 ----a-w- c:\winnt\system32\drivers\analog.sys
2012-03-16 19:14:37 1677440 ----a-w- c:\winnt\system32\drivers\iegdmini.sys
2012-03-16 18:59:01 -------- d-----w- c:\winnt\Downloaded Installations
2012-03-16 18:44:15 -------- d-----w- d:\documents and settings\all users\application data\PC Drivers HeadQuarters
2012-03-16 18:10:02 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2012-04-04 22:56:40 22344 ----a-w- c:\winnt\system32\drivers\mbam.sys
2012-01-31 17:33:47 159608 ----a-w- c:\winnt\system32\mfevtps.exe.f877.deleteme
2012-01-31 17:25:26 14664 ----a-w- c:\winnt\stinger.sys
2012-01-31 17:25:11 159608 ----a-w- c:\winnt\system32\mfevtps.exe.bf11.deleteme
2012-01-23 04:49:38 309320 ----a-w- c:\winnt\system32\drivers\TrufosAlt.sys
.
============= FINISH: 10:10:30.07 ===============
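An added triage example, not part of this thread and not code from DDS or ComboFix: a small Python parser that reads the SERVICES / DRIVERS lines of the log above and flags the entries a malware responder would look at first. The heuristics (an image living in a temp directory, a driver with a numeric-only file name, a boot-start driver whose file date falls within two weeks of the report, and an image the tool could not find on disk) are my own choices, the sample lines are copied from the post, and a hit is a prompt to inspect the file, not a verdict: the MpKsl*.sys entries under Microsoft Antimalware's Definition Updates, for instance, are orphaned service entries that a legitimate product routinely leaves behind.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional

# Service/driver lines in DDS and ComboFix logs take one of these shapes:
#   "R0 name;display;path [2012-4-7 133208]"          DDS: file date and size
#   "R0 name;display;path [4/7/2012 8:59 AM 133208]"  ComboFix: US-style date
#   "S3 name;display;path --> path [?]"                image could not be found
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"\[([^\]]*)\]\s*$")
ISO_DATE_RE = re.compile(r"(\d{4})-(\d{1,2})-(\d{1,2})")
US_DATE_RE = re.compile(r"(\d{1,2})/(\d{1,2})/(\d{4})")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
NUMERIC_SYS_RE = re.compile(r"^\d+\.sys$", re.IGNORECASE)


@dataclass
class ServiceEntry:
    start: str                 # R = running, S = stopped; the digit is the start type, 0 = boot-start
    name: str
    path: str
    file_date: Optional[date]  # None when the tool printed no date (file missing)
    on_disk: bool              # False when the line ends in "[?]"
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for an R*/S* line, or None for any other log line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    meta_match = META_RE.search(rest)
    meta = meta_match.group(1).strip() if meta_match else ""
    path = rest[: meta_match.start()] if meta_match else rest
    if "-->" in path:                        # "short --> resolved [?]": keep the resolved path
        path = path.split("-->", 1)[1]
    path = path.strip().strip('"').replace("\\??\\", "")
    file_date = None
    if (d := ISO_DATE_RE.match(meta)):
        file_date = date(int(d.group(1)), int(d.group(2)), int(d.group(3)))
    elif (d := US_DATE_RE.match(meta)):
        file_date = date(int(d.group(3)), int(d.group(1)), int(d.group(2)))
    return ServiceEntry(m.group("start"), m.group("name").strip(), path, file_date, meta != "?")


def assess(entry: ServiceEntry, report_date: date, recent_days: int = 14) -> ServiceEntry:
    """Attach review reasons to an entry. A reason is a prompt to inspect, not a verdict."""
    fname = entry.path.rsplit("\\", 1)[-1]
    if TEMP_DIR_RE.search(entry.path):
        entry.reasons.append("image lives in a temp directory")
    if NUMERIC_SYS_RE.match(fname):
        entry.reasons.append("driver has a numeric-only name")
    recent_boot_driver = (
        entry.start[1] == "0"
        and entry.file_date is not None
        and 0 <= (report_date - entry.file_date).days <= recent_days
    )
    if recent_boot_driver:
        entry.reasons.append(f"boot-start driver dated within {recent_days} days of the report")
    if not entry.on_disk:
        entry.reasons.append("image not found on disk (orphaned service entry)")
    return entry


def triage(lines: Iterable[str], report_date: date) -> List[ServiceEntry]:
    """Parse every service line and return only the entries with at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is not None and assess(entry, report_date).reasons:
            flagged.append(entry)
    return flagged


# Sample input: lines copied from the DDS "SERVICES / DRIVERS" section posted above.
# DDS was run on 2012-04-14 ("Run by Administrator at 10:09:50 on 2012-04-14").
REPORT_DATE = date(2012, 4, 14)
SAMPLE_LINES = [
    r"R0 01641735;01641735;c:\winnt\system32\drivers\01641735.sys [2012-4-7 133208]",
    r"R0 DozeHDD;DozeHDD;c:\winnt\system32\drivers\DOZEHDD.SYS [2011-4-26 24304]",
    r"R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]",
    r"S0 Lbd;Lbd;c:\winnt\system32\drivers\lbd.sys --> c:\winnt\system32\drivers\Lbd.sys [?]",
    r"S1 MpKsl9b0c6db2;MpKsl9b0c6db2;\??\d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb67f06b-1ef4-4ee6-97ec-d14685693133}\mpksl9b0c6db2.sys --> d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eb67f06b-1ef4-4ee6-97ec-d14685693133}\MpKsl9b0c6db2.sys [?]",
    r"S3 YKBKQHC;YKBKQHC;d:\docume~1\lcasale\locals~1\temp\ykbkqhc.exe --> d:\docume~1\lcasale\locals~1\temp\YKBKQHC.exe [?]",
    "=============== Created Last 30 ================",   # not a service line; skipped
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES, REPORT_DATE):
        print(f"{entry.start} {entry.name}: {entry.path}")
        for reason in entry.reasons:
            print("    -", reason)
```

Run against the sample, the script flags the 01641735 boot-start driver on two counts (numeric name, file dated a week before the report), the YKBKQHC entry for pointing into a user's temp directory, and the Lbd and MpKsl entries only as orphaned. The point of the orphan category is the caveat: it surfaces leftovers from uninstalled or updated security products just as readily as anything hostile, so each hit still needs the file pulled and its signature and hash checked before anything is removed.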


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 April 2012 - 02:53 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#3 isabella_750

  • Topic Starter
  • Members
  • 33 posts

Posted 16 April 2012 - 08:43 AM

Gringo,

Thank you again for helping with this computer. Security Check ran without incident.

Security Check log:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

ESET Online Scanner v3
McAfee Agent
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware
Adobe Flash Player 11.1.102.55
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````

Combofix gave me almost the same responses as the other PC.
1) "You are infected with Rootkit.ZeroAccess!. It has inserted itself into the tcp/ip stack" so I hit "OK"
2) "Rootkit is detected" I hit "OK"
3) "You are infected with Rootkit.ZeroAccess!. It has inserted itself into the tcp/ip stack" I hit "OK"
then I saw a new message I haven't seen on the last PC
4) "[OpenEvent] failed to perform desired action. Error Code 2" I hit "OK"
5) "Rootkit is detected" I hit "OK"
6) Combofix asked to reboot

The log is as follows:

ComboFix 12-04-16.01 - Administrator 04/16/2012 6:29.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.722 [GMT -7:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
FW: McAfee Host Intrusion Prevention Firewall *Enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-13 22:34 . 2012-04-13 22:34 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-13 22:24 . 2012-04-13 22:24 -------- d-----w- d:\documents and settings\Administrator\Application Data\IObit
2012-04-13 22:01 . 2012-04-13 22:01 -------- d-----w- c:\program files\VS Revo Group
2012-04-13 21:45 . 2012-04-13 22:23 -------- d-----w- d:\documents and settings\Administrator\Application Data\Avanquest
2012-04-13 21:38 . 2012-04-13 21:38 -------- d-sh--w- d:\documents and settings\Administrator\PrivacIE
2012-04-13 21:38 . 2012-04-16 13:14 -------- d-----w- d:\documents and settings\Administrator\Application Data\HPAppData
2012-04-13 21:36 . 2012-04-13 21:36 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache
2012-04-09 20:39 . 2012-04-09 20:42 -------- d-----w- d:\documents and settings\lcasale\Application Data\ElevatedDiagnostics
2012-04-07 15:59 . 2012-04-07 20:27 133208 ----a-w- c:\winnt\system32\drivers\01641735.sys
2012-04-07 15:22 . 2012-04-07 15:22 -------- d-----w- d:\documents and settings\All Users\Application Data\Webroot
2012-04-07 15:22 . 2012-04-07 15:22 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\PackageAware
2012-04-04 18:42 . 2012-04-04 18:42 -------- d-----w- d:\documents and settings\lcasale\Application Data\ZoomBrowser EX
2012-04-04 18:42 . 2012-04-04 18:42 -------- d-----w- d:\documents and settings\lcasale\Application Data\CANON INC
2012-04-04 16:44 . 2012-04-04 16:44 -------- d-----w- d:\documents and settings\lcasale\Application Data\comcasttb
2012-04-04 16:38 . 2012-04-04 18:49 -------- d-----w- d:\documents and settings\lcasale\Application Data\CallingID
2012-04-04 15:57 . 2012-04-04 15:57 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ID Vault
2012-04-04 15:57 . 2012-04-04 15:57 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY\Application Data\ID Vault
2012-04-04 15:45 . 2012-04-04 15:45 -------- d-----w- d:\documents and settings\All Users\Application Data\IsolatedStorage
2012-04-04 15:44 . 2012-04-04 15:46 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\ID Vault
2012-04-04 15:44 . 2012-04-04 16:44 -------- d-----w- d:\documents and settings\lcasale\Application Data\ID Vault
2012-04-04 15:43 . 2012-04-04 16:44 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-04-04 15:43 . 2012-04-04 15:43 -------- d-----w- d:\documents and settings\All Users\Application Data\White Sky, Inc
2012-04-03 18:19 . 2011-08-11 18:20 38760 ----a-w- c:\winnt\system32\ibmpmsvc.exe
2012-04-03 18:05 . 2012-04-03 18:05 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\ApplicationHistory
2012-04-03 18:04 . 2012-04-03 18:04 -------- d-----w- c:\winnt\system32\(null)
2012-04-03 18:04 . 2012-04-03 18:20 -------- d-----w- c:\program files\Common Files\Lenovo
2012-04-03 18:04 . 2007-02-19 05:56 21376 ----a-w- c:\winnt\system32\drivers\psadd.sys
2012-03-30 20:41 . 2012-03-30 20:41 -------- dc----w- c:\winnt\ie8
2012-03-30 17:43 . 2012-04-09 17:09 -------- d-----w- d:\documents and settings\lcasale\Application Data\HPAppData
2012-03-30 16:32 . 2008-08-22 12:24 271704 ----a-r- c:\winnt\system32\hpzids01.dll
2012-03-30 16:31 . 2012-03-30 16:31 -------- d-----w- c:\program files\Common Files\HP
2012-03-30 15:24 . 2012-04-13 22:09 -------- d-----w- c:\program files\Canon
2012-03-30 15:24 . 2012-03-30 15:24 -------- d-----w- c:\program files\Common Files\Canon
2012-03-29 18:11 . 2012-03-29 18:11 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\Xenocode
2012-03-29 18:11 . 2012-03-29 18:11 -------- d-----w- c:\program files\Xenocode
2012-03-23 19:19 . 2012-03-23 19:19 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\Amazon
2012-03-23 19:18 . 2012-03-23 19:19 -------- d-----w- c:\program files\Amazon
2012-03-21 14:43 . 2012-03-21 14:44 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2012-01-31 18:40 22344 ----a-w- c:\winnt\system32\drivers\mbam.sys
2012-03-16 19:18 . 2012-03-16 19:17 388096 ----a-r- d:\documents and settings\lcasale\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-31 17:33 . 2012-01-31 17:33 159608 ----a-w- c:\winnt\system32\mfevtps.exe.f877.deleteme
2012-01-31 17:25 . 2012-01-31 17:25 14664 ----a-w- c:\winnt\stinger.sys
2012-01-31 17:25 . 2012-01-31 17:25 159608 ----a-w- c:\winnt\system32\mfevtps.exe.bf11.deleteme
2012-01-23 04:49 . 2012-01-23 04:02 309320 ----a-w- c:\winnt\system32\drivers\TrufosAlt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2011-10-20 101440]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-10-09 3900936]
.
d:\documents and settings\lcasale\Start Menu\Programs\Startup\
_uninst_01641735.lnk - d:\documents and settings\lcasale\Local Settings\temp\_uninst_01641735.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112754840-354624142-596004286-325669\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-699567196-2665597415-1357020569-1004\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-699567196-2665597415-1357020569-500\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-699567196-2665597415-1357020569-500\Scripts\Logoff\0\1]
"Script"=c:\program files\Profile Light\Logoff.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^IPSecClient Icon.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\IPSecClient Icon.lnk
backup=c:\winnt\pss\IPSecClient Icon.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACProfiles]
2009-11-04 10:51 130723 ----a-w- c:\winnt\Installer\ACprofiles.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoAutoScrollUtility]
2011-10-20 17:58 101440 ----a-w- c:\program files\Lenovo\VIRTSCRL\virtscrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
2003-06-20 13:06 118784 ----a-w- c:\winnt\system32\ptipbmf.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2010-11-04 23:29 517480 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 07:11 925696 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 21:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-16 18:14 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-07 13:10 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2010-07-01 18:25 337256 ----a-w- c:\winnt\system32\TpShocks.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McAfeeFramework"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
R0 01641735;01641735;c:\winnt\system32\drivers\01641735.sys [4/7/2012 8:59 AM 133208]
R0 DozeHDD;DozeHDD;c:\winnt\system32\drivers\DOZEHDD.SYS [4/26/2011 8:48 AM 24304]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [6/16/2010 5:44 AM 20592]
R1 lenovo.smi;Lenovo System Interface Driver;c:\winnt\system32\drivers\smiif32.sys [4/26/2011 8:41 AM 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [4/3/2012 11:20 AM 131432]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [4/3/2012 11:20 AM 142696]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\winnt\system32\drivers\NETwLx32.sys [4/26/2011 8:53 AM 6609920]
S0 Lbd;Lbd;c:\winnt\system32\DRIVERS\Lbd.sys --> c:\winnt\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl9b0c6db2;MpKsl9b0c6db2;\??\d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB67F06B-1EF4-4EE6-97EC-D14685693133}\MpKsl9b0c6db2.sys --> d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB67F06B-1EF4-4EE6-97EC-D14685693133}\MpKsl9b0c6db2.sys [?]
S1 MpKslfb37b697;MpKslfb37b697;\??\d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A04B2B5-38EC-4B3C-AD9C-06996F5F99B8}\MpKslfb37b697.sys --> d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A04B2B5-38EC-4B3C-AD9C-06996F5F99B8}\MpKslfb37b697.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winnt\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 EEPROMService;EEPROM Service Module;c:\winnt\system32\ROMServ.exe --> c:\winnt\system32\ROMServ.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [4/26/2011 8:42 AM 101736]
S3 AQFileRestore;AQFileRestore;c:\winnt\system32\DRIVERS\AQFileRestore.sys --> c:\winnt\system32\DRIVERS\AQFileRestore.sys [?]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\winnt\system32\drivers\e1k5132.sys [6/7/2010 7:13 AM 167080]
S3 HIPK;McAfee Inc. HIPK;c:\winnt\system32\drivers\HIPK.sys [4/26/2011 2:38 PM 107960]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\winnt\system32\drivers\HIPPSK.sys [4/26/2011 2:38 PM 38680]
S3 HIPQK;McAfee Inc. HIPQK;c:\winnt\system32\drivers\HIPQK.sys [4/26/2011 2:38 PM 35552]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [1/31/2012 11:40 AM 22344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\winnt\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winnt\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\winnt\system32\drivers\WPRO_40_1040.sys --> c:\winnt\system32\drivers\WPRO_40_1040.sys [?]
S3 YKBKQHC;YKBKQHC;d:\docume~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe --> d:\docume~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe [?]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/31/2012 11:40 AM 654408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Autoproxy_00]
2011-04-05 15:48 126947 ----a-w- c:\program files\Autoproxy\Proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Office Communicator 2005]
2009-11-18 14:07 141824 ----a-w- c:\program files\Microsoft Office Communicator\VERMOC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MSOffice_2003]
2009-07-08 12:13 134027 ----a-w- c:\program files\Microsoft Office\OFFICE11\cu.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\NetmeetingConf_10]
2008-12-12 19:27 126172 ----a-w- c:\winnt\Installer\NetmeetingConf.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OfficeTemplates_10]
2008-05-13 21:32 126348 ----a-w- c:\program files\Microsoft Office\Templates\Alcatel-Lucent\templates.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PDFCreator_091]
2008-02-14 06:49 127508 ----a-w- c:\winnt\Installer\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\PDFCreator_CU.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\QuickTime_76]
2009-09-29 11:59 130900 ----a-w- c:\winnt\Installer\Quicktime_76\currentuser.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Shockwave11]
2009-09-11 11:57 132973 ----a-w- c:\winnt\Installer\MACROMEDIA\currentuser.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7WMP_USER]
2009-04-24 14:55 112948 ----a-w- c:\program files\Windows Media Player\cu.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-2112754840-354624142-596004286-325669Core.job
- d:\documents and settings\lcasale\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-21 14:43]
.
2012-04-14 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-2112754840-354624142-596004286-325669UA.job
- d:\documents and settings\lcasale\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-21 14:43]
.
2012-03-30 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2011-04-26 23:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: genesyslab.com
Trusted Zone: lucent.com
Trusted Zone: neolane.net\alu.us
Trusted Zone: taleo.net
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: lucent.com
Trusted Zone: taleo.net
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.disneyphotopass.com/Scripts/ImageUploader7.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-47601444.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 06:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-699567196-2665597415-1357020569-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,fc,f1,81,33,fa,c7,46,bc,43,58,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,fc,f1,81,33,fa,c7,46,bc,43,58,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2012-04-16 06:35:27
ComboFix-quarantined-files.txt 2012-04-16 13:35
ComboFix2.txt 2012-03-30 19:11
ComboFix3.txt 2012-03-30 18:56
ComboFix4.txt 2012-03-30 18:38
ComboFix5.txt 2012-04-16 13:22
.
Pre-Run: 10,997,161,984 bytes free
Post-Run: 11,026,583,552 bytes free
.
- - End Of File - - 46F0899585419A805A28FDC92230EA05

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 April 2012 - 12:01 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
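Added example, not part of this thread and not code from DDS, ComboFix or TDSSKiller: a small Python triage script that reads the service section of the DDS/ComboFix log posted above (the R0/R1/S2/S3 lines) together with a TDSSKiller report of the kind the steps above ask for, and lists the entries a responder would look at first. The heuristics are my assumptions about what deserves a second look, not verdicts: a service binary running from a Temp directory, an all-digit driver name, a driver loaded from a user-profile path, a binary DDS could not read (shown as [?] instead of a date and size), and every TDSSKiller "detected" line, with the generic UnsignedFile.* notice, which only says the file carries no digital signature, kept apart from named detections. The sample lines are copied from the logs posted in this thread except the `ExampleSvc` line, which is constructed to show how a non-generic verdict is ranked.

```python
"""Triage helper for two log formats seen in this thread: the service
section of a DDS/ComboFix log (lines starting R0..S4) and a TDSSKiller
report. Added example; not code from the thread or from either tool.
Every flag is a reason to look at a file, not a malware verdict."""
import re
from dataclasses import dataclass

# DDS service line: "<state> <name>;<display>;<path> [<date> <size>]"; when
# DDS could not read the file it prints "<path> --> <path> [?]" instead.
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# TDSSKiller result line: "<hh:mm:ss.ffff> <tid> <object> - detected <verdict> (<n>)"
TDSS_DETECTED_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d{4}\s+\d+\s+(?P<name>.+?) - detected (?P<verdict>\S+)")


@dataclass(frozen=True)
class Finding:
    source: str    # "dds" or "tdsskiller"
    name: str      # service/driver name exactly as the log prints it
    severity: str  # "high": inspect first; "info": context only
    reason: str
    line: str


def dds_binary_path(rest: str) -> str:
    """Extract the binary path from the tail of a DDS service line."""
    path = rest.split(" [", 1)[0]          # drop "[date size]" or "[?]"
    if "-->" in path:                      # "<path> --> <path>": keep resolved side
        path = path.split("-->", 1)[1]
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):          # NT object-manager prefix
        path = path[4:]
    return path


def triage_dds_line(line: str) -> list:
    line = line.strip()
    m = DDS_SERVICE_RE.match(line)
    if not m:
        return []
    name, rest = m["name"], m["rest"]
    path = dds_binary_path(rest)
    low = path.lower()
    stem = re.sub(r"\.[a-z0-9]+$", "", low.rsplit("\\", 1)[-1])
    found = []

    def flag(severity, reason):
        found.append(Finding("dds", name, severity, reason, line))

    if "\\temp\\" in low:
        flag("high", "service binary runs from a Temp directory: " + path)
    if stem.isdigit():
        flag("high", "all-digit binary name with no vendor meaning: " + path)
    if "\\documents and settings\\" in low or "\\users\\" in low:
        flag("info", "binary loaded from a user-profile path: " + path)
    if rest.rstrip().endswith("[?]"):
        flag("info", "DDS could not read the file (no date/size): " + path)
    return found


def triage_tdss_line(line: str) -> list:
    line = line.strip()
    m = TDSS_DETECTED_RE.match(line)
    if not m:
        return []
    verdict = m["verdict"]
    # UnsignedFile.* only says the file has no Authenticode signature, which is
    # routine for OEM and third-party software; any other verdict names a
    # specific detection and goes to the top of the list.
    severity = "info" if verdict.startswith("UnsignedFile.") else "high"
    return [Finding("tdsskiller", m["name"], severity,
                    "TDSSKiller verdict " + verdict, line)]


def triage(lines) -> list:
    """Run both parsers over a mixed set of log lines."""
    findings = []
    for line in lines:
        findings.extend(triage_dds_line(line))
        findings.extend(triage_tdss_line(line))
    return findings


def high_severity_names(lines) -> list:
    return sorted({f.name for f in triage(lines) if f.severity == "high"})


# Sample input: lines copied from the DDS and TDSSKiller logs posted in this
# thread, plus one constructed "ExampleSvc" line to show a non-generic verdict.
SAMPLE_LOG = r"""
R0 01641735;01641735;c:\winnt\system32\drivers\01641735.sys [4/7/2012 8:59 AM 133208]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
S1 MpKsl9b0c6db2;MpKsl9b0c6db2;\??\d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB67F06B-1EF4-4EE6-97EC-D14685693133}\MpKsl9b0c6db2.sys --> d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB67F06B-1EF4-4EE6-97EC-D14685693133}\MpKsl9b0c6db2.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 YKBKQHC;YKBKQHC;d:\docume~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe --> d:\docume~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe [?]
10:05:17.0868 0332 EvtEng (959bccdee125bd87d79968878df5e269) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
10:05:17.0915 0332 EvtEng ( UnsignedFile.Multi.Generic ) - warning
10:05:17.0915 0332 EvtEng - detected UnsignedFile.Multi.Generic (1)
10:05:18.0150 0332 Fastfat - ok
10:05:40.0000 0332 ExampleSvc - detected Example.Verdict (1)
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG.splitlines()), key=lambda f: f.severity):
        print(f"[{f.severity:4}] {f.source:10} {f.name}: {f.reason}")
```

Run as-is it prints the high entries first; feed it the full DDS log and TDSSKiller report by piping their lines into `triage()` instead of `SAMPLE_LOG`. The point of the two severities is the one gringo's steps make: a "suspicious" (unsigned) file is skipped by default for a reason, so the script keeps those as context and reserves "high" for named detections and for binaries whose location or name has no legitimate explanation.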

#5 isabella_750

  • Topic Starter
  • Members
  • 33 posts

Posted 16 April 2012 - 12:28 PM

Both TDSSKiller and aswMBR ran without issues. The logs are as follows:

10:04:58.0337 2980 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
10:04:58.0806 2980 ============================================================
10:04:58.0806 2980 Current date / time: 2012/04/16 10:04:58.0806
10:04:58.0806 2980 SystemInfo:
10:04:58.0806 2980
10:04:58.0806 2980 OS Version: 5.1.2600 ServicePack: 3.0
10:04:58.0806 2980 Product type: Workstation
10:04:58.0806 2980 ComputerName: USDALN0L3B2112
10:04:58.0806 2980 UserName: Administrator
10:04:58.0806 2980 Windows directory: C:\WINNT
10:04:58.0806 2980 System windows directory: C:\WINNT
10:04:58.0806 2980 Processor architecture: Intel x86
10:04:58.0806 2980 Number of processors: 2
10:04:58.0806 2980 Page size: 0x1000
10:04:58.0806 2980 Boot type: Normal boot
10:04:58.0806 2980 ============================================================
10:04:59.0212 2980 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1E48, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
10:04:59.0212 2980 \Device\Harddisk0\DR0:
10:04:59.0212 2980 MBR used
10:04:59.0212 2980 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2710011
10:04:59.0228 2980 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x271008F, BlocksNum 0x48B40E1
10:04:59.0290 2980 Initialize success
10:04:59.0290 2980 ============================================================
10:05:08.0900 0332 ============================================================
10:05:08.0900 0332 Scan started
10:05:08.0900 0332 Mode: Manual; SigCheck; TDLFS;
10:05:08.0900 0332 ============================================================
10:05:09.0400 0332 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
10:05:09.0572 0332 !SASCORE - ok
10:05:09.0697 0332 01641735 (186b54479d98e48aee0e9ada4b3c4d31) C:\WINNT\system32\DRIVERS\01641735.sys
10:05:09.0712 0332 01641735 - ok
10:05:09.0728 0332 Abiosdsk - ok
10:05:09.0743 0332 abp480n5 - ok
10:05:09.0790 0332 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINNT\system32\DRIVERS\ACPI.sys
10:05:10.0618 0332 ACPI - ok
10:05:10.0728 0332 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINNT\system32\DRIVERS\ACPIEC.sys
10:05:10.0853 0332 ACPIEC - ok
10:05:10.0884 0332 ADIHdAudAddService (beee84a79710f705864685b05f1bb172) C:\WINNT\system32\drivers\ADIHdAud.sys
10:05:10.0915 0332 ADIHdAudAddService - ok
10:05:10.0931 0332 adpu160m - ok
10:05:10.0962 0332 AEAudioService (358063ab6c1c4173b735525cdfa65f94) C:\WINNT\system32\drivers\AEAudio.sys
10:05:10.0978 0332 AEAudioService - ok
10:05:11.0087 0332 aec (8bed39e3c35d6a489438b8141717a557) C:\WINNT\system32\drivers\aec.sys
10:05:11.0212 0332 aec - ok
10:05:11.0243 0332 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINNT\System32\drivers\afd.sys
10:05:11.0306 0332 AFD - ok
10:05:11.0306 0332 Aha154x - ok
10:05:11.0322 0332 aic78u2 - ok
10:05:11.0337 0332 aic78xx - ok
10:05:11.0368 0332 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINNT\system32\alrsvc.dll
10:05:11.0493 0332 Alerter - ok
10:05:11.0572 0332 ALG (8c515081584a38aa007909cd02020b3d) C:\WINNT\System32\alg.exe
10:05:11.0634 0332 ALG - ok
10:05:11.0650 0332 AliIde - ok
10:05:11.0665 0332 amsint - ok
10:05:11.0697 0332 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINNT\System32\appmgmts.dll
10:05:11.0759 0332 AppMgmt - ok
10:05:11.0759 0332 AQFileRestore - ok
10:05:11.0775 0332 asc - ok
10:05:11.0790 0332 asc3350p - ok
10:05:11.0790 0332 asc3550 - ok
10:05:11.0868 0332 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINNT\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
10:05:11.0884 0332 aspnet_state - ok
10:05:11.0900 0332 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINNT\system32\DRIVERS\asyncmac.sys
10:05:12.0025 0332 AsyncMac - ok
10:05:12.0118 0332 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINNT\system32\DRIVERS\atapi.sys
10:05:12.0243 0332 atapi - ok
10:05:12.0259 0332 Atdisk - ok
10:05:12.0290 0332 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINNT\system32\DRIVERS\atmarpc.sys
10:05:12.0400 0332 Atmarpc - ok
10:05:12.0431 0332 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINNT\system32\DRIVERS\atmeltpm.sys
10:05:12.0462 0332 atmeltpm - ok
10:05:12.0493 0332 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINNT\System32\audiosrv.dll
10:05:12.0618 0332 AudioSrv - ok
10:05:12.0728 0332 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINNT\system32\DRIVERS\audstub.sys
10:05:12.0853 0332 audstub - ok
10:05:12.0884 0332 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINNT\system32\drivers\Beep.sys
10:05:13.0009 0332 Beep - ok
10:05:13.0056 0332 BITS (574738f61fca2935f5265dc4e5691314) C:\WINNT\system32\qmgr.dll
10:05:13.0197 0332 BITS - ok
10:05:13.0290 0332 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINNT\System32\browser.dll
10:05:13.0415 0332 Browser - ok
10:05:13.0431 0332 BTWUSB - ok
10:05:13.0478 0332 catchme - ok
10:05:13.0525 0332 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\drivers\cbidf2k.sys
10:05:13.0650 0332 cbidf2k - ok
10:05:13.0712 0332 CcmExec (a454a9baa25b8c8e76735dd86bd4b017) C:\WINNT\system32\CCM\CcmExec.exe
10:05:13.0775 0332 CcmExec - ok
10:05:13.0853 0332 cd20xrnt - ok
10:05:13.0884 0332 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINNT\system32\drivers\Cdaudio.sys
10:05:14.0009 0332 Cdaudio - ok
10:05:14.0040 0332 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINNT\system32\drivers\Cdfs.sys
10:05:14.0150 0332 Cdfs - ok
10:05:14.0165 0332 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINNT\system32\DRIVERS\cdrom.sys
10:05:14.0290 0332 Cdrom - ok
10:05:14.0306 0332 Changer - ok
10:05:14.0337 0332 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINNT\system32\cisvc.exe
10:05:14.0447 0332 CiSvc - ok
10:05:14.0540 0332 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINNT\system32\clipsrv.exe
10:05:14.0665 0332 ClipSrv - ok
10:05:14.0728 0332 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:05:14.0759 0332 clr_optimization_v2.0.50727_32 - ok
10:05:14.0822 0332 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINNT\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
10:05:14.0837 0332 clr_optimization_v4.0.30319_32 - ok
10:05:14.0931 0332 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINNT\system32\DRIVERS\CmBatt.sys
10:05:15.0056 0332 CmBatt - ok
10:05:15.0056 0332 CmdIde - ok
10:05:15.0087 0332 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINNT\system32\DRIVERS\compbatt.sys
10:05:15.0212 0332 Compbatt - ok
10:05:15.0228 0332 COMSysApp - ok
10:05:15.0228 0332 Cpqarray - ok
10:05:15.0259 0332 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINNT\System32\cryptsvc.dll
10:05:15.0368 0332 CryptSvc - ok
10:05:15.0384 0332 dac2w2k - ok
10:05:15.0400 0332 dac960nt - ok
10:05:15.0447 0332 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINNT\system32\rpcss.dll
10:05:15.0493 0332 DcomLaunch - ok
10:05:15.0587 0332 Dhcp (c51de19619d50cbd03708647aca10e70) C:\WINNT\System32\dhcpcsvc.dll
10:05:15.0618 0332 Dhcp - ok
10:05:15.0681 0332 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINNT\system32\DRIVERS\disk.sys
10:05:15.0806 0332 Disk - ok
10:05:15.0806 0332 dmadmin - ok
10:05:15.0868 0332 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINNT\system32\drivers\dmboot.sys
10:05:16.0009 0332 dmboot - ok
10:05:16.0118 0332 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINNT\system32\drivers\dmio.sys
10:05:16.0243 0332 dmio - ok
10:05:16.0259 0332 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINNT\system32\drivers\dmload.sys
10:05:16.0368 0332 dmload - ok
10:05:16.0400 0332 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINNT\System32\dmserver.dll
10:05:16.0525 0332 dmserver - ok
10:05:16.0556 0332 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINNT\system32\drivers\DMusic.sys
10:05:16.0681 0332 DMusic - ok
10:05:16.0759 0332 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINNT\System32\dnsrslvr.dll
10:05:16.0775 0332 Dnscache - ok
10:05:16.0806 0332 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINNT\System32\dot3svc.dll
10:05:16.0915 0332 Dot3svc - ok
10:05:16.0962 0332 DozeHDD (e00b3ce273b17aee1259c105df5524ca) C:\WINNT\system32\DRIVERS\DozeHDD.sys
10:05:16.0978 0332 DozeHDD - ok
10:05:16.0993 0332 dpti2o - ok
10:05:17.0025 0332 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINNT\system32\drivers\drmkaud.sys
10:05:17.0134 0332 drmkaud - ok
10:05:17.0212 0332 e1express (6de32a9123ef60f9d423e9163af0e305) C:\WINNT\system32\DRIVERS\e1e5132.sys
10:05:17.0228 0332 e1express - ok
10:05:17.0259 0332 e1kexpress (9f7ae949202f0ef6b17dd3cc5c117ad3) C:\WINNT\system32\DRIVERS\e1k5132.sys
10:05:17.0275 0332 e1kexpress - ok
10:05:17.0306 0332 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINNT\System32\eapsvc.dll
10:05:17.0431 0332 EapHost - ok
10:05:17.0462 0332 EEPROMService - ok
10:05:17.0478 0332 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINNT\System32\ersvc.dll
10:05:17.0587 0332 ERSvc - ok
10:05:17.0681 0332 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINNT\system32\services.exe
10:05:17.0681 0332 Eventlog - ok
10:05:17.0728 0332 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINNT\system32\es.dll
10:05:17.0775 0332 EventSystem - ok
10:05:17.0868 0332 EvtEng (959bccdee125bd87d79968878df5e269) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
10:05:17.0915 0332 EvtEng ( UnsignedFile.Multi.Generic ) - warning
10:05:17.0915 0332 EvtEng - detected UnsignedFile.Multi.Generic (1)
10:05:18.0025 0332 Fastfat (38d332a6d56af32635675f132548343e) C:\WINNT\system32\drivers\Fastfat.sys
10:05:18.0150 0332 Fastfat - ok
10:05:18.0197 0332 fasttx2k (5d95724d3c3923449c02be1106657bcd) C:\WINNT\system32\drivers\fasttx2k.sys
10:05:18.0228 0332 fasttx2k - ok
10:05:18.0275 0332 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINNT\System32\shsvcs.dll
10:05:18.0384 0332 FastUserSwitchingCompatibility - ok
10:05:18.0478 0332 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINNT\system32\fxssvc.exe
10:05:18.0603 0332 Fax - ok
10:05:18.0650 0332 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINNT\system32\drivers\Fdc.sys
10:05:18.0775 0332 Fdc - ok
10:05:18.0790 0332 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINNT\system32\drivers\Fips.sys
10:05:18.0915 0332 Fips - ok
10:05:18.0993 0332 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINNT\system32\drivers\Flpydisk.sys
10:05:19.0103 0332 Flpydisk - ok
10:05:19.0134 0332 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINNT\system32\DRIVERS\fltMgr.sys
10:05:19.0243 0332 FltMgr - ok
10:05:19.0290 0332 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINNT\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:05:19.0306 0332 FontCache3.0.0.0 - ok
10:05:19.0337 0332 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINNT\system32\drivers\Fs_Rec.sys
10:05:19.0462 0332 Fs_Rec - ok
10:05:19.0572 0332 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINNT\system32\DRIVERS\ftdisk.sys
10:05:19.0681 0332 Ftdisk - ok
10:05:19.0712 0332 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINNT\system32\DRIVERS\msgpc.sys
10:05:19.0837 0332 Gpc - ok
10:05:19.0868 0332 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINNT\system32\DRIVERS\HDAudBus.sys
10:05:19.0978 0332 HDAudBus - ok
10:05:20.0009 0332 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:05:20.0118 0332 helpsvc - ok
10:05:20.0134 0332 HidServ - ok
10:05:20.0165 0332 HIPK (8a6755326c45f00aed55536db25c8782) C:\WINNT\system32\drivers\HIPK.sys
10:05:20.0181 0332 HIPK - ok
10:05:20.0275 0332 HIPPSK (058c06b52edbc8cb17087da00f612e20) C:\WINNT\system32\drivers\HIPPSK.sys
10:05:20.0275 0332 HIPPSK - ok
10:05:20.0290 0332 HIPQK (7266838c37fe1bbf2b2e03c3be72fb44) C:\WINNT\system32\drivers\HIPQK.sys
10:05:20.0306 0332 HIPQK - ok
10:05:20.0337 0332 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINNT\System32\kmsvc.dll
10:05:20.0462 0332 hkmsvc - ok
10:05:20.0478 0332 hpn - ok
10:05:20.0603 0332 hpqcxs08 (ce0fcec4d4d860f36d972759b11eaf0f) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
10:05:20.0618 0332 hpqcxs08 ( UnsignedFile.Multi.Generic ) - warning
10:05:20.0618 0332 hpqcxs08 - detected UnsignedFile.Multi.Generic (1)
10:05:20.0650 0332 hpqddsvc (7da3211ac63edd90b8eca1ca1abfd43b) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
10:05:20.0665 0332 hpqddsvc ( UnsignedFile.Multi.Generic ) - warning
10:05:20.0665 0332 hpqddsvc - detected UnsignedFile.Multi.Generic (1)
10:05:20.0697 0332 HPSLPSVC (14229263aa19c704e0d6d2e7404a8455) C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
10:05:20.0728 0332 HPSLPSVC ( UnsignedFile.Multi.Generic ) - warning
10:05:20.0728 0332 HPSLPSVC - detected UnsignedFile.Multi.Generic (1)
10:05:20.0837 0332 HSFHWAZL (8e60293c44e3f6f7f09defb60023a37d) C:\WINNT\system32\DRIVERS\HSFHWAZL.sys
10:05:20.0868 0332 HSFHWAZL - ok
10:05:20.0947 0332 HSF_DPV (4c2aab15ad6229134f70e5c950e6185c) C:\WINNT\system32\DRIVERS\HSF_DPV.sys
10:05:21.0040 0332 HSF_DPV - ok
10:05:21.0150 0332 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINNT\system32\Drivers\HTTP.sys
10:05:21.0259 0332 HTTP - ok
10:05:21.0290 0332 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINNT\System32\w3ssl.dll
10:05:21.0415 0332 HTTPFilter - ok
10:05:21.0478 0332 i2omgmt - ok
10:05:21.0493 0332 i2omp - ok
10:05:21.0540 0332 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINNT\system32\DRIVERS\i8042prt.sys
10:05:21.0665 0332 i8042prt - ok
10:05:21.0728 0332 ialm (6fcb904910da07c9dc2593d66438fa29) C:\WINNT\system32\DRIVERS\igxpmp32.sys
10:05:21.0837 0332 ialm - ok
10:05:21.0947 0332 iaStor (71ecc07bc7c5e24c3dd01d8a29a24054) C:\WINNT\system32\drivers\iaStor.sys
10:05:21.0962 0332 iaStor - ok
10:05:21.0993 0332 IBMPMDRV (e3ffc8cb45b3f55264ee10f084b2731b) C:\WINNT\system32\DRIVERS\ibmpmdrv.sys
10:05:22.0009 0332 IBMPMDRV - ok
10:05:22.0025 0332 IBMPMSVC (5565982522ee9d4e8921feb304d4226f) C:\WINNT\system32\ibmpmsvc.exe
10:05:22.0040 0332 IBMPMSVC - ok
10:05:22.0118 0332 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINNT\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:05:22.0165 0332 idsvc - ok
10:05:22.0290 0332 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINNT\system32\DRIVERS\imapi.sys
10:05:22.0415 0332 Imapi - ok
10:05:22.0447 0332 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINNT\system32\imapi.exe
10:05:22.0572 0332 ImapiService - ok
10:05:22.0587 0332 ini910u - ok
10:05:22.0634 0332 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINNT\system32\DRIVERS\intelide.sys
10:05:22.0743 0332 IntelIde - ok
10:05:22.0853 0332 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINNT\system32\DRIVERS\intelppm.sys
10:05:22.0947 0332 intelppm - ok
10:05:22.0993 0332 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINNT\system32\DRIVERS\Ip6Fw.sys
10:05:23.0103 0332 Ip6Fw - ok
10:05:23.0118 0332 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
10:05:23.0243 0332 IpFilterDriver - ok
10:05:23.0259 0332 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINNT\system32\DRIVERS\ipinip.sys
10:05:23.0368 0332 IpInIp - ok
10:05:23.0400 0332 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINNT\system32\DRIVERS\ipnat.sys
10:05:23.0525 0332 IpNat - ok
10:05:23.0618 0332 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINNT\system32\DRIVERS\ipsec.sys
10:05:23.0728 0332 IPSec - ok
10:05:23.0775 0332 IPSSVC (00d8e9daebe72a5df3986fd418a995eb) C:\WINNT\system32\IPSSVC.EXE
10:05:23.0775 0332 IPSSVC - ok
10:05:23.0822 0332 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINNT\system32\DRIVERS\irda.sys
10:05:23.0884 0332 irda - ok
10:05:23.0900 0332 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINNT\system32\DRIVERS\irenum.sys
10:05:23.0962 0332 IRENUM - ok
10:05:23.0993 0332 Irmon (49cc4533ce897cb2e93c1e84a818fde5) C:\WINNT\System32\irmon.dll
10:05:24.0056 0332 Irmon - ok
10:05:24.0165 0332 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINNT\system32\DRIVERS\isapnp.sys
10:05:24.0275 0332 isapnp - ok
10:05:24.0306 0332 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINNT\system32\DRIVERS\kbdclass.sys
10:05:24.0431 0332 Kbdclass - ok
10:05:24.0478 0332 kmixer (692bcf44383d056aed41b045a323d378) C:\WINNT\system32\drivers\kmixer.sys
10:05:24.0587 0332 kmixer - ok
10:05:24.0618 0332 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINNT\system32\drivers\KSecDD.sys
10:05:24.0743 0332 KSecDD - ok
10:05:24.0837 0332 LanmanServer (f385f4b02c535bffe1d70cab80838123) C:\WINNT\System32\srvsvc.dll
10:05:24.0962 0332 LanmanServer - ok
10:05:24.0993 0332 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINNT\System32\wkssvc.dll
10:05:25.0040 0332 lanmanworkstation - ok
10:05:25.0087 0332 Lavasoft Ad-Aware Service - ok
10:05:25.0103 0332 Lavasoft Kernexplorer - ok
10:05:25.0181 0332 Lbd - ok
10:05:25.0197 0332 lbrtfdc - ok
10:05:25.0275 0332 LENOVO.MICMUTE (340288b3b2edc8afd5ff127df85142a7) C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
10:05:25.0290 0332 LENOVO.MICMUTE - ok
10:05:25.0322 0332 lenovo.smi (9aac267a225f3caebb9e633f7eb16e4b) C:\WINNT\system32\DRIVERS\smiif32.sys
10:05:25.0322 0332 lenovo.smi - ok
10:05:25.0415 0332 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINNT\System32\lmhsvc.dll
10:05:25.0540 0332 LmHosts - ok
10:05:25.0603 0332 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINNT\system32\drivers\mbam.sys
10:05:25.0603 0332 MBAMProtector - ok
10:05:25.0712 0332 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
10:05:25.0743 0332 MBAMService - ok
10:05:25.0790 0332 McAfeeFramework (200d973a6ec41d29d9cca21ea75e1edd) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
10:05:25.0790 0332 McAfeeFramework - ok
10:05:25.0931 0332 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINNT\system32\DRIVERS\mdmxsdk.sys
10:05:25.0947 0332 mdmxsdk - ok
10:05:25.0993 0332 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINNT\System32\msgsvc.dll
10:05:26.0103 0332 Messenger - ok
10:05:26.0150 0332 mfeapfk (a8d2c54c2f71f5cba7ca2734341e57e6) C:\WINNT\system32\drivers\mfeapfk.sys
10:05:26.0150 0332 mfeapfk - ok
10:05:26.0181 0332 mfetdik (a42444ec62783035d8fc953b4814aa42) C:\WINNT\system32\drivers\mfetdik.sys
10:05:26.0197 0332 mfetdik - ok
10:05:26.0290 0332 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINNT\system32\drivers\mnmdd.sys
10:05:26.0415 0332 mnmdd - ok
10:05:26.0447 0332 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINNT\system32\mnmsrvc.exe
10:05:26.0556 0332 mnmsrvc - ok
10:05:26.0587 0332 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINNT\system32\drivers\Modem.sys
10:05:26.0697 0332 Modem - ok
10:05:26.0743 0332 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINNT\system32\DRIVERS\mouclass.sys
10:05:26.0853 0332 Mouclass - ok
10:05:26.0962 0332 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINNT\system32\drivers\MountMgr.sys
10:05:27.0056 0332 MountMgr - ok
10:05:27.0134 0332 MpKsl9b0c6db2 - ok
10:05:27.0134 0332 MpKslfb37b697 - ok
10:05:27.0150 0332 mraid35x - ok
10:05:27.0197 0332 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINNT\system32\DRIVERS\mrxdav.sys
10:05:27.0322 0332 MRxDAV - ok
10:05:27.0368 0332 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINNT\system32\DRIVERS\mrxsmb.sys
10:05:27.0431 0332 MRxSmb - ok
10:05:27.0525 0332 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINNT\system32\msdtc.exe
10:05:27.0634 0332 MSDTC - ok
10:05:27.0681 0332 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINNT\system32\drivers\Msfs.sys
10:05:27.0790 0332 Msfs - ok
10:05:27.0806 0332 MSIServer - ok
10:05:27.0837 0332 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINNT\system32\drivers\MSKSSRV.sys
10:05:27.0962 0332 MSKSSRV - ok
10:05:27.0978 0332 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINNT\system32\drivers\MSPCLOCK.sys
10:05:28.0087 0332 MSPCLOCK - ok
10:05:28.0103 0332 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINNT\system32\drivers\MSPQM.sys
10:05:28.0228 0332 MSPQM - ok
10:05:28.0322 0332 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINNT\system32\DRIVERS\mssmbios.sys
10:05:28.0447 0332 mssmbios - ok
10:05:28.0509 0332 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINNT\system32\drivers\Mup.sys
10:05:28.0618 0332 Mup - ok
10:05:28.0665 0332 napagent (0102140028fad045756796e1c685d695) C:\WINNT\System32\qagentrt.dll
10:05:28.0790 0332 napagent - ok
10:05:28.0900 0332 NDIS (1df7f42665c94b825322fae71721130d) C:\WINNT\system32\drivers\NDIS.sys
10:05:29.0025 0332 NDIS - ok
10:05:29.0040 0332 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINNT\system32\DRIVERS\ndistapi.sys
10:05:29.0165 0332 NdisTapi - ok
10:05:29.0181 0332 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINNT\system32\DRIVERS\ndisuio.sys
10:05:29.0290 0332 Ndisuio - ok
10:05:29.0306 0332 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINNT\system32\DRIVERS\ndiswan.sys
10:05:29.0415 0332 NdisWan - ok
10:05:29.0462 0332 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINNT\system32\drivers\NDProxy.sys
10:05:29.0478 0332 NDProxy - ok
10:05:29.0572 0332 Net Driver HPZ12 (a081cb6fb9a12668f233eb5414be3a0e) C:\WINNT\system32\HPZinw12.dll
10:05:29.0603 0332 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
10:05:29.0603 0332 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
10:05:29.0650 0332 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINNT\system32\DRIVERS\netbios.sys
10:05:29.0775 0332 NetBIOS - ok
10:05:29.0806 0332 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINNT\system32\DRIVERS\netbt.sys
10:05:29.0931 0332 NetBT - ok
10:05:30.0025 0332 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINNT\system32\netdde.exe
10:05:30.0118 0332 NetDDE - ok
10:05:30.0134 0332 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINNT\system32\netdde.exe
10:05:30.0228 0332 NetDDEdsdm - ok
10:05:30.0275 0332 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
10:05:30.0400 0332 Netlogon - ok
10:05:30.0431 0332 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINNT\System32\netman.dll
10:05:30.0556 0332 Netman - ok
10:05:30.0618 0332 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINNT\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
10:05:30.0634 0332 NetTcpPortSharing - ok
10:05:30.0915 0332 NETwLx32 (72062b53186e4a3f5fcbc41ebb62b905) C:\WINNT\system32\DRIVERS\NETwLx32.sys
10:05:31.0322 0332 NETwLx32 - ok
10:05:31.0415 0332 Nla (943337d786a56729263071623bbb9de5) C:\WINNT\System32\mswsock.dll
10:05:31.0447 0332 Nla - ok
10:05:31.0493 0332 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINNT\system32\DRIVERS\NMnt.sys
10:05:31.0603 0332 nm - ok
10:05:31.0650 0332 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINNT\system32\drivers\Npfs.sys
10:05:31.0759 0332 Npfs - ok
10:05:31.0806 0332 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINNT\system32\DRIVERS\nscirda.sys
10:05:31.0868 0332 NSCIRDA - ok
10:05:31.0993 0332 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINNT\system32\drivers\Ntfs.sys
10:05:32.0134 0332 Ntfs - ok
10:05:32.0165 0332 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
10:05:32.0275 0332 NtLmSsp - ok
10:05:32.0353 0332 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINNT\system32\ntmssvc.dll
10:05:32.0478 0332 NtmsSvc - ok
10:05:32.0540 0332 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINNT\system32\drivers\Null.sys
10:05:32.0665 0332 Null - ok
10:05:32.0743 0332 nvatabus (94bcac35da19cdea6bb6d15f26c399c0) C:\WINNT\system32\drivers\nvatabus.sys
10:05:32.0775 0332 nvatabus - ok
10:05:32.0806 0332 nvraid (80f0f543e9c780c925770e69e2191e83) C:\WINNT\system32\drivers\nvraid.sys
10:05:32.0822 0332 nvraid - ok
10:05:32.0837 0332 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
10:05:32.0947 0332 NwlnkFlt - ok
10:05:32.0993 0332 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
10:05:33.0103 0332 NwlnkFwd - ok
10:05:33.0165 0332 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINNT\system32\drivers\Parport.sys
10:05:33.0290 0332 Parport - ok
10:05:33.0306 0332 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINNT\system32\drivers\PartMgr.sys
10:05:33.0431 0332 PartMgr - ok
10:05:33.0447 0332 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINNT\system32\drivers\ParVdm.sys
10:05:33.0556 0332 ParVdm - ok
10:05:33.0587 0332 PCI (a219903ccf74233761d92bef471a07b1) C:\WINNT\system32\DRIVERS\pci.sys
10:05:33.0697 0332 PCI - ok
10:05:33.0728 0332 PCIDump - ok
10:05:33.0822 0332 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINNT\system32\DRIVERS\pciide.sys
10:05:33.0915 0332 PCIIde - ok
10:05:33.0931 0332 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINNT\system32\DRIVERS\pcmcia.sys
10:05:34.0040 0332 Pcmcia - ok
10:05:34.0056 0332 PDCOMP - ok
10:05:34.0072 0332 PDFRAME - ok
10:05:34.0072 0332 PDRELI - ok
10:05:34.0087 0332 PDRFRAME - ok
10:05:34.0103 0332 perc2 - ok
10:05:34.0118 0332 perc2hib - ok
10:05:34.0150 0332 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINNT\system32\services.exe
10:05:34.0165 0332 PlugPlay - ok
10:05:34.0212 0332 Pml Driver HPZ12 (65bc271f337637731d3c71455ae1f476) C:\WINNT\system32\HPZipm12.dll
10:05:34.0228 0332 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
10:05:34.0228 0332 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
10:05:34.0306 0332 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
10:05:34.0415 0332 PolicyAgent - ok
10:05:34.0493 0332 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINNT\system32\DRIVERS\raspptp.sys
10:05:34.0618 0332 PptpMiniport - ok
10:05:34.0681 0332 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINNT\system32\CCM\prepdrv.sys
10:05:34.0681 0332 prepdrvr - ok
10:05:34.0775 0332 PROCDD (1d80309fed4babf8ea9e7b84a394348b) C:\WINNT\system32\DRIVERS\PROCDD.SYS
10:05:34.0775 0332 PROCDD - ok
10:05:34.0822 0332 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
10:05:34.0931 0332 ProtectedStorage - ok
10:05:34.0962 0332 psadd (651d3abc1d82d61b6cfb40cb947b3db3) C:\WINNT\system32\DRIVERS\psadd.sys
10:05:34.0978 0332 psadd - ok
10:05:35.0025 0332 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINNT\system32\DRIVERS\ptilink.sys
10:05:35.0118 0332 Ptilink - ok
10:05:35.0181 0332 ql1080 - ok
10:05:35.0212 0332 Ql10wnt - ok
10:05:35.0228 0332 ql12160 - ok
10:05:35.0228 0332 ql1240 - ok
10:05:35.0243 0332 ql1280 - ok
10:05:35.0259 0332 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINNT\system32\DRIVERS\rasacd.sys
10:05:35.0368 0332 RasAcd - ok
10:05:35.0400 0332 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINNT\System32\rasauto.dll
10:05:35.0509 0332 RasAuto - ok
10:05:35.0556 0332 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINNT\system32\DRIVERS\rasirda.sys
10:05:35.0603 0332 Rasirda - ok
10:05:35.0618 0332 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINNT\system32\DRIVERS\rasl2tp.sys
10:05:35.0743 0332 Rasl2tp - ok
10:05:35.0837 0332 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINNT\System32\rasmans.dll
10:05:35.0931 0332 RasMan - ok
10:05:35.0993 0332 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINNT\system32\DRIVERS\raspppoe.sys
10:05:36.0103 0332 RasPppoe - ok
10:05:36.0118 0332 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINNT\system32\DRIVERS\raspti.sys
10:05:36.0228 0332 Raspti - ok
10:05:36.0243 0332 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINNT\system32\DRIVERS\rdbss.sys
10:05:36.0368 0332 Rdbss - ok
10:05:36.0462 0332 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINNT\system32\DRIVERS\RDPCDD.sys
10:05:36.0556 0332 RDPCDD - ok
10:05:36.0618 0332 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINNT\system32\DRIVERS\rdpdr.sys
10:05:36.0728 0332 rdpdr - ok
10:05:36.0759 0332 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINNT\system32\drivers\RDPWD.sys
10:05:36.0884 0332 RDPWD - ok
10:05:36.0978 0332 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINNT\system32\sessmgr.exe
10:05:37.0072 0332 RDSessMgr - ok
10:05:37.0134 0332 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINNT\system32\DRIVERS\redbook.sys
10:05:37.0259 0332 redbook - ok
10:05:37.0290 0332 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINNT\System32\mprdim.dll
10:05:37.0400 0332 RemoteAccess - ok
10:05:37.0493 0332 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINNT\system32\regsvc.dll
10:05:37.0618 0332 RemoteRegistry - ok
10:05:37.0665 0332 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINNT\system32\locator.exe
10:05:37.0759 0332 RpcLocator - ok
10:05:37.0806 0332 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINNT\System32\rpcss.dll
10:05:37.0868 0332 RpcSs - ok
10:05:37.0947 0332 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINNT\system32\rsvp.exe
10:05:38.0056 0332 RSVP - ok
10:05:38.0150 0332 S24EventMonitor (ee326929f9355ffd139fc86ec3cd039d) C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
10:05:38.0243 0332 S24EventMonitor ( UnsignedFile.Multi.Generic ) - warning
10:05:38.0243 0332 S24EventMonitor - detected UnsignedFile.Multi.Generic (1)
10:05:38.0322 0332 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
10:05:38.0431 0332 SamSs - ok
10:05:38.0493 0332 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
10:05:38.0509 0332 SASDIFSV - ok
10:05:38.0540 0332 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
10:05:38.0556 0332 SASKUTIL - ok
10:05:38.0587 0332 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINNT\System32\SCardSvr.exe
10:05:38.0712 0332 SCardSvr - ok
10:05:38.0790 0332 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINNT\system32\schedsvc.dll
10:05:38.0915 0332 Schedule - ok
10:05:38.0962 0332 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINNT\system32\DRIVERS\secdrv.sys
10:05:39.0025 0332 Secdrv - ok
10:05:39.0040 0332 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINNT\System32\seclogon.dll
10:05:39.0150 0332 seclogon - ok
10:05:39.0181 0332 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINNT\system32\sens.dll
10:05:39.0306 0332 SENS - ok
10:05:39.0400 0332 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINNT\system32\DRIVERS\serenum.sys
10:05:39.0493 0332 serenum - ok
10:05:39.0525 0332 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINNT\system32\DRIVERS\serial.sys
10:05:39.0650 0332 Serial - ok
10:05:39.0681 0332 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINNT\system32\drivers\Sfloppy.sys
10:05:39.0790 0332 Sfloppy - ok
10:05:39.0837 0332 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINNT\System32\ipnathlp.dll
10:05:39.0962 0332 SharedAccess - ok
10:05:40.0056 0332 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINNT\System32\shsvcs.dll
10:05:40.0165 0332 ShellHWDetection - ok
10:05:40.0228 0332 Shockprf (bc31655a03d9e9ed6f7116bafb9b38c7) C:\WINNT\system32\DRIVERS\Apsx86.sys
10:05:40.0228 0332 Shockprf - ok
10:05:40.0243 0332 Simbad - ok
10:05:40.0275 0332 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINNT\system32\DRIVERS\smsmdm.sys
10:05:40.0275 0332 smsmdd - ok
10:05:40.0306 0332 smstsmgr - ok
10:05:40.0384 0332 Sparrow - ok
10:05:40.0431 0332 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINNT\system32\drivers\splitter.sys
10:05:40.0556 0332 splitter - ok
10:05:40.0587 0332 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINNT\system32\spoolsv.exe
10:05:40.0697 0332 Spooler - ok
10:05:40.0728 0332 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINNT\system32\DRIVERS\sr.sys
10:05:40.0790 0332 sr - ok
10:05:40.0900 0332 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINNT\system32\srsvc.dll
10:05:40.0962 0332 srservice - ok
10:05:41.0025 0332 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINNT\system32\DRIVERS\srv.sys
10:05:41.0087 0332 Srv - ok
10:05:41.0165 0332 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINNT\System32\ssdpsrv.dll
10:05:41.0212 0332 SSDPSRV - ok
10:05:41.0290 0332 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINNT\system32\DRIVERS\serscan.sys
10:05:41.0384 0332 StillCam - ok
10:05:41.0431 0332 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINNT\system32\wiaservc.dll
10:05:41.0556 0332 stisvc - ok
10:05:41.0665 0332 SUService (c2191c1a5dfed0795e3d3b68905b195b) c:\program files\lenovo\system update\suservice.exe
10:05:41.0665 0332 SUService ( UnsignedFile.Multi.Generic ) - warning
10:05:41.0665 0332 SUService - detected UnsignedFile.Multi.Generic (1)
10:05:41.0759 0332 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINNT\system32\DRIVERS\swenum.sys
10:05:41.0868 0332 swenum - ok
10:05:41.0915 0332 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINNT\system32\drivers\swmidi.sys
10:05:42.0025 0332 swmidi - ok
10:05:42.0040 0332 SwPrv - ok
10:05:42.0040 0332 symc810 - ok
10:05:42.0056 0332 symc8xx - ok
10:05:42.0103 0332 symmpi (ddf9f222929ddcc1f17215fadbdbf2aa) C:\WINNT\system32\drivers\symmpi.sys
10:05:42.0118 0332 symmpi - ok
10:05:42.0134 0332 sym_hi - ok
10:05:42.0150 0332 sym_u3 - ok
10:05:42.0212 0332 SynTP (4f3fa14e8d306005f3f4cb771e806f40) C:\WINNT\system32\DRIVERS\SynTP.sys
10:05:42.0275 0332 SynTP - ok
10:05:42.0400 0332 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINNT\system32\drivers\sysaudio.sys
10:05:42.0509 0332 sysaudio - ok
10:05:42.0587 0332 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINNT\system32\smlogsvc.exe
10:05:42.0697 0332 SysmonLog - ok
10:05:42.0759 0332 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINNT\System32\tapisrv.dll
10:05:42.0884 0332 TapiSrv - ok
10:05:42.0947 0332 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINNT\system32\DRIVERS\tcpip.sys
10:05:42.0978 0332 Tcpip - ok
10:05:43.0072 0332 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINNT\system32\drivers\TDPIPE.sys
10:05:43.0181 0332 TDPIPE - ok
10:05:43.0228 0332 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINNT\system32\drivers\TDTCP.sys
10:05:43.0353 0332 TDTCP - ok
10:05:43.0368 0332 TermDD (88155247177638048422893737429d9e) C:\WINNT\system32\DRIVERS\termdd.sys
10:05:43.0478 0332 TermDD - ok
10:05:43.0525 0332 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINNT\System32\termsrv.dll
10:05:43.0650 0332 TermService - ok
10:05:43.0712 0332 Themes (1926899bf9ffe2602b63074971700412) C:\WINNT\System32\shsvcs.dll
10:05:43.0822 0332 Themes - ok
10:05:43.0915 0332 ThinkVantage Registry Monitor Service (9626746a9b120d2ed537dd8d76278405) C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
10:05:43.0947 0332 ThinkVantage Registry Monitor Service - ok
10:05:44.0009 0332 TosIde - ok
10:05:44.0056 0332 TPDIGIMN (c5dc9e462407b274b504de2aa3220c2e) C:\WINNT\system32\DRIVERS\ApsHM86.sys
10:05:44.0056 0332 TPDIGIMN - ok
10:05:44.0103 0332 TPHDEXLGSVC (4b2f57221e4ca268967eed0c4f2b7726) C:\WINNT\system32\TPHDEXLG.exe
10:05:44.0103 0332 TPHDEXLGSVC - ok
10:05:44.0165 0332 TPHKDRV (8aef2188630f5ecd79ad9abba630630b) C:\WINNT\system32\DRIVERS\TPHKDRV.sys
10:05:44.0197 0332 TPHKDRV - ok
10:05:44.0275 0332 TPHKLOAD (9cd364ecb3a10b24c7cac8ff89993a67) C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
10:05:44.0290 0332 TPHKLOAD - ok
10:05:44.0306 0332 TPHKSVC (c04bb65441913ab621c58a8bd3169b23) C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
10:05:44.0322 0332 TPHKSVC - ok
10:05:44.0353 0332 TpKmpSVC - ok
10:05:44.0415 0332 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINNT\system32\trkwks.dll
10:05:44.0540 0332 TrkWks - ok
10:05:44.0650 0332 TVT Scheduler (e9ea448f1174be4052416b62263ea4ee) C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
10:05:44.0743 0332 TVT Scheduler ( UnsignedFile.Multi.Generic ) - warning
10:05:44.0743 0332 TVT Scheduler - detected UnsignedFile.Multi.Generic (1)
10:05:44.0837 0332 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINNT\system32\drivers\Udfs.sys
10:05:44.0962 0332 Udfs - ok
10:05:44.0962 0332 UIUSys - ok
10:05:44.0978 0332 ultra - ok
10:05:45.0025 0332 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINNT\system32\DRIVERS\update.sys
10:05:45.0134 0332 Update - ok
10:05:45.0181 0332 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINNT\System32\upnphost.dll
10:05:45.0243 0332 upnphost - ok
10:05:45.0322 0332 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINNT\System32\ups.exe
10:05:45.0447 0332 UPS - ok
10:05:45.0509 0332 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINNT\system32\DRIVERS\usbehci.sys
10:05:45.0618 0332 usbehci - ok
10:05:45.0650 0332 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINNT\system32\DRIVERS\usbhub.sys
10:05:45.0775 0332 usbhub - ok
10:05:45.0806 0332 usbprint (a717c8721046828520c9edf31288fc00) C:\WINNT\system32\DRIVERS\usbprint.sys
10:05:45.0931 0332 usbprint - ok
10:05:46.0009 0332 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINNT\system32\DRIVERS\usbscan.sys
10:05:46.0118 0332 usbscan - ok
10:05:46.0150 0332 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
10:05:46.0259 0332 USBSTOR - ok
10:05:46.0290 0332 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINNT\system32\DRIVERS\usbuhci.sys
10:05:46.0400 0332 usbuhci - ok
10:05:46.0431 0332 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINNT\System32\drivers\vga.sys
10:05:46.0540 0332 VgaSave - ok
10:05:46.0556 0332 ViaIde - ok
10:05:46.0587 0332 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINNT\system32\drivers\VolSnap.sys
10:05:46.0681 0332 VolSnap - ok
10:05:46.0759 0332 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINNT\System32\vssvc.exe
10:05:46.0837 0332 VSS - ok
10:05:46.0868 0332 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINNT\system32\w32time.dll
10:05:46.0993 0332 W32Time - ok
10:05:47.0040 0332 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINNT\system32\DRIVERS\wanarp.sys
10:05:47.0150 0332 Wanarp - ok
10:05:47.0243 0332 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINNT\system32\DRIVERS\wdcsam.sys
10:05:47.0259 0332 WDC_SAM - ok
10:05:47.0306 0332 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINNT\system32\Drivers\wdf01000.sys
10:05:47.0337 0332 Wdf01000 - ok
10:05:47.0353 0332 WDICA - ok
10:05:47.0400 0332 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINNT\system32\drivers\wdmaud.sys
10:05:47.0509 0332 wdmaud - ok
10:05:47.0618 0332 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINNT\System32\webclnt.dll
10:05:47.0728 0332 WebClient - ok
10:05:47.0790 0332 winachsf (e17d31cd52dcb7745ac5330eea062d0b) C:\WINNT\system32\DRIVERS\HSF_CNXT.sys
10:05:47.0837 0332 winachsf - ok
10:05:47.0978 0332 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINNT\system32\wbem\WMIsvc.dll
10:05:48.0103 0332 winmgmt - ok
10:05:48.0134 0332 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINNT\system32\MsPMSNSv.dll
10:05:48.0181 0332 WmdmPmSN - ok
10:05:48.0290 0332 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINNT\System32\advapi32.dll
10:05:48.0337 0332 Wmi - ok
10:05:48.0415 0332 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINNT\system32\DRIVERS\wmiacpi.sys
10:05:48.0525 0332 WmiAcpi - ok
10:05:48.0650 0332 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINNT\system32\wbem\wmiapsrv.exe
10:05:48.0759 0332 WmiApSrv - ok
10:05:48.0837 0332 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:05:48.0884 0332 WMPNetworkSvc - ok
10:05:49.0072 0332 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINNT\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
10:05:49.0103 0332 WPFFontCache_v0400 - ok
10:05:49.0197 0332 WPRO_40_1040 - ok
10:05:49.0275 0332 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINNT\System32\drivers\ws2ifsl.sys
10:05:49.0384 0332 WS2IFSL - ok
10:05:49.0415 0332 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINNT\system32\wscsvc.dll
10:05:49.0540 0332 wscsvc - ok
10:05:49.0540 0332 wuauserv - ok
10:05:49.0572 0332 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINNT\system32\DRIVERS\WudfPf.sys
10:05:49.0587 0332 WudfPf - ok
10:05:49.0681 0332 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINNT\system32\DRIVERS\wudfrd.sys
10:05:49.0697 0332 WudfRd - ok
10:05:49.0775 0332 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINNT\System32\WUDFSvc.dll
10:05:49.0775 0332 WudfSvc - ok
10:05:49.0822 0332 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINNT\System32\wzcsvc.dll
10:05:49.0962 0332 WZCSVC - ok
10:05:50.0025 0332 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINNT\System32\xmlprov.dll
10:05:50.0118 0332 xmlprov - ok
10:05:50.0197 0332 YKBKQHC - ok
10:05:50.0228 0332 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:05:50.0540 0332 \Device\Harddisk0\DR0 - ok
10:05:50.0540 0332 Boot (0x1200) (020b47f4fbee82b1dbdad7c706c096a7) \Device\Harddisk0\DR0\Partition0
10:05:50.0540 0332 \Device\Harddisk0\DR0\Partition0 - ok
10:05:50.0540 0332 Boot (0x1200) (732380225aa8093b74c8a1e1dc6fd075) \Device\Harddisk0\DR0\Partition1
10:05:50.0556 0332 \Device\Harddisk0\DR0\Partition1 - ok
10:05:50.0556 0332 ============================================================
10:05:50.0556 0332 Scan finished
10:05:50.0556 0332 ============================================================
10:05:50.0665 2812 Detected object count: 9
10:05:50.0665 2812 Actual detected object count: 9
10:06:11.0072 2812 EvtEng ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0072 2812 EvtEng ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0072 2812 hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0072 2812 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0072 2812 hpqddsvc ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0072 2812 hpqddsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0072 2812 HPSLPSVC ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0072 2812 HPSLPSVC ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0072 2812 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0072 2812 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0072 2812 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0072 2812 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0087 2812 S24EventMonitor ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0087 2812 S24EventMonitor ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0087 2812 SUService ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0087 2812 SUService ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:06:11.0087 2812 TVT Scheduler ( UnsignedFile.Multi.Generic ) - skipped by user
10:06:11.0087 2812 TVT Scheduler ( UnsignedFile.Multi.Generic ) - User select action: Skip

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-16 10:11:06
-----------------------------
10:11:06.009 OS Version: Windows 5.1.2600 Service Pack 3
10:11:06.009 Number of processors: 2 586 0xE08
10:11:06.009 ComputerName: USDALN0L3B2112 UserName: Administrator
10:11:06.212 Initialize success
10:21:01.605 AVAST engine defs: 12041600
10:21:19.513 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
10:21:19.513 Disk 0 Vendor: HTS72106 MC3I Size: 57231MB BusType: 3
10:21:19.544 Disk 0 MBR read successfully
10:21:19.544 Disk 0 MBR scan
10:21:19.591 Disk 0 Windows XP default MBR code
10:21:19.591 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20000 MB offset 63
10:21:19.591 Disk 0 Partition - 00 0F Extended LBA 37224 MB offset 40960080
10:21:19.606 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 37224 MB offset 40960143
10:21:19.606 Disk 0 scanning sectors +117195120
10:21:19.700 Disk 0 scanning C:\WINNT\system32\drivers
10:21:28.044 Service scanning
10:21:45.389 Modules scanning
10:22:01.936 Disk 0 trace - called modules:
10:22:02.483 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
10:22:02.483 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d46030]
10:22:02.499 3 CLASSPNP.SYS[f7640fd7] -> nt!IofCallDriver -> \Device\00000092[0x86d62a28]
10:22:02.499 5 ACPI.sys[f74e7620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86d54028]
10:22:02.655 AVAST engine scan C:\WINNT
10:22:07.812 AVAST engine scan C:\WINNT\system32
10:24:28.755 AVAST engine scan C:\WINNT\system32\drivers
10:24:40.084 AVAST engine scan D:\Documents and Settings\Administrator
10:25:07.569 AVAST engine scan D:\Documents and Settings\All Users
10:25:35.539 Scan finished successfully
10:26:44.759 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\Administrator\Desktop\MBR.dat"
10:26:44.759 The log file has been saved successfully to "D:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

#6 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:36 PM

Posted 16 April 2012 - 08:16 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 isabella_750

  • Topic Starter

  • Members
  • 33 posts
  • Local time:09:36 AM

Posted 17 April 2012 - 09:10 AM

Gringo -

Combofix, initiated by using the CFscript you had me create, was able to complete. The messages I received were similar to the first run:
1) "You are infected with Rootkit.ZeroAccess!. It has inserted itself into the tcp/ip stack" so I hit "OK"
2) "Rootkit is detected" I hit "OK"
3) "You are infected with Rootkit.ZeroAccess!. It has inserted itself into the tcp/ip stack" I hit "OK"
4) "Rootkit is detected" I hit "OK"
5) Combofix asked to reboot
6) Combofix "needs to run a deeper scan"

ComboFix 12-04-16.01 - Administrator 04/17/2012 6:57.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.723 [GMT -7:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Administrator\Desktop\CFScript.txt
FW: McAfee Host Intrusion Prevention Firewall *Enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-16 20:36 . 2012-04-16 20:47 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2012-04-13 22:34 . 2012-04-13 22:34 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2012-04-13 22:24 . 2012-04-13 22:24 -------- d-----w- d:\documents and settings\Administrator\Application Data\IObit
2012-04-13 22:01 . 2012-04-13 22:01 -------- d-----w- c:\program files\VS Revo Group
2012-04-13 21:45 . 2012-04-13 22:23 -------- d-----w- d:\documents and settings\Administrator\Application Data\Avanquest
2012-04-13 21:38 . 2012-04-13 21:38 -------- d-sh--w- d:\documents and settings\Administrator\PrivacIE
2012-04-13 21:38 . 2012-04-16 17:13 -------- d-----w- d:\documents and settings\Administrator\Application Data\HPAppData
2012-04-13 21:36 . 2012-04-13 21:36 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache
2012-04-09 20:39 . 2012-04-09 20:42 -------- d-----w- d:\documents and settings\lcasale\Application Data\ElevatedDiagnostics
2012-04-07 15:59 . 2012-04-07 20:27 133208 ----a-w- c:\winnt\system32\drivers\01641735.sys
2012-04-07 15:22 . 2012-04-07 15:22 -------- d-----w- d:\documents and settings\All Users\Application Data\Webroot
2012-04-07 15:22 . 2012-04-07 15:22 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\PackageAware
2012-04-04 18:42 . 2012-04-04 18:42 -------- d-----w- d:\documents and settings\lcasale\Application Data\ZoomBrowser EX
2012-04-04 18:42 . 2012-04-04 18:42 -------- d-----w- d:\documents and settings\lcasale\Application Data\CANON INC
2012-04-04 16:44 . 2012-04-04 16:44 -------- d-----w- d:\documents and settings\lcasale\Application Data\comcasttb
2012-04-04 16:38 . 2012-04-04 18:49 -------- d-----w- d:\documents and settings\lcasale\Application Data\CallingID
2012-04-04 15:57 . 2012-04-04 15:57 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ID Vault
2012-04-04 15:57 . 2012-04-04 15:57 -------- d-----w- d:\documents and settings\LocalService.NT AUTHORITY\Application Data\ID Vault
2012-04-04 15:45 . 2012-04-04 15:45 -------- d-----w- d:\documents and settings\All Users\Application Data\IsolatedStorage
2012-04-04 15:44 . 2012-04-04 15:46 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\ID Vault
2012-04-04 15:44 . 2012-04-04 16:44 -------- d-----w- d:\documents and settings\lcasale\Application Data\ID Vault
2012-04-04 15:43 . 2012-04-04 16:44 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-04-04 15:43 . 2012-04-04 15:43 -------- d-----w- d:\documents and settings\All Users\Application Data\White Sky, Inc
2012-04-03 18:19 . 2011-08-11 18:20 38760 ----a-w- c:\winnt\system32\ibmpmsvc.exe
2012-04-03 18:05 . 2012-04-03 18:05 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\ApplicationHistory
2012-04-03 18:04 . 2012-04-03 18:04 -------- d-----w- c:\winnt\system32\(null)
2012-04-03 18:04 . 2012-04-03 18:20 -------- d-----w- c:\program files\Common Files\Lenovo
2012-04-03 18:04 . 2007-02-19 05:56 21376 ----a-w- c:\winnt\system32\drivers\psadd.sys
2012-03-30 20:41 . 2012-03-30 20:41 -------- dc----w- c:\winnt\ie8
2012-03-30 17:43 . 2012-04-09 17:09 -------- d-----w- d:\documents and settings\lcasale\Application Data\HPAppData
2012-03-30 16:32 . 2008-08-22 12:24 271704 ----a-r- c:\winnt\system32\hpzids01.dll
2012-03-30 16:31 . 2012-03-30 16:31 -------- d-----w- c:\program files\Common Files\HP
2012-03-30 15:24 . 2012-04-13 22:09 -------- d-----w- c:\program files\Canon
2012-03-30 15:24 . 2012-03-30 15:24 -------- d-----w- c:\program files\Common Files\Canon
2012-03-29 18:11 . 2012-03-29 18:11 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\Xenocode
2012-03-29 18:11 . 2012-03-29 18:11 -------- d-----w- c:\program files\Xenocode
2012-03-23 19:19 . 2012-03-23 19:19 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\Amazon
2012-03-23 19:18 . 2012-03-23 19:19 -------- d-----w- c:\program files\Amazon
2012-03-21 14:43 . 2012-03-21 14:44 -------- d-----w- d:\documents and settings\lcasale\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 22:56 . 2012-01-31 18:40 22344 ----a-w- c:\winnt\system32\drivers\mbam.sys
2012-03-16 19:18 . 2012-03-16 19:17 388096 ----a-r- d:\documents and settings\lcasale\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-31 17:33 . 2012-01-31 17:33 159608 ----a-w- c:\winnt\system32\mfevtps.exe.f877.deleteme
2012-01-31 17:25 . 2012-01-31 17:25 14664 ----a-w- c:\winnt\stinger.sys
2012-01-31 17:25 . 2012-01-31 17:25 159608 ----a-w- c:\winnt\system32\mfevtps.exe.bf11.deleteme
2012-01-23 04:49 . 2012-01-23 04:02 309320 ----a-w- c:\winnt\system32\drivers\TrufosAlt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2011-10-20 101440]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-08 91688]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-10-09 3900936]
.
d:\documents and settings\lcasale\Start Menu\Programs\Startup\
_uninst_01641735.lnk - d:\documents and settings\lcasale\Local Settings\temp\_uninst_01641735.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2112754840-354624142-596004286-325669\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-699567196-2665597415-1357020569-1004\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-699567196-2665597415-1357020569-500\Scripts\Logoff\0\0]
"Script"=KEYBOARD.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-699567196-2665597415-1357020569-500\Scripts\Logoff\0\1]
"Script"=c:\program files\Profile Light\Logoff.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^IPSecClient Icon.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\IPSecClient Icon.lnk
backup=c:\winnt\pss\IPSecClient Icon.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACProfiles]
2009-11-04 10:51 130723 ----a-w- c:\winnt\Installer\ACprofiles.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoAutoScrollUtility]
2011-10-20 17:58 101440 ----a-w- c:\program files\Lenovo\VIRTSCRL\virtscrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ptipbmf]
2003-06-20 13:06 118784 ----a-w- c:\winnt\system32\ptipbmf.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
2010-11-04 23:29 517480 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 07:11 925696 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 21:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-16 18:14 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-06-07 13:10 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2010-07-01 18:25 337256 ----a-w- c:\winnt\system32\TpShocks.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McAfeeFramework"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
.
R0 01641735;01641735;c:\winnt\system32\drivers\01641735.sys [4/7/2012 8:59 AM 133208]
R0 DozeHDD;DozeHDD;c:\winnt\system32\drivers\DOZEHDD.SYS [4/26/2011 8:48 AM 24304]
R0 TPDIGIMN;TPDIGIMN;c:\winnt\system32\drivers\ApsHM86.sys [6/16/2010 5:44 AM 20592]
R1 lenovo.smi;Lenovo System Interface Driver;c:\winnt\system32\drivers\smiif32.sys [4/26/2011 8:41 AM 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [4/3/2012 11:20 AM 131432]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [4/3/2012 11:20 AM 142696]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\winnt\system32\drivers\NETwLx32.sys [4/26/2011 8:53 AM 6609920]
S0 Lbd;Lbd;c:\winnt\system32\DRIVERS\Lbd.sys --> c:\winnt\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl9b0c6db2;MpKsl9b0c6db2;\??\d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB67F06B-1EF4-4EE6-97EC-D14685693133}\MpKsl9b0c6db2.sys --> d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB67F06B-1EF4-4EE6-97EC-D14685693133}\MpKsl9b0c6db2.sys [?]
S1 MpKslfb37b697;MpKslfb37b697;\??\d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A04B2B5-38EC-4B3C-AD9C-06996F5F99B8}\MpKslfb37b697.sys --> d:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9A04B2B5-38EC-4B3C-AD9C-06996F5F99B8}\MpKslfb37b697.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winnt\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 EEPROMService;EEPROM Service Module;c:\winnt\system32\ROMServ.exe --> c:\winnt\system32\ROMServ.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [4/26/2011 8:42 AM 101736]
S3 AQFileRestore;AQFileRestore;c:\winnt\system32\DRIVERS\AQFileRestore.sys --> c:\winnt\system32\DRIVERS\AQFileRestore.sys [?]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\winnt\system32\drivers\e1k5132.sys [6/7/2010 7:13 AM 167080]
S3 HIPK;McAfee Inc. HIPK;c:\winnt\system32\drivers\HIPK.sys [4/26/2011 2:38 PM 107960]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\winnt\system32\drivers\HIPPSK.sys [4/26/2011 2:38 PM 38680]
S3 HIPQK;McAfee Inc. HIPQK;c:\winnt\system32\drivers\HIPQK.sys [4/26/2011 2:38 PM 35552]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [1/31/2012 11:40 AM 22344]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\winnt\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winnt\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S3 WPRO_40_1040;WinPcap Packet Driver (WPRO_40_1040);c:\winnt\system32\drivers\WPRO_40_1040.sys --> c:\winnt\system32\drivers\WPRO_40_1040.sys [?]
S3 YKBKQHC;YKBKQHC;d:\docume~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe --> d:\docume~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe [?]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/31/2012 11:40 AM 654408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Autoproxy_00]
2011-04-05 15:48 126947 ----a-w- c:\program files\Autoproxy\Proxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Microsoft Office Communicator 2005]
2009-11-18 14:07 141824 ----a-w- c:\program files\Microsoft Office Communicator\VERMOC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MSOffice_2003]
2009-07-08 12:13 134027 ----a-w- c:\program files\Microsoft Office\OFFICE11\cu.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\NetmeetingConf_10]
2008-12-12 19:27 126172 ----a-w- c:\winnt\Installer\NetmeetingConf.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\OfficeTemplates_10]
2008-05-13 21:32 126348 ----a-w- c:\program files\Microsoft Office\Templates\Alcatel-Lucent\templates.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PDFCreator_091]
2008-02-14 06:49 127508 ----a-w- c:\winnt\Installer\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}\PDFCreator_CU.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\QuickTime_76]
2009-09-29 11:59 130900 ----a-w- c:\winnt\Installer\Quicktime_76\currentuser.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Shockwave11]
2009-09-11 11:57 132973 ----a-w- c:\winnt\Installer\MACROMEDIA\currentuser.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7WMP_USER]
2009-04-24 14:55 112948 ----a-w- c:\program files\Windows Media Player\cu.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-17 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-2112754840-354624142-596004286-325669Core.job
- d:\documents and settings\lcasale\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-21 14:43]
.
2012-04-17 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-2112754840-354624142-596004286-325669UA.job
- d:\documents and settings\lcasale\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-21 14:43]
.
2012-03-30 c:\winnt\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2011-04-26 23:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: genesyslab.com
Trusted Zone: lucent.com
Trusted Zone: neolane.net\alu.us
Trusted Zone: taleo.net
Trusted Zone: alcatel-lucent.com
Trusted Zone: alcatel-lucent.de
Trusted Zone: alcatel-lucent.fr
Trusted Zone: alcatel.com
Trusted Zone: alcatel.de
Trusted Zone: alcatel.fr
Trusted Zone: automation.local
Trusted Zone: frillslib01
Trusted Zone: frmeus0dvp01
Trusted Zone: lucent.com
Trusted Zone: taleo.net
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} - hxxp://www.disneyphotopass.com/Scripts/ImageUploader7.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-17 07:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-699567196-2665597415-1357020569-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,fc,f1,81,33,fa,c7,46,bc,43,58,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,fc,f1,81,33,fa,c7,46,bc,43,58,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2012-04-17 07:02:55
ComboFix-quarantined-files.txt 2012-04-17 14:02
ComboFix2.txt 2012-04-16 13:35
ComboFix3.txt 2012-03-30 19:11
ComboFix4.txt 2012-03-30 18:56
ComboFix5.txt 2012-04-17 13:50
.
Pre-Run: 11,028,348,928 bytes free
Post-Run: 11,020,513,280 bytes free
.
- - End Of File - - A0EDE57C3E21A67A11DB990C2B44F6FE

I am also getting a strange application error message every once in a while using IE. It will actually cause IE to crash and close. "Instruction at 0x000(some number I didn't catch) referenced memory at 0x000(same number). The memory could not be written". Just thought you should know.

Liz

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 17 April 2012 - 12:57 PM

Hello


are you still getting redirected?


I want you to push the fixit button here and see if IE still crashes - http://support.microsoft.com/kb/923737


Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

JRE_16x


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 17 April 2012 - 12:57 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 isabella_750 (Topic Starter)

Posted 17 April 2012 - 01:47 PM

Gringo -

So I had a couple of problems completing these steps.

Issue 1: The FixIt button you asked me to use came back with "failed to process"
Issue 2: While running Revo Uninstaller to remove JRE_16x the Malwarebytes application opened a window that said "[OpenEvent] Failed to perform desired action. Error Code 2"
Issue 3: At beginning of install of HiJack I got the following window "Please wait while the installer finishes determining your disk space requirements" but it eventually continued

The logs requested are attached:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.17.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: USDALN0L3B2112 [administrator]

Protection: Disabled

4/17/2012 11:25:20 AM
mbam-log-2012-04-17 (11-25-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 249621
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:42:05 AM, on 4/17/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\WINNT\system32\IPSSVC.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: _uninst_01641735.lnk = D:\Documents and Settings\lcasale\Local Settings\temp\_uninst_01641735.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: _uninst_01641735.lnk = D:\Documents and Settings\lcasale\Local Settings\temp\_uninst_01641735.bat (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O15 - Trusted Zone: http://*.alcatel-lucent.com
O15 - Trusted Zone: http://*.alcatel.com
O15 - Trusted Zone: http://*.genesyslab.com
O15 - Trusted Zone: http://*.lucent.com
O15 - Trusted Zone: http://alu.us.neolane.net
O15 - Trusted Zone: http://*.taleo.net
O15 - ProtocolDefaults: 'file' protocol is in Intranet Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in Intranet Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Intranet Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Intranet Zone, should be Internet Zone
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F3DCFC89-8C6E-4052-9176-B7806D188FD5} (Image Uploader Control) - http://www.disneyphotopass.com/Scripts/ImageUploader7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na02.lucent.com
O17 - HKLM\Software\..\Telephony: DomainName = na02.lucent.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na02.lucent.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na02.lucent.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na02.lucent.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: EEPROM Service Module (EEPROMService) - Unknown owner - C:\WINNT\system32\ROMServ.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINNT\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINNT\System32\TPHDEXLG.exe
O23 - Service: Lenovo Hotkey Client Loader (TPHKLOAD) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe (file missing)
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: YKBKQHC - Unknown owner - D:\DOCUME~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe (file missing)

--
End of file - 7526 bytes
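The HijackThis and DDS lines above are read by eye for a handful of tells: an autostart or service whose binary sits under a Temp directory, a "(file missing)" reference, "Unknown owner" on a service, a .bat as a Startup target, a random-looking or digit-tagged file name, and a Startup item attached to the SYSTEM account. The following is an added example that puts that triage into code; it is not HijackThis code and not anything posted by the helper or the topic starter. The heuristics, flag names and scoring are my own choices, and the sample lines are copied from the HijackThis and DDS logs posted in this thread.

```python
"""Heuristic triage of HijackThis / DDS autostart lines.

Added example for this thread: it is not HijackThis code and not something
the Malware Response Team posted. It applies the checks an analyst makes by
eye on an O4/O2/O23 (or DDS R0/S3) line: a binary under a Temp directory, a
'(file missing)' reference, 'Unknown owner', a script as an autostart
target, a random-looking or digit-tagged file name, and a Startup item
bound to the SYSTEM account. A flag means "look here first", not "malware":
vendor names such as TPHKSVC would trip the random-name check too.
"""
import re

# First drive-letter path on the line that ends in an executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^()"\[\]]+?\.(?:exe|dll|sys|bat|cmd|vbs))\b', re.I)
TAG_RE = re.compile(r"^(O\d+|[RS]\d)\b")      # HJT 'O23', DDS 'R0' / 'S3'
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
DIGIT_RUN_RE = re.compile(r"\d{6,}")
VOWELS = set("aeiou")

# Sample input: lines copied from the HijackThis and DDS logs posted in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe",
    r"O4 - S-1-5-18 Startup: _uninst_01641735.lnk = D:\Documents and Settings\lcasale\Local Settings\temp\_uninst_01641735.bat (User 'SYSTEM')",
    r"O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll (file missing)",
    r"O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE",
    r"O23 - Service: YKBKQHC - Unknown owner - D:\DOCUME~1\lcasale\LOCALS~1\Temp\YKBKQHC.exe (file missing)",
    r"R0 01641735;01641735;c:\winnt\system32\drivers\01641735.sys [4/7/2012 8:59 AM 133208]",
]


def flags_for(line):
    """Return the heuristic flags raised by one log line, in a fixed order."""
    flags = []
    m = PATH_RE.search(line)
    path = m.group(1) if m else None
    if path and TEMP_RE.search(path):
        flags.append("temp_path")        # payload staged under a Temp directory
    if "(file missing)" in line:
        flags.append("file_missing")     # orphaned reference, often left behind after a removal
    if "Unknown owner" in line:
        flags.append("unknown_owner")    # service binary carries no vendor string
    if path:
        name = path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if ext.lower() in ("bat", "cmd", "vbs"):
            flags.append("script_autostart")
        if len(stem) >= 6 and stem.isalpha() and not (VOWELS & set(stem.lower())):
            flags.append("random_name")  # e.g. YKBKQHC: product names almost always contain a vowel
        if DIGIT_RUN_RE.search(stem):
            flags.append("digit_run")    # e.g. 01641735: a numeric tag reused across dropped files
    if "(User 'SYSTEM')" in line or " S-1-5-18 " in line:
        flags.append("system_startup")   # per-user Startup item attached to the SYSTEM account
    return flags


def triage(lines):
    """Score every line; most suspicious first, original order kept on ties."""
    findings = []
    for line in lines:
        tag = TAG_RE.match(line)
        path = PATH_RE.search(line)
        flags = flags_for(line)
        findings.append({
            "tag": tag.group(1) if tag else "?",
            "path": path.group(1) if path else None,
            "flags": flags,
            "score": len(flags),
            "raw": line,
        })
    findings.sort(key=lambda f: -f["score"])  # list.sort is stable
    return findings


def related_by_digit_run(findings):
    """Group paths whose file names share a 6+ digit tag. In the posted log the
    Startup script _uninst_01641735.bat and the driver 01641735.sys share one;
    that is the kind of link an analyst wants surfaced rather than hunted for."""
    groups = {}
    for f in findings:
        if f["path"] is None:
            continue
        for tag in set(DIGIT_RUN_RE.findall(f["path"].rsplit("\\", 1)[-1])):
            groups.setdefault(tag, []).append(f["path"])
    return {tag: paths for tag, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    findings = triage(SAMPLE_LINES)
    for f in findings:
        shown = ",".join(f["flags"]) or "-"
        print(f"{f['score']}  {f['tag']:<4} {shown:<50} {f['path']}")
    for tag, paths in related_by_digit_run(findings).items():
        print(f"shared tag {tag}: " + " | ".join(paths))
```

Run as a script it prints the ranked list and then the shared-tag groups. The two entries that come out on top are the SYSTEM-account Startup shortcut pointing at a .bat in a Temp folder and the YKBKQHC service in the same user's Temp folder, with the Lenovo and SUPERAntiSpyware entries at zero. The score only orders what to examine first; the next step for a flagged file is still to check its signer and hash, not to delete it on the strength of a name.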

#10 isabella_750 (Topic Starter)

Posted 17 April 2012 - 02:09 PM

Gringo -

Still getting the same error from Malwarebytes. "[OpenEvent] Failed to perform desired action. Error Code 2" Not sure what I did to make it pop up. I attached a jpg of the window just in case.

Liz


#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 17 April 2012 - 06:08 PM

Uninstall Malwarebytes

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
  • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.


#12 isabella_750 (Topic Starter)

Posted 19 April 2012 - 07:28 AM

Gringo -

I uninstalled and reinstalled Malwarebytes. I am no longer getting the [OpenEvent] error. However, I am still having some issues with IE. I will get an error window that opens asking if I want to stop a script, and then when I say yes IE will lock up and I will have to close the service to close the window. I am also still getting the strange application error message every once in a while using IE. It will actually cause IE to crash and close. "Instruction at 0x000(some number I didn't catch) referenced memory at 0x000(same number). The memory could not be written".

Any ideas?

Liz

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 19 April 2012 - 07:39 AM

Reset IE::

Let's reset IE to see if it helps things out

  • Start Internet Explorer.
  • On the Tools menu, click Internet Options.
  • On the Advanced tab, click Reset
  • put a check mark next to Delete Personal Settings
  • click Reset to confirm
  • when complete click the close button
  • restart IE
    you can go here to see a step by step on how to do this - RESET IE


#14 isabella_750 (Topic Starter)

Posted 19 April 2012 - 12:27 PM

Gringo -

Still having issues with IE. Another Application Error came up - different than before. I have attached a print screen.

Liz


#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 19 April 2012 - 12:30 PM

Hello


I want you to uninstall and then reinstall IE8


To do this you need to uninstall IE 8 first - http://www.wondershare.com/disk-utility/uninstall-internet-explorer.html


then you can go here to reinstall it - http://www.microsoft.com/download/en/details.aspx?id=43


let me know if this fixes IE



gringo