ComboFix 10-10-23.02 - user 10/24/2010 14:36:27.6.2 - x86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\explorer.exe
C:\winlogon.exe
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-09-24 to 2010-10-24 )))))))))))))))))))))))))))))))
.
2010-10-23 17:37 . 2010-02-16 18:20 40328 ----a-w- c:\windows\system32\HIPIS0e011b3.dll
2010-10-22 22:13 . 2010-10-22 22:13 -------- d-----w- C:\_OTL
2010-10-22 21:50 . 2010-10-22 22:41 -------- d-----w- c:\documents and settings\user
2010-10-18 13:59 . 2010-10-18 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-10-16 14:06 . 2010-10-16 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-10-16 05:24 . 2010-10-16 05:24 -------- d-----w- c:\program files\CCleaner
2010-10-15 20:29 . 2010-10-15 20:29 -------- d-----w- C:\2060e3e07a73307b53
2010-10-15 14:46 . 2010-10-15 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-10-15 12:54 . 2010-10-15 12:54 -------- d-----w- c:\documents and settings\userM02\Application Data\Office Genuine Advantage
2010-10-15 02:45 . 2010-10-15 02:45 -------- d-----w- c:\documents and settings\Administrator
2010-10-15 02:40 . 2010-10-15 02:40 -------- d-----w- c:\windows\system32\zh-HK
2010-10-14 23:14 . 2010-10-14 23:14 -------- d-----w- c:\program files\Trend Micro
2010-10-14 23:00 . 2010-10-14 23:00 -------- d-----w- c:\documents and settings\userM02\Local Settings\Application Data\PackageAware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2008-10-21 22:15 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-10-21 22:15 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-10-21 22:15 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-10-21 22:15 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2008-10-21 22:16 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2008-10-21 22:15 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2008-10-21 22:15 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2008-10-21 22:14 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-09 05:22 . 2009-09-16 08:23 136512 ----a-w- c:\windows\system32\KevlarSigs.dll
2010-09-08 15:57 . 2008-10-21 22:14 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2008-10-21 22:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-10-21 22:16 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-10-21 22:15 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-10-21 22:15 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 14:37 . 2010-08-26 14:37 36864 ----a-w- c:\documents and settings\userM02\atwbxdet.dll
2010-08-26 14:37 . 2010-08-26 14:37 0 ----a-w- c:\documents and settings\userM02\webex.tmp
2010-08-26 13:39 . 2008-10-21 22:15 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-18 17:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-10-21 22:14 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-10-21 22:15 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-10-21 22:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2009-09-01 01:07 . 2009-12-19 02:36 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-06-18 13:16 34304 --sh--r- c:\windows\system32\PvLogiciels.dotNetProtector.Runtime.dll
2009-06-18 13:16 626688 --sh--r- c:\windows\system32\PvLogiciels.dotNetProtector.RuntimeAMD64.dll
2009-06-18 13:16 1060864 --sh--r- c:\windows\system32\PvLogiciels.dotNetProtector.RuntimeItanium.dll
2009-06-18 13:16 237568 --sh--r- c:\windows\system32\PvLogiciels.dotNetProtector.RuntimeV1.dll
2009-06-18 13:16 446464 --sh--r- c:\windows\system32\PvLogiciels.dotNetProtector.RuntimeX86.dll
.
------- Sigcheck -------

[-] 2008-04-14 . FF6B814E157F62BC8D37A2DA8E7593F8 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . B0CE284FEBA28AAC71DE4F05268B3CFE . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-16_06.20.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-24 18:18 . 2010-10-24 18:18 16384 c:\windows\temp\Perflib_Perfdata_744.dat
+ 2010-10-24 18:21 . 2010-10-24 18:21 16384 c:\windows\temp\Perflib_Perfdata_57c.dat
- 2010-10-16 04:12 . 2010-10-16 04:12 40866 c:\windows\system32\api_hook_list.dat
+ 2010-10-24 18:21 . 2010-10-24 18:21 40866 c:\windows\system32\api_hook_list.dat
+ 2010-10-16 08:03 . 2010-10-16 08:03 21504 c:\windows\Installer\c89532.msi
+ 2010-10-18 13:56 . 2010-10-18 13:56 75064 c:\windows\Installer\{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}\ProductName.chm.de_D066A77819B7480BA99CC79FB02C9357.exe
+ 2010-10-18 13:56 . 2010-10-18 13:56 75064 c:\windows\Installer\{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}\DriverDetective.pt_6CF114D33913468CBA2AA6967939B819.exe
+ 2010-10-18 13:56 . 2010-10-18 13:56 75064 c:\windows\Installer\{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}\DriverDetective.it_251B66F1CA924E82A1EE29E85D5EC5A1.exe
+ 2010-10-18 13:56 . 2010-10-18 13:56 75064 c:\windows\Installer\{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}\DriverDetective.fr_E1678746353A46E3A9150D3E8B3832B1.exe
+ 2010-10-18 13:56 . 2010-10-18 13:56 75064 c:\windows\Installer\{97BBECCF-B1FD-4010-8D4B-EFC9E3CCEECF}\DriverDetective.es_654C8EA5162D4D4084239A5EDD67F462.exe
+ 2010-10-18 13:58 . 2010-10-18 13:58 73728 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\2ca77d3264fd771c6b6b0b20c5770a28\DriversHQ.DriverDetective.ExceptionLogging.ni.dll
+ 2008-10-22 17:55 . 2010-10-23 17:09 106496 c:\windows\Installer\{90A54C33-C3FB-416C-B4BE-1AD893DE0007}\Icon90A54C331.exe
- 2008-10-22 17:55 . 2009-11-11 14:45 106496 c:\windows\Installer\{90A54C33-C3FB-416C-B4BE-1AD893DE0007}\Icon90A54C331.exe
+ 2010-10-18 13:58 . 2010-10-18 13:58 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\XPBurnComponent\22d7e624156e58654e1575dadd595360\XPBurnComponent.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 309248 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\d858baffc46e529458ddcf43080dcd07\Microsoft.Practices.EnterpriseLibrary.Common.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 303616 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\3b1b05fce56410012e194a6b6abbc7b3\Microsoft.Practices.ObjectBuilder.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 148992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Practices#\2b74ddc93944c01a9eb0a417e7dd5187\Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 230912 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\c607110447058880d0ed2737307e3b59\Microsoft.ApplicationBlocks.Updater.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.WUApiLib\819777343d1e292a4e022ed3986d37bb\Interop.WUApiLib.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 378880 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\dd14fec14370e04c8a7095aa050de25b\DriversHQ.DriverDetective.Client.Communication.ni.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 334336 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\9fa42497291470eb3423c467165ac4a9\DriversHQ.DriverDetective.Common.ni.dll
- 2009-06-15 07:27 . 2009-06-15 07:27 1683456 c:\windows\system32\htmlres115_en.dll
+ 2008-11-27 06:42 . 2008-11-27 06:42 1683456 c:\windows\system32\htmlres115_en.dll
+ 2007-05-15 20:58 . 2007-05-15 20:58 1402504 c:\windows\Downloaded Program Files\InstallLP.dll
+ 2010-10-18 13:58 . 2010-10-18 13:58 4664320 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.DriverDet#\5c339c45a75807cc82708f896e0e08d0\DriversHQ.DriverDetective.Client.ni.exe
+ 2010-10-18 13:58 . 2010-10-18 13:58 1099264 c:\windows\assembly\NativeImages_v2.0.50727_32\DriversHQ.Common\f7981568ce022e9dc8c969ff54bc690d\DriversHQ.Common.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
@="{ba930330-a721-11d3-a7b9-00500464ee16}"
[HKEY_CLASSES_ROOT\CLSID\{ba930330-a721-11d3-a7b9-00500464ee16}]
2007-09-05 17:48 77824 ----a-w- c:\windows\system32\SgeDrse.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
@="{2030D939-54A7-4fea-9B06-49EA77EFC87F}"
[HKEY_CLASSES_ROOT\CLSID\{2030D939-54A7-4fea-9B06-49EA77EFC87F}]
2007-09-05 17:48 77824 ----a-w- c:\windows\system32\SgeDrse.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-13 150040]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-09-08 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-02-16 979104]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-10-07 3077432]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-03 1323008]
"TpShocks"="TpShocks.exe" [2008-06-06 181536]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-31 60192]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2007-09-05 24576]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2007-09-05 245760]
"pSGEState"="c:\program files\Utimaco\Safeguard Easy\pSGEState.exe" [2008-08-08 125952]
"RegTool"="c:\program files\Gemplus\GemSafe Libraries\BIN\RegTool.exe" [2006-10-04 40960]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2004-09-15 24576]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\userM02\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-9-26 344064]
Snagit 9.lnk - c:\program files\TechSmith\Snagit 9\Snagit32.exe [2009-10-15 6287176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-15 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-10-06 19:49 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 19:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2008-06-24 21:31 95496 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 15:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 20:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-879983540-682003330-508785\Scripts\Logon\0\0]
"Script"=\\amer.company.com\sysvol\amer.company.com\scripts\CIT\chkp2p.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetSupport\\NetSupport Manager\\client32.exe"=

R2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [2006-10-04 118784]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 136176]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-06 106496]
R3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [2008-05-30 835584]
R3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-10-06 102400]
R3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\DRIVERS\firehk.sys [2009-06-25 44680]
R3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2008-05-30 155120]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [2009-10-16 45608]
S0 AES-256;AES-256;c:\windows\SYSTEM32\DRIVERS\AES256.SYS [2007-09-05 19712]
S0 SgeFlt;SgeFlt;c:\windows\SYSTEM32\DRIVERS\SGEFLT.SYS [2007-12-11 63488]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-14 19496]
S2 aPodClientService;aPod Client Service;c:\windows\company\_utils\apodclient\apodclientservice11.exe [2008-09-22 45056]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-06 1668344]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-06 98304]
S2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [2010-02-16 1498224]
S2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [2010-02-16 35696]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-02-16 70728]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-09-25 94208]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2008-06-24 12560]
S2 Tether;Tether;c:\program files\Tether\TBService.exe [2010-05-14 49080]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-06 482176]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y5132.sys [2008-07-10 244368]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2008-05-30 26137]
S3 FirehkMP;FirehkMP;c:\windows\system32\DRIVERS\firehk.sys [2009-06-25 44680]
S3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2010-02-16 107896]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2010-02-16 38680]
S3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2010-02-16 35584]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00001111-45A3-4914-4DBA-B25D54854CE3}]
2009-08-28 16:58 142848 ----a-w- c:\windows\company\IETRUS~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08538B4C-105A-4BD5-E8B4-8F0BC1038940}]
2009-07-22 13:38 124928 ----a-w- c:\windows\company\OFFICE~1\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10EFA767-8710-400C-AD8F-88CB6DD5F5C4}]
2006-05-10 15:24 120458 ----a-w- c:\windows\company\OFFICE~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{17599311-A6DA-459A-6493-D3F804FB1AA0}]
2007-06-08 13:52 136253 ----a-w- c:\windows\company\BOXIR2~1.5SP\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1988BFB9-8BC7-4F91-2EA1-721AC254551D}]
2002-04-22 14:56 1305975 ----a-w- c:\windows\company\PHOTOS~1\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1F0A5400-614B-4C41-8DB0-79C45B014F75}]
2005-05-11 21:04 121552 ----a-w- c:\windows\company\NETMEE~1.01\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1FFED32A-26D0-49CC-06AA-30A1355945CD}]
2007-03-12 13:56 120263 ----a-w- c:\windows\company\IEPROX~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2A255F0E-D91A-4644-97A4-0553F1C8A0B5}]
2008-10-28 19:05 120403 ----a-w- c:\windows\company\LenovoFPS\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{363A1B14-2EA2-4CF0-FD8D-CAACBA670BF3}]
2008-08-11 20:14 141312 ----a-w- c:\windows\company\ACROBA~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36563AB8-5AAA-4C6E-72BE-411B5F247109}]
2008-09-16 19:54 124928 ----a-w- c:\windows\company\FLASHA~1\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3AC2D64A-733F-4B78-6C8D-A71005E4D18}]
2009-02-18 18:28 142336 ----a-w- c:\windows\company\JRE160~1.12\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4B9C1B32-D4EF-4453-A5B5-E5AAC3A862C3}]
2009-09-17 13:20 141824 ----a-w- c:\windows\company\FLASHS~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{573DBEA3-5487-4220-E8AA-F870A5D66C7B}]
2007-02-27 18:42 140242 ----a-w- c:\windows\company\FIBERL~1.6\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5D2DE268-1C82-4BD0-539B-A90BD98FDE12}]
2009-08-28 17:59 140800 ----a-w- c:\windows\company\companyI~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5FC4E575-FDA7-4CA9-36A1-E89EBFA5C8F0}]
2008-05-13 18:43 120395 ----a-w- C:\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{620514D4-CAEE-46A6-908C-4ABB2F37CE25}]
2009-07-21 17:59 141312 ----a-w- c:\windows\company\OUTLOO~2.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{625F8360-1E32-4ABB-B8A6-F1FB8FCAF672}]
2006-03-30 13:31 120628 ----a-w- c:\windows\company\Office Communicator 2005 1.0.559\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{64BDDD02-24A3-44E9-A481-4A9F83FCCB74}]
2008-04-16 17:33 142336 ----a-w- c:\windows\company\TOOLBA~1.1\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6C6036C5-CCBF-426B-EFB8-56B22548B74C}]
2006-05-06 15:56 129426 ----a-w- c:\windows\company\PGPCUS~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{751226CF-45A3-4914-4DBA-B25D54854CE3}]
2009-08-28 16:58 142848 ----a-w- c:\windows\company\IETRUS~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7648A138-67EB-4395-CBB3-2C4F1D504F2E}]
2007-11-13 19:01 124928 ----a-w- c:\windows\company\IEPOPU~1.0\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7C7CD628-A712-4F9B-D8BE-FDF36AC6297C}]
2009-06-22 18:28 118991 ----a-w- c:\drivers\APPS\PerUser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A3F41FC6-8282-4c1d-BED5-2582250EC54F}]
2008-04-15 15:19 121183 ----a-w- c:\windows\company\PCODES~1.0F\PerUser.exe
.
Contents of the 'Scheduled Tasks' folder

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-31 23:35]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-31 23:35]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-879983540-682003330-508785Core.job
- c:\documents and settings\userM02\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-07 23:35]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-879983540-682003330-508785UA.job
- c:\documents and settings\userM02\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-07 23:35]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-626771726-2973149853-2108063670-1018Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-23 07:47]

2010-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-626771726-2973149853-2108063670-1018UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-23 07:47]

2010-10-24 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-09-16 05:47]

2010-10-24 c:\windows\Tasks\User_Feed_Synchronization-{7064549A-867A-4424-B1B6-1B44E64DA9AF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://world.company.com
uInternet Settings,ProxyOverride =
Trusted Zone: accenture.com\sms-company
Trusted Zone: accenture.com\sms-company-dev
Trusted Zone: p2l.company.com
Trusted Zone: company.com
Trusted Zone: company.com\*.p2l
Trusted Zone: company.com\pdocs
Trusted Zone: company.com\pdocsstg
Trusted Zone: companyhealthydirections.com
Trusted Zone: webex.com\companyconnect
Trusted Zone: company.com
Trusted Zone: company.com\*.labs
Trusted Zone: company.com\*.pr
Trusted Zone: company.com\*.pri
Trusted Zone: company.com\*.wai
Trusted Zone: company.com\*.war
Trusted Zone: company.com\vanweb.labs
Trusted Zone: company.com\webex
Trusted Zone: p2l.company.com
Trusted Zone: company.com
Trusted Zone: company.com\pdocs
Trusted Zone: company.com\pdocsstg
Trusted Zone: companyhealthydirections.com
TCP: {FF32B4A8-25B0-4458-82EF-80B8BE0F811A} = 208.67.222.222,208.67.220.220
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8D5D65AC-273D-491E-8874-BBB4B63DEA67} - hxxp://ecf.company.com/sites/CUE/_layouts/1033/DSigRes.cab
DPF: {FCADE536-93F5-4577-80A3-E7C32FAC4C7D} - hxxp://qualitycenter/qcbin/Spider10.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-24 14:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(344)
c:\windows\system32\tvt_gina.dll
c:\program files\Lenovo\Client Security Solution\css_gina_plugin.dll
c:\program files\Lenovo\Client Security Solution\css_wait_bar.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\cssdlgpwentry.dll
c:\program files\Lenovo\Client Security Solution\dlganswerprompt.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_strings.dll
c:\windows\system32\IWPDGINA.DLL
c:\program files\Intel\WiFi\bin\LangResources\ENU\SsoGnENU.dll
c:\program files\Lenovo Fingerprint Software\atcssint.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\windows\system32\AFSSClientLib.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\vti.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\windows\system32\FpWinLogonNp.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'lsass.exe'(408)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'csrss.exe'(1952)
c:\program files\NetSupport\NetSupport Manager\pcihooks.dll
c:\windows\system32\HcApi.dll
c:\windows\system32\KevlarSigs.dll
.
Completion time: 2010-10-24 14:49:02
ComboFix-quarantined-files.txt 2010-10-24 18:48
ComboFix2.txt 2010-10-23 18:51
ComboFix3.txt 2010-10-23 00:27
ComboFix4.txt 2010-10-22 23:59
ComboFix5.txt 2010-10-24 18:01

Pre-Run: 98,062,893,056 bytes free
Post-Run: 98,038,317,056 bytes free

- - End Of File - - 7DEAF13463D5723184EDCA5CE54516C4