Author Topic: [Inactive] Win32.Z.Access.c redirects searches (Read 1312 times)

Chromed Shoes · « **on:** March 14, 2012, 02:30:05 PM »

Hello, I have a laptop running windows xp pro that gets redirected when I do a search on the web.
I think this may be due to a stubborn root-kit virus. I ran a scan with TDSS killer which found Win32.z.Access.c as a possible culprit. However every time I reboot my computer to cure the infection it keeps returning.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Run by User at 21:24:57 on 2012-02-14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.131 [GMT -7:00]
.
AV: Spy Sweeper with AntiVirus *Disabled/Updated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Online Armor Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\OAui.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{87C3D374-06BE-42D8-AB4D-A36F02853EEA} : DhcpNameServer = 75.75.76.76 75.75.75.75
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\05bge07v.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\05bge07v.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\user\local settings\application data\robloxversions\version-9d8ee47fdc21422e\NPRobloxProxy.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: Vista-aero: {07b2a769-ed19-4483-87ce-c643914c81bb} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;c:\windows\system32\drivers\SSFS0BB8.sys [2007-9-20 20280]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-15 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-6-15 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-6-15 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-6-15 28232]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-15 136360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-15 66616]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-6-15 1283400]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2007-9-20 3564344]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-15 269480]
S2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-6-15 3505992]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [2011-3-14 20504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-14 40776]
.
=============== Created Last 30 ================
.
2012-02-15 04:19:28   40776   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
.
==================== Find3M ====================
.
2012-02-15 04:13:37   0   --sha-w-   c:\windows\system32\dds_trash_log.cmd
2012-02-15 03:58:39   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2011-12-10 22:24:06   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-21 15:59:50   3095040   ----a-w-   c:\program files\openofficeorg32.msi
2010-05-21 15:58:20   460088   ----a-w-   c:\program files\setup.exe
2005-11-23 02:01:32   174838062   ----a-w-   c:\program files\GP5FULLBK-1.exe
.
============= FINISH: 21:29:08.82 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/20/2007 10:43:20 AM
System Uptime: 2/14/2012 9:12:51 PM (0 hours ago)
Processor: Intel(R) Pentium(R) M processor 1.73GHz | N/A | 795/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 32 GiB total, 24.568 GiB free.
D: is FIXED (NTFS) - 5 GiB total, 1.17 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP342: 2/14/2012 10:04:43 PM - System Checkpoint
RP343: 2/14/2012 9:20:18 PM - System Checkpoint
RP344: 2/14/2012 9:18:14 PM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Avira AntiVir Personal - Free Antivirus
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes Anti-Malware version 1.60.1.1000
mCore
mDriver
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mMHouse
Mozilla Firefox (3.6.16)
mPfMgr
mProSafe
mWlsSafe
mXML
Online Armor 4.0
OpenOffice.org 3.2
PowerDVD
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Roblox for User
Sony USB Mouse
Spy Sweeper
WebFldrs XP
Windows Driver Package - Sony Corporation (SPI) HIDCLASS (08/20/2002 7.0.3.820)
Windows Installer 3.1 (KB893803)
Windows Live ID Sign-in Assistant
.
==== Event Viewer Messages From Past Week ========
.
2/14/2012 9:15:49 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
2/14/2012 9:15:28 PM, error: Service Control Manager [7003] - The Fast User Switching Compatibility service depends on the following nonexistent service: TermService
2/14/2012 9:15:21 PM, error: Service Control Manager [7023] - The World Wide Web Publishing service terminated with the following error: TCP/IP network protocol not installed.
2/14/2012 9:15:21 PM, error: Service Control Manager [7023] - The Simple Mail Transfer Protocol (SMTP) service terminated with the following error: TCP/IP network protocol not installed.
2/14/2012 9:15:21 PM, error: Service Control Manager [7023] - The FTP Publishing service terminated with the following error: TCP/IP network protocol not installed.
2/14/2012 9:15:21 PM, error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector service which failed to start because of the following error: Access is denied.
2/14/2012 9:15:21 PM, error: Service Control Manager [7000] - The WebDav Client Redirector service failed to start due to the following error: Access is denied.
2/14/2012 9:15:21 PM, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: Access is denied.
2/14/2012 9:14:55 PM, error: Service Control Manager [7034] - The Online Armor service terminated unexpectedly. It has done this 1 time(s).
2/14/2012 9:14:03 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
2/14/2012 9:14:02 PM, error: Dhcp [1002] - The IP address lease 192.168.1.106 for the Network Card with network address 0013CE17EE6A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
2/14/2012 9:13:59 PM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 0013CE17EE6A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
2/14/2012 9:13:53 PM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 0013CE17EE6A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
2/14/2012 9:13:33 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
2/14/2012 9:12:53 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
2/14/2012 10:04:38 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
.
==== End Of File ===========================

1972vet · « **Reply #1 on:** March 14, 2012, 02:33:37 PM »

Greetings Chromed Shoes and Welcome to our Forums,

Let's first take a look at the TDSSKiller log that was produced. You did save it, didn't you?

Chromed Shoes · « **Reply #2 on:** March 14, 2012, 02:59:24 PM »

Thanks 1972vet
I believe this is what you requested

21:14:12.0765 1856   TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
21:14:12.0937 1856   ============================================================
21:14:12.0937 1856   Current date / time: 2012/02/14 21:14:12.0937
21:14:12.0937 1856   SystemInfo:
21:14:12.0937 1856
21:14:12.0937 1856   OS Version: 5.1.2600 ServicePack: 2.0
21:14:12.0937 1856   Product type: Workstation
21:14:12.0937 1856   ComputerName: USER-F370A5F1FE
21:14:12.0937 1856   UserName: User
21:14:12.0937 1856   Windows directory: C:\WINDOWS
21:14:12.0937 1856   System windows directory: C:\WINDOWS
21:14:12.0937 1856   Processor architecture: Intel x86
21:14:12.0937 1856   Number of processors: 1
21:14:12.0937 1856   Page size: 0x1000
21:14:12.0937 1856   Boot type: Normal boot
21:14:12.0937 1856   ============================================================
21:14:15.0546 1856   Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:14:15.0546 1856   \Device\Harddisk0\DR0:
21:14:15.0546 1856   MBR used
21:14:15.0546 1856   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xA050CF
21:14:15.0546 1856   \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xA0510E, BlocksNum 0x407C331
21:14:15.0750 1856   Initialize success
21:14:15.0750 1856   ============================================================
21:14:21.0500 1604   ============================================================
21:14:21.0500 1604   Scan started
21:14:21.0500 1604   Mode: Manual;
21:14:21.0500 1604   ============================================================
21:14:21.0781 1604   73279805 - ok
21:14:21.0796 1604   Abiosdsk - ok
21:14:21.0812 1604   abp480n5 - ok
21:14:21.0875 1604   ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:14:21.0875 1604   ACPI - ok
21:14:21.0984 1604   ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:14:21.0984 1604   ACPIEC - ok
21:14:22.0015 1604   adpu160m - ok
21:14:22.0062 1604   aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
21:14:22.0078 1604   aec - ok
21:14:22.0187 1604   AegisP (f498fd605c08404b20a48954c722ff74) C:\WINDOWS\system32\DRIVERS\AegisP.sys
21:14:22.0187 1604   AegisP - ok
21:14:22.0203 1604   AFD - ok
21:14:22.0218 1604   Aha154x - ok
21:14:22.0234 1604   aic78u2 - ok
21:14:22.0250 1604   aic78xx - ok
21:14:22.0281 1604   AliIde - ok
21:14:22.0296 1604   amsint - ok
21:14:22.0375 1604   Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:14:22.0375 1604   Arp1394 - ok
21:14:22.0515 1604   asc - ok
21:14:22.0531 1604   asc3350p - ok
21:14:22.0546 1604   asc3550 - ok
21:14:22.0625 1604   AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:14:22.0625 1604   AsyncMac - ok
21:14:22.0718 1604   atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:14:22.0718 1604   atapi - ok
21:14:22.0812 1604   Atdisk - ok
21:14:22.0875 1604   Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:14:22.0875 1604   Atmarpc - ok
21:14:23.0046 1604   audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:14:23.0046 1604   audstub - ok
21:14:23.0203 1604   avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
21:14:23.0203 1604   avgio - ok
21:14:23.0343 1604   avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
21:14:23.0343 1604   avgntflt - ok
21:14:23.0406 1604   avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
21:14:23.0421 1604   avipbb - ok
21:14:23.0562 1604   Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:14:23.0562 1604   Beep - ok
21:14:23.0765 1604   catchme - ok
21:14:23.0875 1604   cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:14:23.0875 1604   cbidf2k - ok
21:14:23.0937 1604   CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:14:23.0937 1604   CCDECODE - ok
21:14:24.0015 1604   cd20xrnt - ok
21:14:24.0078 1604   Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:14:24.0078 1604   Cdaudio - ok
21:14:24.0140 1604   Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
21:14:24.0140 1604   Cdfs - ok
21:14:24.0281 1604   Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:14:24.0281 1604   Cdrom - ok
21:14:24.0296 1604   Changer - ok
21:14:24.0359 1604   CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:14:24.0359 1604   CmBatt - ok
21:14:24.0500 1604   CmdIde - ok
21:14:24.0562 1604   Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:14:24.0562 1604   Compbatt - ok
21:14:24.0656 1604   Cpqarray - ok
21:14:24.0843 1604   cpuz132 - ok
21:14:24.0937 1604   dac2w2k - ok
21:14:24.0953 1604   dac960nt - ok
21:14:25.0031 1604   Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
21:14:25.0031 1604   Disk - ok
21:14:25.0140 1604   dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
21:14:25.0156 1604   dmboot - ok
21:14:25.0281 1604   dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
21:14:25.0281 1604   dmio - ok
21:14:25.0328 1604   dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:14:25.0328 1604   dmload - ok
21:14:25.0390 1604   DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
21:14:25.0390 1604   DMusic - ok
21:14:25.0437 1604   dpti2o - ok
21:14:25.0468 1604   drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
21:14:25.0484 1604   drmkaud - ok
21:14:25.0562 1604   E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
21:14:25.0562 1604   E100B - ok
21:14:25.0734 1604   Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
21:14:25.0734 1604   Fastfat - ok
21:14:25.0781 1604   Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
21:14:25.0781 1604   Fdc - ok
21:14:25.0921 1604   Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
21:14:25.0921 1604   Fips - ok
21:14:25.0984 1604   Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:14:25.0984 1604   Flpydisk - ok
21:14:26.0125 1604   FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:14:26.0125 1604   FltMgr - ok
21:14:26.0187 1604   Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:14:26.0187 1604   Fs_Rec - ok
21:14:26.0296 1604   Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:14:26.0296 1604   Ftdisk - ok
21:14:26.0359 1604   GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:14:26.0359 1604   GEARAspiWDM - ok
21:14:26.0531 1604   Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:14:26.0531 1604   Gpc - ok
21:14:26.0984 1604   HDAudBus (4f11912e3b579013be7b1628791ebbcd) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:14:27.0000 1604   HDAudBus - ok
21:14:27.0109 1604   HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:14:27.0109 1604   HidUsb - ok
21:14:27.0156 1604   HPFXBULKLEDM (6f98a555acf3c1b68fcc1f50e0fd2091) C:\WINDOWS\system32\drivers\hppcbulkio.sys
21:14:27.0171 1604   HPFXBULKLEDM - ok
21:14:27.0171 1604   hpn - ok
21:14:27.0234 1604   HSFHWAZL (3d812d0de9344bc9bd1a1b8575b883db) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
21:14:27.0250 1604   HSFHWAZL - ok
21:14:27.0421 1604   HSF_DP (0e130bec5a13cf68adaa216ab55a8dff) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
21:14:27.0453 1604   HSF_DP - ok
21:14:27.0593 1604   HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
21:14:27.0609 1604   HTTP - ok
21:14:27.0625 1604   i2omgmt - ok
21:14:27.0640 1604   i2omp - ok
21:14:27.0703 1604   i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:14:27.0718 1604   i8042prt - ok
21:14:27.0906 1604   ialm (0c7b8efc2b1ac4cd62f4e7eafc864b95) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
21:14:27.0921 1604   ialm - ok
21:14:28.0062 1604   Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:14:28.0062 1604   Imapi - ok
21:14:28.0093 1604   ini910u - ok
21:14:28.0343 1604   IntcAzAudAddService (93903ddd430db2fc61cbeeb2be651e9f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:14:28.0562 1604   IntcAzAudAddService - ok
21:14:28.0703 1604   IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:14:28.0703 1604   IntelIde - ok
21:14:28.0765 1604   intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:14:28.0765 1604   intelppm - ok
21:14:28.0875 1604   Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:14:28.0875 1604   Ip6Fw - ok
21:14:28.0937 1604   IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:14:28.0937 1604   IpFilterDriver - ok
21:14:29.0031 1604   IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:14:29.0046 1604   IpInIp - ok
21:14:29.0078 1604   IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:14:29.0093 1604   IpNat - ok
21:14:29.0140 1604   IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:14:29.0140 1604   IPSec - ok
21:14:29.0250 1604   IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:14:29.0250 1604   IRENUM - ok
21:14:29.0312 1604   isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:14:29.0312 1604   isapnp - ok
21:14:29.0437 1604   Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:14:29.0437 1604   Kbdclass - ok
21:14:29.0531 1604   kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
21:14:29.0531 1604   kmixer - ok
21:14:29.0671 1604   KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
21:14:29.0671 1604   KSecDD - ok
21:14:29.0703 1604   lbrtfdc - ok
21:14:29.0781 1604   mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
21:14:29.0781 1604   mdmxsdk - ok
21:14:29.0921 1604   mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:14:29.0921 1604   mnmdd - ok
21:14:29.0984 1604   Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
21:14:29.0984 1604   Modem - ok
21:14:30.0031 1604   Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:14:30.0031 1604   Mouclass - ok
21:14:30.0140 1604   mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:14:30.0156 1604   mouhid - ok
21:14:30.0203 1604   MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
21:14:30.0218 1604   MountMgr - ok
21:14:30.0343 1604   MQAC (db07b0088cdfd20c2a22e675120ede34) C:\WINDOWS\system32\drivers\mqac.sys
21:14:30.0343 1604   MQAC - ok
21:14:30.0359 1604   mraid35x - ok
21:14:30.0421 1604   MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:14:30.0421 1604   MRxDAV - ok
21:14:30.0593 1604   MRxSmb (45128e71c1cdbf2245d834a0192612e1) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:14:30.0609 1604   Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 45128e71c1cdbf2245d834a0192612e1, Fake md5: fee52d7c7a47894003ac1997e06b454d
21:14:30.0609 1604   MRxSmb ( Virus.Win32.ZAccess.c ) - infected
21:14:30.0609 1604   MRxSmb - detected Virus.Win32.ZAccess.c (0)
21:14:30.0734 1604   Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
21:14:30.0734 1604   Msfs - ok
21:14:30.0765 1604   MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:14:30.0781 1604   MSKSSRV - ok
21:14:30.0828 1604   MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:14:30.0843 1604   MSPCLOCK - ok
21:14:30.0937 1604   MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
21:14:30.0953 1604   MSPQM - ok
21:14:31.0000 1604   mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:14:31.0000 1604   mssmbios - ok
21:14:31.0125 1604   MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
21:14:31.0125 1604   MSTEE - ok
21:14:31.0187 1604   Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
21:14:31.0187 1604   Mup - ok
21:14:31.0312 1604   NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:14:31.0312 1604   NABTSFEC - ok
21:14:31.0390 1604   NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
21:14:31.0390 1604   NDIS - ok
21:14:31.0562 1604   NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:14:31.0562 1604   NdisIP - ok
21:14:31.0671 1604   NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:14:31.0671 1604   NdisTapi - ok
21:14:31.0765 1604   Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:14:31.0765 1604   Ndisuio - ok
21:14:31.0875 1604   NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:14:31.0890 1604   NdisWan - ok
21:14:32.0015 1604   NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
21:14:32.0015 1604   NDProxy - ok
21:14:32.0093 1604   NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:14:32.0093 1604   NetBIOS - ok
21:14:32.0203 1604   NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:14:32.0203 1604   NetBT - ok
21:14:32.0328 1604   NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:14:32.0328 1604   NIC1394 - ok
21:14:32.0484 1604   Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
21:14:32.0484 1604   Npfs - ok
21:14:32.0890 1604   Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
21:14:32.0906 1604   Ntfs - ok
21:14:33.0062 1604   Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:14:33.0062 1604   Null - ok
21:14:33.0140 1604   NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:14:33.0140 1604   NwlnkFlt - ok
21:14:33.0250 1604   NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:14:33.0250 1604   NwlnkFwd - ok
21:14:33.0312 1604   NwlnkIpx (79ea3fcda7067977625b3363a2657c80) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
21:14:33.0312 1604   NwlnkIpx - ok
21:14:33.0468 1604   NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
21:14:33.0468 1604   NwlnkNb - ok
21:14:33.0500 1604   NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
21:14:33.0500 1604   NwlnkSpx - ok
21:14:33.0640 1604   NWRDR (03373a79440473062c6f3aedec6a49c8) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
21:14:33.0640 1604   NWRDR - ok
21:14:33.0687 1604   OADevice (f759e5266a91e6a9ab5dd7939c6560b6) C:\WINDOWS\system32\drivers\OADriver.sys
21:14:33.0703 1604   OADevice - ok
21:14:33.0781 1604   OAmon (fe6a66c9614de5e0f3e6b846a699fcae) C:\WINDOWS\system32\drivers\OAmon.sys
21:14:33.0796 1604   OAmon - ok
21:14:33.0843 1604   OAnet (44bff97b3704475194380e563180b64e) C:\WINDOWS\system32\drivers\OAnet.sys
21:14:33.0843 1604   OAnet - ok
21:14:33.0906 1604   ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:14:33.0921 1604   ohci1394 - ok
21:14:34.0046 1604   P1110VID (56ebd7c43be8c9e129d452828c1532d8) C:\WINDOWS\system32\DRIVERS\P1110Vid.sys
21:14:34.0062 1604   P1110VID - ok
21:14:34.0140 1604   Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
21:14:34.0140 1604   Parport - ok
21:14:34.0265 1604   PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
21:14:34.0265 1604   PartMgr - ok
21:14:34.0296 1604   ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:14:34.0296 1604   ParVdm - ok
21:14:34.0328 1604   PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
21:14:34.0328 1604   PCI - ok
21:14:34.0437 1604   PCIDump - ok
21:14:34.0546 1604   PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
21:14:34.0546 1604   PCIIde - ok
21:14:34.0656 1604   Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:14:34.0671 1604   Pcmcia - ok
21:14:34.0687 1604   PDCOMP - ok
21:14:34.0703 1604   PDFRAME - ok
21:14:34.0718 1604   PDRELI - ok
21:14:34.0734 1604   PDRFRAME - ok
21:14:34.0750 1604   perc2 - ok
21:14:34.0765 1604   perc2hib - ok
21:14:34.0859 1604   PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:14:34.0859 1604   PptpMiniport - ok
21:14:34.0906 1604   Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:14:34.0906 1604   Ptilink - ok
21:14:34.0968 1604   ql1080 - ok
21:14:35.0000 1604   Ql10wnt - ok
21:14:35.0015 1604   ql12160 - ok
21:14:35.0031 1604   ql1240 - ok
21:14:35.0046 1604   ql1280 - ok
21:14:35.0062 1604   RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:14:35.0078 1604   RasAcd - ok
21:14:35.0140 1604   Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:14:35.0156 1604   Rasl2tp - ok
21:14:35.0203 1604   RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:14:35.0203 1604   RasPppoe - ok
21:14:35.0218 1604   Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:14:35.0218 1604   Raspti - ok
21:14:35.0281 1604   Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:14:35.0281 1604   Rdbss - ok
21:14:35.0406 1604   RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:14:35.0406 1604   RDPCDD - ok
21:14:35.0500 1604   rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:14:35.0500 1604   rdpdr - ok
21:14:35.0625 1604   RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
21:14:35.0640 1604   RDPWD - ok
21:14:35.0703 1604   redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:14:35.0703 1604   redbook - ok
21:14:35.0875 1604   RMCAST (35e81b908ae4e97fc7bdf4607c516ff4) C:\WINDOWS\system32\drivers\RMCast.sys
21:14:35.0875 1604   RMCAST - ok
21:14:35.0953 1604   s24trans (85a26a3bb748dfd3170cdbf45b0dd7fd) C:\WINDOWS\system32\DRIVERS\s24trans.sys
21:14:35.0968 1604   s24trans - ok
21:14:36.0109 1604   Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:14:36.0109 1604   Secdrv - ok
21:14:36.0171 1604   Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
21:14:36.0171 1604   Serial - ok
21:14:36.0203 1604   Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:14:36.0203 1604   Sfloppy - ok
21:14:36.0234 1604   Simbad - ok
21:14:36.0312 1604   SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:14:36.0312 1604   SLIP - ok
21:14:36.0453 1604   SNC (1a992c8136c015453e82041c35b299da) C:\WINDOWS\system32\DRIVERS\SonyNC.sys
21:14:36.0453 1604   SNC - ok
21:14:36.0484 1604   Sparrow - ok
21:14:36.0562 1604   splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
21:14:36.0562 1604   splitter - ok
21:14:36.0687 1604   sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
21:14:36.0687 1604   sr - ok
21:14:36.0765 1604   Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
21:14:36.0781 1604   Srv - ok
21:14:36.0890 1604   SSFS0BB8 (f84aaedb24fcad0459da04831ce88c79) C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
21:14:36.0890 1604   SSFS0BB8 - ok
21:14:36.0937 1604   SSHRMD (c72d348c59ed1c144ee0a1fa128a3f91) C:\WINDOWS\system32\Drivers\SSHRMD.SYS
21:14:36.0937 1604   SSHRMD - ok
21:14:37.0046 1604   SSIDRV (fa3a35407d3490782f2caf9d0ca6228f) C:\WINDOWS\system32\Drivers\SSIDRV.SYS
21:14:37.0062 1604   SSIDRV - ok
21:14:37.0093 1604   SSKBFD (1447d27bc0bed901054bef361c5bacde) C:\WINDOWS\system32\Drivers\sskbfd.sys
21:14:37.0093 1604   SSKBFD - ok
21:14:37.0156 1604   ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
21:14:37.0156 1604   ssmdrv - ok
21:14:37.0312 1604   streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:14:37.0312 1604   streamip - ok
21:14:37.0359 1604   swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:14:37.0375 1604   swenum - ok
21:14:37.0531 1604   swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
21:14:37.0546 1604   swmidi - ok
21:14:37.0609 1604   symc810 - ok
21:14:37.0640 1604   symc8xx - ok
21:14:37.0656 1604   sym_hi - ok
21:14:37.0671 1604   sym_u3 - ok
21:14:37.0734 1604   sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
21:14:37.0734 1604   sysaudio - ok
21:14:37.0921 1604   Tcpip (09eb23a4567bdd56d9580a059e616e23) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:14:37.0921 1604   Tcpip - ok
21:14:38.0062 1604   Tcpip6 (4d58bb1ae8841aafd8790ad7e1e3b8ea) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
21:14:38.0078 1604   Tcpip6 - ok
21:14:38.0109 1604   TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:14:38.0109 1604   TDPIPE - ok
21:14:38.0234 1604   TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
21:14:38.0234 1604   TDTCP - ok
21:14:38.0296 1604   TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:14:38.0296 1604   TermDD - ok
21:14:38.0437 1604   tifmsony (fb481e8cd426d0e5f96a838a47390c94) C:\WINDOWS\system32\drivers\tifmsony.sys
21:14:38.0437 1604   tifmsony - ok
21:14:38.0453 1604   TosIde - ok
21:14:38.0531 1604   tunmp (87a0e9e18c10a9e454238e3330e2a26d) C:\WINDOWS\system32\DRIVERS\tunmp.sys
21:14:38.0531 1604   tunmp - ok
21:14:38.0640 1604   Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
21:14:38.0640 1604   Udfs - ok
21:14:38.0671 1604   ultra - ok
21:14:38.0734 1604   Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
21:14:38.0734 1604   Update - ok
21:14:38.0875 1604   usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:14:38.0875 1604   usbccgp - ok
21:14:38.0921 1604   usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:14:38.0937 1604   usbehci - ok
21:14:39.0031 1604   usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:14:39.0031 1604   usbhub - ok
21:14:39.0093 1604   usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:14:39.0093 1604   usbprint - ok
21:14:39.0203 1604   usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:14:39.0218 1604   usbscan - ok
21:14:39.0265 1604   USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:14:39.0265 1604   USBSTOR - ok
21:14:39.0328 1604   usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:14:39.0328 1604   usbuhci - ok
21:14:39.0546 1604   VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
21:14:39.0546 1604   VgaSave - ok
21:14:39.0578 1604   ViaIde - ok
21:14:39.0718 1604   VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
21:14:39.0718 1604   VolSnap - ok
21:14:40.0000 1604   w29n51 (c89da341fcc883a3d79dc11727484fc2) C:\WINDOWS\system32\DRIVERS\w29n51.sys
21:14:40.0218 1604   w29n51 - ok
21:14:40.0375 1604   Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:14:40.0375 1604   Wanarp - ok
21:14:40.0390 1604   WDICA - ok
21:14:40.0484 1604   wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
21:14:40.0484 1604   wdmaud - ok
21:14:40.0671 1604   winachsf (c08fad1207bb219bdf9eec30afc1809e) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
21:14:40.0687 1604   winachsf - ok
21:14:40.0890 1604   WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:14:40.0890 1604   WSTCODEC - ok
21:14:40.0953 1604   MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:14:41.0171 1604   \Device\Harddisk0\DR0 - ok
21:14:41.0171 1604   Boot (0x1200) (752a0a1398ef2ece0aeb195f844b04a4) \Device\Harddisk0\DR0\Partition0
21:14:41.0171 1604   \Device\Harddisk0\DR0\Partition0 - ok
21:14:41.0187 1604   Boot (0x1200) (158f8d3d6073c7c647ad877fd5bb31d4) \Device\Harddisk0\DR0\Partition1
21:14:41.0187 1604   \Device\Harddisk0\DR0\Partition1 - ok
21:14:41.0187 1604   ============================================================
21:14:41.0187 1604   Scan finished
21:14:41.0187 1604   ============================================================
21:14:41.0218 1648   Detected object count: 1
21:14:41.0218 1648   Actual detected object count: 1
21:15:53.0218 1648   C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - copied to quarantine
21:15:57.0250 1648   Backup copy found, using it..
21:15:57.0578 1648   C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
21:16:03.0593 1648   MRxSmb ( Virus.Win32.ZAccess.c ) - User select action: Cure

1972vet · « **Reply #3 on:** March 14, 2012, 05:34:57 PM »

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Chromed Shoes · « **Reply #4 on:** March 14, 2012, 10:06:46 PM »

Here is the log produced..

ComboFix 12-03-14.01 - User 03/14/2012 21:11:19.2.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spy Sweeper with AntiVirus *Disabled/Outdated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\Adobe\zafira.exe
c:\documents and settings\User\Application Data\Identities\sock.exe
c:\windows\system32\raysat3_4_6_18server.dll
c:\windows\system32\rt73.dll
c:\windows\system32\symids.dll
c:\windows\system32\wanarp.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BTHUSB
-------\Legacy_VC4CB104
-------\Legacy_WEBSENSEPOLICYSERVER
-------\Legacy_WSEARCH
-------\Service_bthusb
-------\Service_VC4CB104
-------\Service_websensepolicyserver
-------\Service_wsearch
.
.
((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 )))))))))))))))))))))))))))))))
.
.
2012-03-15 04:09 . 2012-03-15 04:09   63115   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-03-15 04:09 . 2012-03-15 04:09   9310   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-03-15 04:09 . 2012-03-15 04:09   8646   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-03-15 04:09 . 2012-03-15 04:09   6429   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-03-15 04:09 . 2012-03-15 04:09   5927   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-03-15 04:09 . 2012-03-15 04:09   4599   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-03-15 04:09 . 2012-03-15 04:09   8613   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-03-15 04:09 . 2012-03-15 04:09   6910   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-03-15 04:09 . 2012-03-15 04:09   1651   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-03-15 04:09 . 2012-03-15 04:09   6208   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-03-15 04:09 . 2012-03-15 04:09   18541   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-03-15 04:08 . 2012-03-15 04:08   8288   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-03-15 04:08 . 2012-03-15 04:08   51852   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-03-15 04:08 . 2012-03-15 04:08   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-03-15 04:08 . 2012-03-15 04:08   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-03-15 04:08 . 2012-03-15 04:08   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-03-15 04:08 . 2012-03-15 04:08   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-03-15 03:02 . 2001-08-17 19:51   20752   -c--a-w-   c:\windows\system32\dllcache\sonync.sys
2012-03-15 03:02 . 2004-08-04 05:59   57472   -c--a-w-   c:\windows\system32\dllcache\redbook.sys
2012-03-15 03:02 . 2004-08-04 05:59   57472   ----a-w-   c:\windows\system32\drivers\redbook.sys
2012-02-15 04:19 . 2012-02-15 04:15   --------   d-----w-   C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 04:08 . 2001-01-03 19:05   0   --sha-w-   c:\windows\system32\dds_trash_log.cmd
2012-02-15 04:12 . 2009-06-15 14:11   138192   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-15 04:12 . 2007-03-11 00:33   451456   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2012-02-15 04:12 . 2007-03-11 00:33   74752   ----a-w-   c:\windows\system32\drivers\ipsec.sys
2012-02-15 04:12 . 2007-03-11 00:33   138496   ----a-w-   c:\windows\system32\drivers\afd.sys
2012-02-15 03:58 . 2009-06-15 14:11   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-05-21 15:59 . 2010-05-21 15:59   3095040   ----a-w-   c:\program files\openofficeorg32.msi
2010-05-21 15:58 . 2010-05-21 15:58   460088   ----a-w-   c:\program files\setup.exe
2005-11-23 02:01 . 2009-04-27 21:34   174838062   ----a-w-   c:\program files\GP5FULLBK-1.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2007-03-11 . 09EB23A4567BDD56D9580A059E616E23 . 359040 . . [5.1.2600.2505] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\termsrv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-07-07 924488]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@OnlineArmor GUI]
2010-07-07 19:33   6965576   ----a-w-   c:\program files\Tall Emu\Online Armor\oaui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-12-11 19:34   281768   ----a-w-   c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
2012-03-15 04:07   388608   ----a-r-   c:\combofix\CF13251.3XE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:06   1667584   ------w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2007-07-20 04:54   5361464   ----a-w-   c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43   248040   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2001-01-03 19:30   296056   ----a-w-   c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OAcat"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"EvtEng"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;c:\windows\system32\drivers\SSFS0BB8.sys [9/20/2007 4:02 PM 20280]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/15/2009 7:29 AM 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/15/2009 7:29 AM 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/15/2009 7:29 AM 28232]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/15/2009 7:11 AM 136360]
S0 73279805;73279805;c:\windows\system32\drivers\54757030.sys --> c:\windows\system32\drivers\54757030.sys [?]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [3/14/2011 4:19 PM 20504]
S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/15/2009 7:29 AM 1283400]
S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/15/2009 7:29 AM 3505992]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IKSYSFLT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ     p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper   REG_MULTI_SZ     getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ati2mtaa
iksysflt
mail2ec
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1993962763-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
2001-01-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1993962763-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\05bge07v.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: Vista-aero: {07b2a769-ed19-4483-87ce-c643914c81bb} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-19139830.sys
SafeBoot-25513703.sys
SafeBoot-25581730.sys
SafeBoot-29021679.sys
SafeBoot-36484385.sys
SafeBoot-73279805.sys
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_104D0200
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 21:10
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB35442$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WRLogonNTF.dll
.
- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
.
- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2012-03-14 21:15:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-15 04:15
.
Pre-Run: 26,173,362,176 bytes free
Post-Run: 28,539,334,656 bytes free
.
- - End Of File - - 41AB0E637B056B56D7E0BBEA9BAC49AB

1972vet · « **Reply #5 on:** March 15, 2012, 07:51:25 AM »

This log appears to be edited. Let's see if it's a fluke. Open the log once more, copy the entire log and paste that back here on your next reply. Thanks!

Chromed Shoes · « **Reply #6 on:** March 15, 2012, 11:05:30 AM »

should I run a second scan with ComboFix?

ComboFix 12-03-14.01 - User 03/14/2012 21:11:19.2.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spy Sweeper with AntiVirus *Disabled/Outdated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\Adobe\zafira.exe
c:\documents and settings\User\Application Data\Identities\sock.exe
c:\windows\system32\raysat3_4_6_18server.dll
c:\windows\system32\rt73.dll
c:\windows\system32\symids.dll
c:\windows\system32\wanarp.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BTHUSB
-------\Legacy_VC4CB104
-------\Legacy_WEBSENSEPOLICYSERVER
-------\Legacy_WSEARCH
-------\Service_bthusb
-------\Service_VC4CB104
-------\Service_websensepolicyserver
-------\Service_wsearch
.
.
((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 )))))))))))))))))))))))))))))))
.
.
2012-03-15 04:09 . 2012-03-15 04:09   63115   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-03-15 04:09 . 2012-03-15 04:09   9310   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-03-15 04:09 . 2012-03-15 04:09   8646   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-03-15 04:09 . 2012-03-15 04:09   6429   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-03-15 04:09 . 2012-03-15 04:09   5927   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-03-15 04:09 . 2012-03-15 04:09   4599   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-03-15 04:09 . 2012-03-15 04:09   8613   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-03-15 04:09 . 2012-03-15 04:09   6910   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-03-15 04:09 . 2012-03-15 04:09   1651   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-03-15 04:09 . 2012-03-15 04:09   6208   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-03-15 04:09 . 2012-03-15 04:09   18541   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-03-15 04:08 . 2012-03-15 04:08   8288   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-03-15 04:08 . 2012-03-15 04:08   51852   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-03-15 04:08 . 2012-03-15 04:08   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-03-15 04:08 . 2012-03-15 04:08   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-03-15 04:08 . 2012-03-15 04:08   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-03-15 04:08 . 2012-03-15 04:08   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-03-15 03:02 . 2001-08-17 19:51   20752   -c--a-w-   c:\windows\system32\dllcache\sonync.sys
2012-03-15 03:02 . 2004-08-04 05:59   57472   -c--a-w-   c:\windows\system32\dllcache\redbook.sys
2012-03-15 03:02 . 2004-08-04 05:59   57472   ----a-w-   c:\windows\system32\drivers\redbook.sys
2012-02-15 04:19 . 2012-02-15 04:15   --------   d-----w-   C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 04:08 . 2001-01-03 19:05   0   --sha-w-   c:\windows\system32\dds_trash_log.cmd
2012-02-15 04:12 . 2009-06-15 14:11   138192   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-15 04:12 . 2007-03-11 00:33   451456   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2012-02-15 04:12 . 2007-03-11 00:33   74752   ----a-w-   c:\windows\system32\drivers\ipsec.sys
2012-02-15 04:12 . 2007-03-11 00:33   138496   ----a-w-   c:\windows\system32\drivers\afd.sys
2012-02-15 03:58 . 2009-06-15 14:11   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-05-21 15:59 . 2010-05-21 15:59   3095040   ----a-w-   c:\program files\openofficeorg32.msi
2010-05-21 15:58 . 2010-05-21 15:58   460088   ----a-w-   c:\program files\setup.exe
2005-11-23 02:01 . 2009-04-27 21:34   174838062   ----a-w-   c:\program files\GP5FULLBK-1.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2007-03-11 . 09EB23A4567BDD56D9580A059E616E23 . 359040 . . [5.1.2600.2505] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\termsrv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-07-07 924488]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@OnlineArmor GUI]
2010-07-07 19:33   6965576   ----a-w-   c:\program files\Tall Emu\Online Armor\oaui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-12-11 19:34   281768   ----a-w-   c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
2012-03-15 04:07   388608   ----a-r-   c:\combofix\CF13251.3XE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:06   1667584   ------w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2007-07-20 04:54   5361464   ----a-w-   c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43   248040   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2001-01-03 19:30   296056   ----a-w-   c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OAcat"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"EvtEng"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;c:\windows\system32\drivers\SSFS0BB8.sys [9/20/2007 4:02 PM 20280]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/15/2009 7:29 AM 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/15/2009 7:29 AM 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/15/2009 7:29 AM 28232]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/15/2009 7:11 AM 136360]
S0 73279805;73279805;c:\windows\system32\drivers\54757030.sys --> c:\windows\system32\drivers\54757030.sys [?]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [3/14/2011 4:19 PM 20504]
S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/15/2009 7:29 AM 1283400]
S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/15/2009 7:29 AM 3505992]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IKSYSFLT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ     p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper   REG_MULTI_SZ     getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ati2mtaa
iksysflt
mail2ec
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1993962763-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
2001-01-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1993962763-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: mswsock.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\05bge07v.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: Vista-aero: {07b2a769-ed19-4483-87ce-c643914c81bb} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-19139830.sys
SafeBoot-25513703.sys
SafeBoot-25581730.sys
SafeBoot-29021679.sys
SafeBoot-36484385.sys
SafeBoot-73279805.sys
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0200\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_104D0200
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 21:10
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB35442$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WRLogonNTF.dll
.
- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
.
- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2012-03-14 21:15:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-15 04:15
.
Pre-Run: 26,173,362,176 bytes free
Post-Run: 28,539,334,656 bytes free
.
- - End Of File - - 41AB0E637B056B56D7E0BBEA9BAC49AB

1972vet · « **Reply #7 on:** March 15, 2012, 12:36:46 PM »

OK, thanks. It looks the same. Please run combofix again and post back the new log. Thanks!

Chromed Shoes · « **Reply #8 on:** March 15, 2012, 03:22:51 PM »

I realize that the date and time on the log produced are from yesterday's date. However this is only because the time setting on my computer are off. I guess the date marked on the log reflects the time setting on my computer(I've tried fixing the date but it never seems to stay updated). Anyway this is the new log from combofix.

ComboFix 12-03-14.01 - User 03/14/2012 21:15:53.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.219 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spy Sweeper with AntiVirus *Disabled/Outdated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB35442$
c:\windows\$NtUninstallKB35442$\1973485522\@
c:\windows\$NtUninstallKB35442$\1973485522\cfg.ini
c:\windows\$NtUninstallKB35442$\1973485522\Desktop.ini
c:\windows\$NtUninstallKB35442$\1973485522\L\jlubmrqt
c:\windows\$NtUninstallKB35442$\1973485522\oemid
c:\windows\$NtUninstallKB35442$\1973485522\U\00000001.@
c:\windows\$NtUninstallKB35442$\1973485522\U\00000002.@
c:\windows\$NtUninstallKB35442$\1973485522\U\00000004.@
c:\windows\$NtUninstallKB35442$\1973485522\U\80000000.@
c:\windows\$NtUninstallKB35442$\1973485522\U\80000004.@
c:\windows\$NtUninstallKB35442$\1973485522\U\80000032.@
c:\windows\$NtUninstallKB35442$\1973485522\version
c:\windows\$NtUninstallKB35442$\3841739398
c:\windows\system32\kraidsvc.dll
c:\windows\system32\ovt519.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IKSYSFLT
-------\Legacy_SQLSERVERAGENT
-------\Service_iksysflt
-------\Service_sqlserveragent
.
.
((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 )))))))))))))))))))))))))))))))
.
.
2012-03-15 04:09 . 2012-03-15 04:09   63115   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-03-15 04:09 . 2012-03-15 04:09   9310   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-03-15 04:09 . 2012-03-15 04:09   8646   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-03-15 04:09 . 2012-03-15 04:09   6429   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-03-15 04:09 . 2012-03-15 04:09   5927   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-03-15 04:09 . 2012-03-15 04:09   4599   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-03-15 04:09 . 2012-03-15 04:09   8613   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-03-15 04:09 . 2012-03-15 04:09   6910   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-03-15 04:09 . 2012-03-15 04:09   1651   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-03-15 04:09 . 2012-03-15 04:09   6208   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-03-15 04:09 . 2012-03-15 04:09   18541   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-03-15 04:08 . 2012-03-15 04:08   8288   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-03-15 04:08 . 2012-03-15 04:08   51852   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-03-15 04:08 . 2012-03-15 04:08   8782   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-03-15 04:08 . 2012-03-15 04:08   7271   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-03-15 04:08 . 2012-03-15 04:08   23327   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-03-15 04:08 . 2012-03-15 04:08   20719   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-03-15 03:02 . 2001-08-17 19:51   20752   -c--a-w-   c:\windows\system32\dllcache\sonync.sys
2012-03-15 03:02 . 2004-08-04 05:59   57472   -c--a-w-   c:\windows\system32\dllcache\redbook.sys
2012-03-15 03:02 . 2004-08-04 05:59   57472   ----a-w-   c:\windows\system32\drivers\redbook.sys
2012-02-15 04:19 . 2012-02-15 04:15   --------   d-----w-   C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 04:08 . 2001-01-03 19:05   0   --sha-w-   c:\windows\system32\dds_trash_log.cmd
2012-02-15 04:12 . 2009-06-15 14:11   138192   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-02-15 04:12 . 2007-03-11 00:33   451456   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2012-02-15 04:12 . 2007-03-11 00:33   74752   ----a-w-   c:\windows\system32\drivers\ipsec.sys
2012-02-15 04:12 . 2007-03-11 00:33   138496   ----a-w-   c:\windows\system32\drivers\afd.sys
2012-02-15 03:58 . 2009-06-15 14:11   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2010-05-21 15:59 . 2010-05-21 15:59   3095040   ----a-w-   c:\program files\openofficeorg32.msi
2010-05-21 15:58 . 2010-05-21 15:58   460088   ----a-w-   c:\program files\setup.exe
2005-11-23 02:01 . 2009-04-27 21:34   174838062   ----a-w-   c:\program files\GP5FULLBK-1.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2007-03-11 . 09EB23A4567BDD56D9580A059E616E23 . 359040 . . [5.1.2600.2505] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-03-15_04.10.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-15 04:08 . 2012-03-15 04:08   16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
+ 2012-03-15 04:08 . 2012-03-15 04:08   16384 c:\windows\Temp\Perflib_Perfdata_1b0.dat
+ 2007-09-20 17:30 . 2012-03-15 04:12   217197 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-07-07 924488]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ     msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\@OnlineArmor GUI]
2010-07-07 19:33   6965576   ----a-w-   c:\program files\Tall Emu\Online Armor\oaui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2010-12-11 19:34   281768   ----a-w-   c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:06   1667584   ------w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2007-07-20 04:54   5361464   ----a-w-   c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43   248040   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2001-01-03 19:30   296056   ----a-w-   c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wlidsvc"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"SvcOnlineArmor"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"OAcat"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"EvtEng"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;c:\windows\system32\drivers\SSFS0BB8.sys [9/20/2007 4:02 PM 20280]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/15/2009 7:29 AM 236104]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/15/2009 7:29 AM 22600]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/15/2009 7:29 AM 28232]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/15/2009 7:11 AM 136360]
S0 73279805;73279805;c:\windows\system32\drivers\54757030.sys --> c:\windows\system32\drivers\54757030.sys [?]
S3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [3/14/2011 4:19 PM 20504]
S4 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/15/2009 7:29 AM 1283400]
S4 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/15/2009 7:29 AM 3505992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ     p2psvc p2pimsvc p2pgasvc PNRPSvc
getPlusHelper   REG_MULTI_SZ     getPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ati2mtaa
mail2ec
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-776561741-1993962763-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
2001-01-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-776561741-1993962763-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\05bge07v.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Chromifox Basic: chromifox@altmusictv.com - %profile%\extensions\chromifox@altmusictv.com
FF - Ext: Vista-aero: {07b2a769-ed19-4483-87ce-c643914c81bb} - %profile%\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-combofix - c:\combofix\CF13251.3XE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 22:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2012-03-14 22:06:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-15 05:06
ComboFix2.txt 2012-03-15 04:15
.
Pre-Run: 28,423,286,784 bytes free
Post-Run: 28,527,616,000 bytes free
.
- - End Of File - - 8CFEBE89FDB5873A94203D1090104AC0

1972vet · « **Reply #9 on:** March 15, 2012, 05:11:45 PM »

Great, thanks. While this log looks much more like I expect it, I now need to ask if you have your installation disk handy. There is a critical core file that is missing and can only be replaced now from the disk. We could have used combofix to do this, but no substitution was found on board. Let me know...Thanks!

1972vet · « **Reply #10 on:** March 18, 2012, 06:47:05 PM »

Still with us Chromed Shoes?

Chromed Shoes · « **Reply #11 on:** March 19, 2012, 05:45:15 PM »

yeah it's just that I don't have a copy of said disk

1972vet · « **Reply #12 on:** March 20, 2012, 08:35:55 AM »

Then I'm afraid that system will remain infected. Have you considered upgrading? Windows XP is quite old now, even if you had a disk to repair that one, it's still time to upgrade to a more up to date operating system. Have you considered this?

1972vet · « **Reply #13 on:** March 28, 2012, 07:20:42 AM »

Still with us Chromed Shoes? Please let me know what you decided so we can decide what to do with this thread. Thanks!

1972vet · « **Reply #14 on:** March 31, 2012, 06:58:30 PM »

Due to the lack of feedback this Topic is closed. If you need continued support, please create a new thread detailing what issues you are having.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

News:

Author Topic: [Inactive] Win32.Z.Access.c redirects searches (Read 1312 times)

Chromed Shoes

[Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

Chromed Shoes

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

Chromed Shoes

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

Chromed Shoes

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

Chromed Shoes

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

Chromed Shoes

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches

1972vet

Re: [Inactive] Win32.Z.Access.c redirects searches