
Infected with "Abnow" redirect virus


  • This topic is locked
24 replies to this topic

#1 sympa (Members, 13 posts)

Posted 11 March 2012 - 03:54 AM

Every time I open a web link it redirects to a webpage "abnow...".




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Tizian at 13:19:53 on 2012-03-10
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2469 [GMT 2:00]
.
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\totalcmd\TOTALCMD.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/?ilc=8
mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
mStart Page = hxxp://www.yahoo.com/?ilc=8
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203524975998
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B14859CA-23C9-4B09-88B6-FF32C79AF492} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 firedrv;Generic OHCILynx-1394 (intek);c:\windows\system32\drivers\firedrv.sys [2007-11-16 103528]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-12-19 18056]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-12-19 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 31704]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-12-19 1960584]
S2 gupdate;Serviciul Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-7 136176]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-7 136176]
.
=============== Created Last 30 ================
.
2012-03-10 11:19:27 -------- d-----w- c:\documents and settings\tizian\local settings\application data\COMODO
2012-03-10 10:35:43 0 --sha-w- c:\windows\system32\dds_log_ad13.cmd
2012-03-09 15:43:27 -------- d-----w- C:\ComboFix
2012-03-09 12:25:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-09 09:23:57 -------- d-----w- c:\program files\CCleaner
2012-03-09 09:15:51 -------- d-----w- c:\documents and settings\all users\application data\Comodo
2012-03-09 09:15:46 -------- d-----w- c:\program files\COMODO
2012-02-27 12:45:32 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-02-27 12:43:07 -------- d-sh--w- c:\documents and settings\tizian\local settings\application data\d67d2d4d
2012-02-16 12:01:56 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 12:01:56 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-03-09 18:33:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 12:26:22 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-17 21:00:48 494968 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 10:29:49 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2011-12-19 16:59:22 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 16:59:20 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 16:58:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 16:58:56 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 13:20:18,90 ===============


#2 Oh My! (Malware Response Instructor, 36,791 posts)

Posted 11 March 2012 - 03:32 PM

Greetings sympa and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My! (Malware Response Instructor, 36,791 posts)

Posted 11 March 2012 - 05:32 PM

Greetings sympa,


I have had an opportunity to review your logs. Prior to offering my first step I must advise you of the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections [ZeroAccess] is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Panda USB Vaccine

--------------------

From a clean computer, please download and use Panda USB Vaccine.

Alternate download link 1
Alternate download link 2

  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.


===================================================


xPUD MBR Report

--------------------

Start this from a clean computer. You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK. Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Right click this dumpit link, select "save link/target as", and save the file directly to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive). If it is not there remove the USB device for 5 seconds then reinsert.
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • mbr.zip

Gary
 

#4 sympa (Topic Starter, Members, 13 posts)

Posted 12 March 2012 - 02:05 AM

Hello


Thank you for the time you are taking with this.
As this is a CAD computer, even though there might be financial transactions performed from it, it's not its focus. Secondly, the image of this PC is not available at the moment, so a cleanup would be the best thing at the moment.



#5 sympa (Topic Starter, Members, 13 posts)

Posted 14 March 2012 - 12:59 PM

Hello

Sorry for the delay in responding but here is the requested file


Thank you

Attached Files

  • mbr.zip (2.21KB, 6 downloads)


#6 Oh My! (Malware Response Instructor, 36,791 posts)

Posted 15 March 2012 - 07:36 AM

Greetings sympa,


Your master boot record looks clean. That is good news but it doesn't help us resolve the redirect issue.

Could you please tell me how you connect to the internet, specifically whether or not you go through a router? If so, are there other computers attached to the router and are those computers experiencing any redirects?

I see you previously ran both TDSSKiller and Combofix. I would like to review those logs so we can continue to investigate the cause of your difficulties.

Finally, there is a suspicious folder on your machine. We will be looking at the contents of that folder.


===================================================


Posting Prior TDSSKiller Log

--------------------

I would like to review your previous TDSSKiller log to help evaluate the state of your computer.

  • A log file named TDSSKiller_version_date_time_log.txt was created and saved to the root directory (usually Local Disk C:).
  • Please copy and paste the contents of that file in your next reply.

===================================================


Obtaining Current ComboFix.txt

--------------------

Please copy and paste the contents of the following file in your reply.

C:\ComboFix.txt


===================================================


RUN BATCH (.bat) FILE

--------------------

  • Press the Windows key + R on your keyboard at the same time
  • Type Notepad and press enter
  • Copy and paste the following into the Notepad document:

    rem Change into the hidden/system folder flagged in the DDS log
    cd /d "c:\documents and settings\tizian\local settings\application data\d67d2d4d"
    rem List everything, including hidden and system files (/a), into print.txt
    dir /a > print.txt
    notepad print.txt

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input look.bat.
  • Click Save.

    When done properly, the icon on your desktop should look like a batch file icon (or something similar).
  • Close the Notepad.
  • Locate and double-click look.bat on the desktop.
  • Notepad will open print.txt. Copy and paste the contents in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Do you (and others) connect to the internet through a router?
  • Combofix.txt
  • TDSSKiller log
  • print.txt

Gary
 
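The folder the helper singles out above was picked out of the "Created Last 30" section of the DDS log in post #1 by its attributes (d-sh--w-: a hidden, system directory with a random-looking name under a user profile's Application Data). As an added example, not code from the thread or from DDS, here is a small Python script that applies the same triage to that section of a DDS log; the reading of 's' and 'h' in the attribute string as system/hidden and the exclusion of DDS's own dds_log_ scratch files are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Excerpt of the "Created Last 30" section from the DDS log posted above
# (constructed from the thread's own log, with a few lines trimmed).
SAMPLE_DDS = r"""
=============== Created Last 30 ================
.
2012-03-10 11:19:27 -------- d-----w- c:\documents and settings\tizian\local settings\application data\COMODO
2012-03-10 10:35:43 0 --sha-w- c:\windows\system32\dds_log_ad13.cmd
2012-03-09 15:43:27 -------- d-----w- C:\ComboFix
2012-03-09 12:25:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-27 12:43:07 -------- d-sh--w- c:\documents and settings\tizian\local settings\application data\d67d2d4d
2012-02-16 12:01:56 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
"""

# DDS lists one entry per line: date, time, size (or -------- for a
# directory), an 8-character attribute string, then the path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) ([-a-z]{8}) (.+)$"
)
# Directory names made of 8 hex digits, like d67d2d4d above.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")


@dataclass
class Entry:
    date: str
    attrs: str
    path: str
    is_dir: bool


def parse_created_section(log_text: str) -> list[Entry]:
    """Return the entries between the 'Created Last 30' header and the next one."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # next section header
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # the "." separator lines, or anything unexpected
        date, _time, size, attrs, path = m.groups()
        entries.append(Entry(date, attrs, path, is_dir=(size == "--------")))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, list[str]]]:
    """Flag entries worth a closer look, with the reason for each."""
    findings = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower()
        # Assumption: DDS's own scratch files are named dds_log_*.cmd; skip them.
        if name.startswith("dds_log_"):
            continue
        reasons = []
        # Assumption: 's' and 'h' in the attribute string mean system and hidden.
        if "s" in e.attrs and "h" in e.attrs:
            reasons.append("hidden+system attributes")
        if e.is_dir and HEX_NAME_RE.match(name):
            reasons.append("random-looking 8-hex-digit directory name")
        if reasons and "application data" in e.path.lower():
            reasons.append("created under a user profile's Application Data")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_created_section(SAMPLE_DDS)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the excerpt it reports only the d67d2d4d directory, with all three reasons; the CCleaner, COMODO and ComboFix folders created in the same window are left alone.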

#7 sympa (Topic Starter, Members, 13 posts)

Posted 17 March 2012 - 02:24 AM

Hi

1. Normally it's just one PC on that router, but I suspect that it's also used for Wi-Fi access from time to time, the ill PC being a desktop.
2.
14:25:08.0796 2308 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
14:25:08.0921 2308 ============================================================
14:25:08.0921 2308 Current date / time: 2012/03/09 14:25:08.0921
14:25:08.0921 2308 SystemInfo:
14:25:08.0921 2308
14:25:08.0921 2308 OS Version: 5.1.2600 ServicePack: 3.0
14:25:08.0921 2308 Product type: Workstation
14:25:08.0921 2308 ComputerName: SCHUETZ-DENTAL
14:25:08.0921 2308 UserName: Tizian
14:25:08.0921 2308 Windows directory: C:\WINDOWS
14:25:08.0921 2308 System windows directory: C:\WINDOWS
14:25:08.0921 2308 Processor architecture: Intel x86
14:25:08.0921 2308 Number of processors: 2
14:25:08.0921 2308 Page size: 0x1000
14:25:08.0921 2308 Boot type: Normal boot
14:25:08.0921 2308 ============================================================
14:25:09.0328 2308 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:25:09.0328 2308 \Device\Harddisk0\DR0:
14:25:09.0328 2308 MBR used
14:25:09.0328 2308 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x61AB7E8
14:25:09.0343 2308 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x61AB827, BlocksNum 0x15F98B65
14:25:09.0343 2308 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1C14438C, BlocksNum 0x1064AAE
14:25:09.0437 2308 Initialize success
14:25:09.0437 2308 ============================================================
14:25:13.0312 1972 ============================================================
14:25:13.0312 1972 Scan started
14:25:13.0312 1972 Mode: Manual;
14:25:13.0312 1972 ============================================================
14:25:16.0171 1972 NABTSFEC - ok
14:25:16.0187 1972 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:25:16.0203 1972 NDIS - ok
14:25:16.0218 1972 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:25:16.0218 1972 NdisIP - ok
14:25:16.0250 1972 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:25:16.0296 1972 NdisTapi - ok
14:25:16.0312 1972 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:25:16.0312 1972 Ndisuio - ok
14:25:16.0328 1972 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:25:16.0328 1972 NdisWan - ok
14:25:16.0343 1972 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:25:16.0390 1972 NDProxy - ok
14:25:16.0421 1972 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:25:16.0421 1972 NetBIOS - ok
14:25:16.0453 1972 NetBT (56e2562fec1f630f2f6794f7442a4937) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:25:16.0453 1972 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 56e2562fec1f630f2f6794f7442a4937, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
14:25:16.0453 1972 NetBT ( Virus.Win32.ZAccess.g ) - infected
14:25:16.0453 1972 NetBT - detected Virus.Win32.ZAccess.g (0)
14:25:16.0468 1972 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:25:16.0484 1972 NIC1394 - ok
14:25:16.0500 1972 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:25:16.0500 1972 Npfs - ok
14:25:16.0515 1972 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:25:16.0546 1972 Ntfs - ok
14:25:16.0546 1972 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:25:16.0546 1972 Null - ok
14:25:16.0671 1972 nv (8e72e452b9cc1e455d19e3c9fa964d37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:25:16.0921 1972 nv - ok
14:25:16.0984 1972 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:25:16.0984 1972 NwlnkFlt - ok
14:25:17.0031 1972 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:25:17.0031 1972 NwlnkFwd - ok
14:25:17.0078 1972 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:25:17.0078 1972 ohci1394 - ok
14:25:17.0093 1972 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:25:17.0093 1972 Parport - ok
14:25:17.0093 1972 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:25:17.0093 1972 PartMgr - ok
14:25:17.0156 1972 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:25:17.0156 1972 ParVdm - ok
14:25:17.0171 1972 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:25:17.0171 1972 PCI - ok
14:25:17.0171 1972 PCIDump - ok
14:25:17.0203 1972 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:25:17.0203 1972 PCIIde - ok
14:25:17.0218 1972 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:25:17.0218 1972 Pcmcia - ok
14:25:17.0218 1972 PDCOMP - ok
14:25:17.0234 1972 PDFRAME - ok
14:25:17.0234 1972 PDRELI - ok
14:25:17.0250 1972 PDRFRAME - ok
14:25:17.0250 1972 perc2 - ok
14:25:17.0250 1972 perc2hib - ok
14:25:17.0296 1972 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:25:17.0296 1972 PptpMiniport - ok
14:25:17.0312 1972 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:25:17.0312 1972 PSched - ok
14:25:17.0328 1972 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:25:17.0328 1972 Ptilink - ok
14:25:17.0328 1972 ql1080 - ok
14:25:17.0343 1972 Ql10wnt - ok
14:25:17.0343 1972 ql12160 - ok
14:25:17.0359 1972 ql1240 - ok
14:25:17.0359 1972 ql1280 - ok
14:25:17.0375 1972 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:25:17.0375 1972 RasAcd - ok
14:25:17.0375 1972 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:25:17.0375 1972 Rasl2tp - ok
14:25:17.0390 1972 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:25:17.0390 1972 RasPppoe - ok
14:25:17.0406 1972 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:25:17.0406 1972 Raspti - ok
14:25:17.0421 1972 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:25:17.0421 1972 Rdbss - ok
14:25:17.0421 1972 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:25:17.0421 1972 RDPCDD - ok
14:25:17.0437 1972 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:25:17.0437 1972 rdpdr - ok
14:25:17.0484 1972 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:25:17.0531 1972 RDPWD - ok
14:25:17.0546 1972 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:25:17.0562 1972 redbook - ok
14:25:17.0593 1972 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:25:17.0593 1972 Secdrv - ok
14:25:17.0625 1972 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
14:25:17.0625 1972 SenFiltService - ok
14:25:17.0640 1972 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:25:17.0640 1972 serenum - ok
14:25:17.0656 1972 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:25:17.0656 1972 Serial - ok
14:25:17.0671 1972 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:25:17.0671 1972 Sfloppy - ok
14:25:17.0671 1972 Simbad - ok
14:25:17.0703 1972 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
14:25:17.0703 1972 SLIP - ok
14:25:17.0703 1972 Sparrow - ok
14:25:17.0718 1972 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:25:17.0718 1972 splitter - ok
14:25:17.0734 1972 sptd - ok
14:25:17.0750 1972 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:25:17.0750 1972 sr - ok
14:25:17.0765 1972 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:25:17.0765 1972 Srv - ok
14:25:17.0796 1972 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
14:25:17.0796 1972 streamip - ok
14:25:17.0812 1972 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:25:17.0812 1972 swenum - ok
14:25:17.0828 1972 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:25:17.0828 1972 swmidi - ok
14:25:17.0843 1972 symc810 - ok
14:25:17.0843 1972 symc8xx - ok
14:25:17.0859 1972 sym_hi - ok
14:25:17.0859 1972 sym_u3 - ok
14:25:17.0875 1972 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:25:17.0875 1972 sysaudio - ok
14:25:17.0921 1972 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:25:17.0921 1972 Tcpip - ok
14:25:17.0937 1972 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:25:17.0937 1972 TDPIPE - ok
14:25:17.0953 1972 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:25:17.0968 1972 TDTCP - ok
14:25:17.0984 1972 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:25:17.0984 1972 TermDD - ok
14:25:18.0000 1972 TosIde - ok
14:25:18.0015 1972 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:25:18.0015 1972 Udfs - ok
14:25:18.0031 1972 ultra - ok
14:25:18.0062 1972 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:25:18.0078 1972 Update - ok
14:25:18.0125 1972 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
14:25:18.0125 1972 USBAAPL - ok
14:25:18.0156 1972 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:25:18.0156 1972 usbehci - ok
14:25:18.0171 1972 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:25:18.0171 1972 usbhub - ok
14:25:18.0203 1972 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:25:18.0203 1972 usbprint - ok
14:25:18.0218 1972 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:25:18.0234 1972 usbscan - ok
14:25:18.0250 1972 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:25:18.0250 1972 USBSTOR - ok
14:25:18.0250 1972 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:25:18.0250 1972 usbuhci - ok
14:25:18.0265 1972 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:25:18.0265 1972 VgaSave - ok
14:25:18.0265 1972 ViaIde - ok
14:25:18.0296 1972 Video3D (8643da4a6c83da6c10fcab1e5ab6632d) C:\WINDOWS\system32\Drivers\Video3D32.sys
14:25:18.0296 1972 Video3D - ok
14:25:18.0312 1972 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:25:18.0312 1972 VolSnap - ok
14:25:18.0328 1972 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:25:18.0343 1972 Wanarp - ok
14:25:18.0343 1972 WDICA - ok
14:25:18.0359 1972 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:25:18.0359 1972 wdmaud - ok
14:25:18.0406 1972 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
14:25:18.0406 1972 WSTCODEC - ok
14:25:18.0437 1972 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
14:25:18.0562 1972 \Device\Harddisk0\DR0 - ok
14:25:18.0562 1972 Boot (0x1200) (2a3eee48cac264d526e83372fabaea25) \Device\Harddisk0\DR0\Partition0
14:25:18.0562 1972 \Device\Harddisk0\DR0\Partition0 - ok
14:25:18.0578 1972 Boot (0x1200) (1f97aa073117fdc9a14c2e7a58eeb04d) \Device\Harddisk0\DR0\Partition1
14:25:18.0578 1972 \Device\Harddisk0\DR0\Partition1 - ok
14:25:18.0593 1972 Boot (0x1200) (94594e372391c7dce598a0ce1a9da8dc) \Device\Harddisk0\DR0\Partition2
14:25:18.0593 1972 \Device\Harddisk0\DR0\Partition2 - ok
14:25:18.0609 1972 ============================================================
14:25:18.0609 1972 Scan finished
14:25:18.0609 1972 ============================================================
14:25:18.0609 0340 Detected object count: 1
14:25:18.0609 0340 Actual detected object count: 1
14:25:25.0859 0340 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
14:25:26.0687 0340 Backup copy found, using it..
14:25:26.0796 0340 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
14:25:28.0000 0340 NetBT ( Virus.Win32.ZAccess.g ) - User select action: Cure
14:25:36.0625 2304 Deinitialize success



3. I searched for the combofix.txt but it's not on C nor in c:\combofix\; I can run ComboFix if instructed.

4. Volume in drive C is System
Volume Serial Number is 18CF-6D05

Directory of C:\Documents and Settings\Tizian\Local Settings\Application Data\d67d2d4d

17.03.2012 09:23 0 print.txt
1 File(s) 0 bytes
0 Dir(s) 28.865.835.008 bytes free
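A defender's triage helper for the TDSSKiller log format posted above, added here as an example; it is not part of the thread and not TDSSKiller's own code. It pairs each "infected" verdict with the driver path and the Real/Fake md5 values from the matching "Suspicious file (Forged)" line, so the flagged file (netbt.sys here) can later be checked against what ComboFix restored. The regexes are written for this example, and the sample log is a constructed excerpt of the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes taken from the TDSSKiller log posted in this thread.  The regexes are
# written for this example; they are not part of TDSSKiller.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<rest>.*\S)\s*$")
FILE_RE = re.compile(r"^(?P<svc>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\):\s+(?P<path>.+?)\.\s+"
    r"Real md5:\s+(?P<real>[0-9a-fA-F]{32}),\s+Fake md5:\s+(?P<fake>[0-9a-fA-F]{32})$"
)
INFECTED_RE = re.compile(r"^(?P<svc>\S+)\s+\(\s*(?P<name>[^()]+?)\s*\)\s+-\s+infected$")
OK_RE = re.compile(r"^(?P<svc>\S+)\s+-\s+ok$")


@dataclass
class Finding:
    """One driver/service the scanner refused to mark 'ok'."""
    service: str
    path: Optional[str]
    detection: str
    real_md5: Optional[str] = None   # the scanner's "Real md5" for the path
    fake_md5: Optional[str] = None   # the scanner's "Fake md5" for the same path

    @property
    def hash_mismatch(self) -> bool:
        # Two different hashes for one path is the 'Forged' signal: the scanner
        # obtained different content for the file through two different read paths.
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_tdsskiller(log: str) -> Dict[str, object]:
    """Single pass over the log, attaching each verdict to the driver line before it."""
    last_file: Dict[str, Dict[str, str]] = {}   # service -> {"path", "md5"} from its scan line
    forged: Dict[str, Dict[str, str]] = {}      # path -> {"real", "fake"}
    findings: List[Finding] = []
    ok_count = 0
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                              # banner lines, blank lines, etc.
        rest = m.group("rest")
        if (f := FILE_RE.match(rest)):
            last_file[f["svc"]] = {"path": f["path"], "md5": f["md5"].lower()}
        elif (g := FORGED_RE.match(rest)):
            forged[g["path"]] = {"real": g["real"].lower(), "fake": g["fake"].lower()}
        elif (i := INFECTED_RE.match(rest)):
            info = last_file.get(i["svc"], {})
            path = info.get("path")
            hashes = forged.get(path, {}) if path else {}
            findings.append(Finding(i["svc"], path, i["name"],
                                    hashes.get("real"), hashes.get("fake")))
        elif OK_RE.match(rest):
            ok_count += 1
    return {"findings": findings, "ok": ok_count}


def triage_lines(log: str) -> List[str]:
    """Human-readable summary, one line per finding, for pasting into a reply."""
    result = parse_tdsskiller(log)
    out = [f"{result['ok']} driver(s) reported ok"]
    for fnd in result["findings"]:
        note = " (Real/Fake md5 differ: forged file)" if fnd.hash_mismatch else ""
        out.append(f"{fnd.service}: {fnd.detection} at {fnd.path}{note}")
    return out


# Constructed excerpt of the log posted above (hashes and paths as in the thread).
SAMPLE_LOG = r"""14:25:16.0421 1972 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:25:16.0421 1972 NetBIOS - ok
14:25:16.0453 1972 NetBT (56e2562fec1f630f2f6794f7442a4937) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:25:16.0453 1972 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 56e2562fec1f630f2f6794f7442a4937, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
14:25:16.0453 1972 NetBT ( Virus.Win32.ZAccess.g ) - infected
14:25:16.0453 1972 NetBT - detected Virus.Win32.ZAccess.g (0)
14:25:16.0468 1972 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:25:16.0484 1972 NIC1394 - ok
14:25:18.0609 1972 ============================================================
14:25:18.0609 1972 Scan finished
"""

if __name__ == "__main__":
    for line in triage_lines(SAMPLE_LOG):
        print(line)
```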

#8 Oh My!

  • Malware Response Instructor

Posted 18 March 2012 - 03:40 PM

Greetings sympa,

Thank you for the information. Since we are not able to locate the previous log I am going to ask you to run ComboFix now.


===================================================


Re-installing and Running Combofix in Windows XP

--------------------

I would like you to delete Combofix and then re-install it. We will then run the program again with the new copy.

  • Right click on the ComboFix Icon on your desktop and select Delete.
  • Please download ComboFix from one of these locations and save it to your desktop:

    Bleepingcomputer
    ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.

    When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • ComboFix.txt
  • Are you still experiencing redirects?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 sympa

  • Topic Starter

Posted 19 March 2012 - 10:23 AM

hi


1. It seems that the ComboFix installation does not work: the install starts directly with the window seen in the print-screen, but it does not generate other popups or dialogs.

As far as I can see it created a folder on the C drive, "3278...", which is a sort of clone of the My Computer root folder, but other than that nothing.

2. Redirects are still active.

I am attaching the print-screen.

Edited by sympa, 20 March 2012 - 01:47 AM.


#10 Oh My!

  • Malware Response Instructor

Posted 19 March 2012 - 04:26 PM

Greetings sympa,


We are going to try to run Combofix again but this time adding a step to stop any processes that might be trying to interfere with it.

Please follow the instructions closely. I am going to have you delete ComboFix again. If you have any other copies besides the one on your desktop they must be deleted as well.


===================================================


Rkill

-------------------

Please download Rkill by Grinler from one of the 4 links below:

  • Before we begin, you should disable any anti-malware software you have installed and running so it does not interfere with Rkill, as some anti-malware software detects Rkill as malicious.
    • Please refer to this page if you are not sure how.
  • Double-click on Rkill.
    • Note: You may have to run Rkill a few times before it is successful.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • Do not reboot your computer before performing the next step, as the malware programs will start again.

===================================================


Re-installing and Running Combofix

--------------------

  • Right click on the ComboFix Icon on your desktop and select Delete (along with any other copies)
  • Please download ComboFix from one of these locations and save it to your desktop:

    Bleepingcomputer

    ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe.
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • How is your machine running?

Gary
 

#11 sympa

  • Topic Starter

Posted 20 March 2012 - 01:55 AM

Greetings Oh My


I ran Rkill a few times; it always finishes successfully, creating a log in the root of the C drive.
I deleted ComboFix and downloaded a new one, but the behavior is the same as yesterday: it keeps writing, over and over again, that folder "32788R22FWJFW" on the C drive (which is a sort of clone of the My Computer root folder).

#12 Oh My!

  • Malware Response Instructor

Posted 20 March 2012 - 10:05 PM

Greetings sympa,


Thank you for your patience and efforts. There is a reason for all these steps. The way we run Combofix is important. When one thing does not work, we make an adjustment to try to get it to run, but that adjustment can create some limitations in what ComboFix evaluates and reports. These steps allow us to try to get ComboFix to run in the most powerful way possible.

Please pay particular attention to how far ComboFix progresses (which stage does it get to?). If it appears ComboFix has stalled, check to see if your computer clock is running. If so, most likely ComboFix is still working. Please give it more time. If it seems like it didn't complete successfully, restart your computer and check to see if there is a file located at C:\ComboFix.txt. If that file exists please copy and paste the contents in your reply.


===================================================


We want to make sure we are not dealing with a compromised ComboFix download so please right click the ComboFix icon on your desktop and select Delete.


===================================================


Running ComboFix /killall

--------------------

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Press the Windows key + R on your keyboard at the same time
  • Copy and paste the below information in the run box, including the quotation marks

    "%userprofile%\desktop\combofix.exe" /killall

  • Press Enter
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • ComboFix.txt
  • How is your machine running?

Gary
 

#13 sympa

  • Topic Starter

Posted 23 March 2012 - 02:44 AM

hi

It looks like the same behavior as before: when I run ComboFix the green progress bar gets to the end, but aside from that loop folder which it creates on the C drive, nothing else is produced, no log file.
I waited about 15 minutes and then restarted, but no log file was produced.

#14 Oh My!

  • Malware Response Instructor

Posted 23 March 2012 - 10:18 AM

Greetings sympa,


It is not uncommon for ComboFix to take an extended period of time to run, depending on the state of the computer. I would like you to try it again with the /killall switch. This time, if it appears as if it is not running, please check to see if your computer clock is running (lower right hand corner). If that is running, then so is ComboFix.

If your computer freezes and neither ComboFix nor your computer clock is running, then please try this.


===================================================


ComboFix in Safe Mode

--------------------

Restart your computer.

  • Gently tap the F8 key repeatedly until you are presented with a Windows Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter on your keyboard to boot into Safe Mode
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • ComboFix.txt

Gary
 

#15 sympa

  • Topic Starter

Posted 26 March 2012 - 08:53 AM

greetings Oh My

Running ComboFix in Safe Mode with the kill switch worked and produced the needed file.


ComboFix 12-03-22.01 - Tizian 26.03.2012 13:09:51.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2848 [GMT 3:00]
Running from: c:\documents and settings\Tizian\desktop\combofix.exe
Command switches used :: /killall
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\000000c0.@
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\000000cb.$
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\000000cf.$
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\80000000.$
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\800000c0.$
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\800000cb.$
c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d\U\800000cf.$
c:\recycled\Recycled
c:\windows\$NtUninstallKB1231$
c:\windows\$NtUninstallKB1231$\2856566324
c:\windows\$NtUninstallKB1231$\3598527821\@
c:\windows\$NtUninstallKB1231$\3598527821\L\ueaodaar
c:\windows\$NtUninstallKB1231$\3598527821\loader.tlb
c:\windows\$NtUninstallKB1231$\3598527821\U\@00000001
c:\windows\$NtUninstallKB1231$\3598527821\U\@000000c0
c:\windows\$NtUninstallKB1231$\3598527821\U\@000000cb
c:\windows\$NtUninstallKB1231$\3598527821\U\@000000cf
c:\windows\$NtUninstallKB1231$\3598527821\U\@80000000
c:\windows\$NtUninstallKB1231$\3598527821\U\@800000c0
c:\windows\$NtUninstallKB1231$\3598527821\U\@800000cb
c:\windows\$NtUninstallKB1231$\3598527821\U\@800000cf
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\dds_log_ad13.cmd
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\MRV6X32P.dll
c:\windows\system32\winlogon.bak
c:\windows\Temp\_ex-08.exe
c:\windows\Temp\_ex-68.exe
.
Infected copy of c:\windows\system32\drivers\ati2mtag.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\DRIVERS\mrxsmb.sys was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_usbatapi2000
-------\Service_usbatapi2000
.
.
((((((((((((((((((((((((( Files Created from 2012-02-26 to 2012-03-26 )))))))))))))))))))))))))))))))
.
.
2012-03-10 18:52 . 2012-03-10 18:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-10 11:47 . 2012-03-10 11:47 -------- d-----w- c:\program files\Orban
2012-03-10 11:24 . 2012-03-19 14:41 -------- d-----w- c:\documents and settings\Admin
2012-03-10 11:19 . 2012-03-10 11:19 -------- d-----w- c:\documents and settings\Tizian\Local Settings\Application Data\COMODO
2012-03-09 12:25 . 2012-03-09 12:25 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-09 09:23 . 2012-03-09 09:23 -------- d-----w- c:\program files\CCleaner
2012-03-09 09:15 . 2012-03-09 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2012-03-09 09:15 . 2012-03-09 09:15 -------- d-----w- c:\program files\COMODO
2012-02-27 16:05 . 2012-02-27 16:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-02-27 12:43 . 2012-03-26 10:13 -------- d-sh--w- c:\documents and settings\Tizian\Local Settings\Application Data\d67d2d4d
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-10 18:52 . 2010-05-25 08:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-09 18:33 . 2011-06-14 18:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 12:26 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-03 09:22 . 2005-10-06 00:06 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-17 21:00 . 2011-12-19 16:59 494968 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-01-11 19:06 . 2012-02-16 12:01 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-02-20 14:24 139784 ----a-r- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-20 6676808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\COMODO\\COMODO Internet Security\\cfpupdat.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
.
R0 firedrv;Generic OHCILynx-1394 (intek);c:\windows\system32\drivers\firedrv.sys [16.11.2007 10:56 103528]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [19.12.2011 19:59 18056]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [19.12.2011 19:59 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19.12.2011 19:59 31704]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [20.06.2011 11:03 2337144]
S2 gupdate;Serviciul Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07.03.2011 18:08 136176]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [07.03.2011 18:08 136176]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
usbatapi2000
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 15:08]
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-07 15:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=8
mStart Page = hxxp://www.yahoo.com/?ilc=8
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
Toolbar-Locked - (no file)
SafeBoot-07241534.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-26 13:15
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(736)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-26 13:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-26 10:17
.
Pre-Run: 28.373.704.704 bytes free
Post-Run: 29.593.063.424 bytes free
.
- - End Of File - - DD3FBF3ED74585B8BB15EF6EF27C0DCF



