
Rootkit Infection


Hello, first of all I want to say how great it is of the admins here to help those of us less knowledgeable folk. I'm posting because for a week now I continually get alerts of both Tidserv and ZeroAccess rootkit infections. I've downloaded and run the specialized fixes from ComboFix, TDSSKiller, and NAV. Only ComboFix helped briefly with the symptoms, but I'm unable to get rid of the malware. Per instructions, I won't post any log results unless/until you request me to do so.

Thanks in advance for any help!

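Editor's added example (not part of either post in this thread, and not code from ComboFix, TDSSKiller or Norton). The ComboFix log posted below carries two textbook ZeroAccess indicators that are worth being able to spot without waiting for a tool to name them: a fake hotfix directory, c:\windows\$NtUninstallKB23364$, holding an "@" file plus "U" and "L" subdirectories (catchme also reports a hidden alternate data stream on that directory), and a live driver, c:\windows\system32\drivers\ipsec.sys, whose MD5 (19DD19FB...) matches none of the signed 5.1.2600.5512 copies in dllcache, ServicePackFiles\i386 and ERDNT\cache even though the size is identical (75264 bytes). A Microsoft update refreshes dllcache as well, so a live file that differs from every pristine copy while keeping its size is consistent with a driver overwritten in place. The script runs both checks over lines copied from that log. Two assumptions are not documented on this page and are labelled as such in the code: the Sigcheck tag is read only as "[-]" = no recognised signature, anything else = signed, and the "KB number shorter than six digits" test is a heuristic.

```python
"""Triage two ZeroAccess indicators in a ComboFix log.

Added editorial example: not from the original thread, and not code shipped
with ComboFix, TDSSKiller or Norton. The sample lines are copied from the log
posted in this thread. Assumptions: the Sigcheck tag is read only as
'[-]' = no recognised signature, anything else = signed; the 'KB number
shorter than six digits' test is a heuristic, not a documented rule.
"""
import re
from collections import defaultdict

# One Sigcheck row: [tag] date [hh:mm] . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<date>\S+(?:\s+\d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# Where Windows XP keeps pristine copies of a protected system file.
BACKUP_DIRS = ("\\dllcache\\", "\\servicepackfiles\\i386\\", "\\erdnt\\cache\\")
LIVE_DIRS = ("\\system32\\drivers\\", "\\system32\\")
# $NtUninstallKB<digits>$ directory component, case-insensitive.
FAKE_HOTFIX_DIR = re.compile(r"\\\$ntuninstallkb(\d+)\$\\", re.I)

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB23364$\1177232323
c:\windows\$NtUninstallKB23364$\3155683155\@
c:\windows\$NtUninstallKB23364$\3155683155\cfg.ini
c:\windows\$NtUninstallKB23364$\3155683155\L\fmlqknoz
c:\windows\$NtUninstallKB23364$\3155683155\U\00000001.@
c:\windows\$NtUninstallKB23364$\3155683155\U\80000032.@
[7] 2012-02-08 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys
[7] 2012-02-08 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2012-02-08 22:18 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
""".strip().splitlines()


def parse_sigcheck(lines):
    """Extract every Sigcheck row into a dict; other lines are ignored."""
    rows = []
    for line in lines:
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["md5"] = row["md5"].upper()
            row["size"] = int(row["size"])
            row["path"] = row["path"].lower()
            rows.append(row)
    return rows


def find_patched_drivers(rows):
    """Flag a live system file whose MD5 matches none of its same-sized backup
    copies: a file differing from every pristine copy while keeping its size
    points to an in-place overwrite rather than an update."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["path"].rsplit("\\", 1)[-1]].append(r)
    findings = []
    for name, group in by_name.items():
        backups = [r for r in group if any(d in r["path"] for d in BACKUP_DIRS)]
        live = [r for r in group if r not in backups
                and any(d in r["path"] for d in LIVE_DIRS)]
        for cur in live:
            peers = [b for b in backups if b["size"] == cur["size"]]
            if peers and all(b["md5"] != cur["md5"] for b in peers):
                findings.append({
                    "file": name,
                    "live_path": cur["path"],
                    "live_md5": cur["md5"],
                    "unsigned": cur["tag"].strip() == "-",  # assumption on tag
                    "expected_md5": sorted({b["md5"] for b in peers}),
                })
    return findings


def find_zeroaccess_dirs(lines):
    """Group paths by their $NtUninstallKB<n>$ root and report roots showing
    the ZeroAccess layout: an '@' file plus 'U' and 'L' subdirectories."""
    members = defaultdict(set)
    kb_digits = {}
    for line in lines:
        m = FAKE_HOTFIX_DIR.search(line)
        if m:
            root = line[: m.end()].lower()
            members[root].add("\\" + line[m.end():].strip().lower())
            kb_digits[root] = m.group(1)
    findings = []
    for root, rest in members.items():
        has_at = any(p.endswith("\\@") for p in rest)
        has_u = any("\\u\\" in p for p in rest)
        has_l = any("\\l\\" in p for p in rest)
        if has_at and has_u and has_l:
            findings.append({"dir": root,
                             "short_kb_number": len(kb_digits[root]) < 6})  # heuristic
    return findings


def triage(lines):
    """Run both checks over raw log lines and return the findings."""
    return {
        "patched_drivers": find_patched_drivers(parse_sigcheck(lines)),
        "zeroaccess_dirs": find_zeroaccess_dirs(lines),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key)
        for h in hits:
            print("  ", h)
```

On the sample the script reports ipsec.sys as an unsigned live driver whose expected MD5 is 23C74D75E36E7158768DD63D92789A91, and the $NtUninstallKB23364$ directory as carrying the ZeroAccess layout with a five-digit KB number. The same comparison can be done by hand on any ComboFix Sigcheck block: a "[-]" row under system32\drivers sitting next to "[7]" rows of equal size in dllcache or ServicePackFiles is the thing to look for.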

Thanks, Elise. I have pasted the contents of both logs below. Let me know if you prefer I just attach text files in the future.

ComboFix 12-02-10.01 - Billy 02/10/2012 11:14:48.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1513 [GMT -5:00]

Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB23364$\1177232323

c:\windows\$NtUninstallKB23364$\3155683155\@

c:\windows\$NtUninstallKB23364$\3155683155\cfg.ini

c:\windows\$NtUninstallKB23364$\3155683155\Desktop.ini

c:\windows\$NtUninstallKB23364$\3155683155\L\fmlqknoz

c:\windows\$NtUninstallKB23364$\3155683155\U\00000001.@

c:\windows\$NtUninstallKB23364$\3155683155\U\00000002.@

c:\windows\$NtUninstallKB23364$\3155683155\U\00000004.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000000.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000004.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000032.@

c:\windows\$NtUninstallKB23364$\3155683155\version

.

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))

.

.

2012-02-10 16:14 . 2012-02-10 16:14 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2012-02-10 16:14 . 2012-02-10 16:14 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2012-02-10 16:14 . 2012-02-10 16:14 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2012-02-10 16:14 . 2012-02-10 16:14 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2012-02-10 16:14 . 2012-02-10 16:14 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2012-02-10 16:14 . 2012-02-10 16:14 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2012-02-10 16:14 . 2012-02-10 16:14 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2012-02-10 16:14 . 2012-02-10 16:14 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2012-02-10 16:14 . 2012-02-10 16:14 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2012-02-10 16:14 . 2012-02-10 16:14 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2012-02-10 16:14 . 2012-02-10 16:14 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2012-02-10 16:14 . 2012-02-10 16:14 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2012-02-10 16:13 . 2012-02-10 16:13 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2012-02-10 16:13 . 2012-02-10 16:13 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2012-02-10 16:13 . 2012-02-10 16:13 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2012-02-10 16:13 . 2012-02-10 16:13 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

2012-02-10 16:13 . 2012-02-10 16:13 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys

2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys

2012-02-10 04:23 . 2012-02-08 22:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-02-08 22:15 . 2012-02-08 22:38 -------- d-----w- C:\TDSSKiller_Quarantine

2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help

2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec

2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller

2012-02-05 19:55 . 2012-02-10 15:30 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod

2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe

2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe

2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll

2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2012-02-08 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys

[7] 2012-02-08 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys

[-] 2012-02-08 22:18 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys

[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys

[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys

.

[7] 2012-02-08 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ipsec.sys

[7] 2012-02-08 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys

[-] 2012-02-08 22:18 . 19DD19FB992D6BF67811913B6FEAE577 . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys

[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys

[7] 2004-08-03 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys

.

((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll

+ 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]

"000StTHK"="000StTHK.exe" [2001-06-23 24576]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]

"TPSMain"="TPSMain.exe" [2006-07-27 315392]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"Citi Virtual Account Numbers"="c:\progra~1\VIRTUA~1\CitiVAN.exe" [2007-12-07 270336]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]

2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"1220:TCP"= 1220:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\SYMDS.SYS [2011-07-26 340088]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\SYMEFA.SYS [2011-11-24 905336]

S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2007-04-27 21120]

S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-09-04 6528]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2012-01-21 820344]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccSetx86.sys [2011-11-04 132744]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\Ironx86.SYS [2011-11-17 149624]

S1 TMEI3E;TMEI3E;c:\windows\system32\Drivers\TMEI3E.SYS [2004-06-16 5888]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-04-14 14336]

S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-06 13568]

S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-06 33024]

S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-11-03 27016]

S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-11-03 497280]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe [2011-11-30 138248]

S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2006-05-06 3456]

S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\DRIVERS\tdudf.sys [2007-03-26 105856]

S2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\Tmesrv31.exe [2005-12-14 126976]

S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\DRIVERS\trudf.sys [2007-02-19 134016]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-07 106104]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSxpx86.sys [2012-02-03 356280]

S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-01-23 36608]

S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\DRIVERS\TEchoCan.sys [2007-02-22 435072]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

USRpdA

MTDVC2_ENUM

lxbt_device

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44]

.

2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: lextranet.com\v5

TCP: DhcpNameServer = 207.69.188.185 207.69.188.186

DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-10 11:28

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\$NtUninstallKB23364$:SummaryInformation 0 bytes hidden from API

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(616)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\crypto.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCP80.dll

.

- - - - - - - > 'lsass.exe'(672)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(2328)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\program files\TOSHIBA\TME3\TMEEJMD.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Protector Suite QL\mysafe.dll

c:\program files\Protector Suite QL\infra.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\TPwrCfg.DLL

c:\windows\system32\TPwrReg.dll

c:\windows\system32\TPSTrace.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\TFNF5.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

c:\program files\Protector Suite QL\psqltray.exe

c:\windows\system32\thpsrv.exe

c:\windows\system32\TPSMain.exe

c:\windows\system32\TPSBattM.exe

c:\windows\system32\OBroker.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\windows\system32\ThpSrv.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\program files\TOSHIBA\TME3\TMEEJME.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\SearchIndexer.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\SearchProtocolHost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2012-02-10 11:29:32 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-10 16:29

ComboFix2.txt 2012-02-10 05:40

ComboFix3.txt 2012-02-10 00:41

ComboFix4.txt 2012-02-09 22:16

ComboFix5.txt 2012-02-10 05:47

.

Pre-Run: 89,199,890,432 bytes free

Post-Run: 89,200,394,240 bytes free

.

- - End Of File - - 8712EBE29334FC082C87FEA76CE317E2

17:14:33.0093 2916 TDSS rootkit removing tool 2.7.10.0 Feb 7 2012 15:14:46

17:14:33.0609 2916 ============================================================

17:14:33.0609 2916 Current date / time: 2012/02/08 17:14:33.0609

17:14:33.0609 2916 SystemInfo:

17:14:33.0609 2916

17:14:33.0609 2916 OS Version: 5.1.2600 ServicePack: 3.0

17:14:33.0609 2916 Product type: Workstation

17:14:33.0609 2916 ComputerName: WBS

17:14:33.0609 2916 UserName: Billy

17:14:33.0609 2916 Windows directory: C:\WINDOWS

17:14:33.0609 2916 System windows directory: C:\WINDOWS

17:14:33.0609 2916 Processor architecture: Intel x86

17:14:33.0609 2916 Number of processors: 2

17:14:33.0609 2916 Page size: 0x1000

17:14:33.0609 2916 Boot type: Normal boot

17:14:33.0609 2916 ============================================================

17:14:34.0265 2916 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

17:14:34.0265 2916 \Device\Harddisk0\DR0:

17:14:34.0265 2916 MBR used

17:14:34.0265 2916 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x120FEEB0

17:14:34.0312 2916 Initialize success

17:14:34.0312 2916 ============================================================

17:14:54.0515 5144 ============================================================

17:14:54.0515 5144 Scan started

17:14:54.0515 5144 Mode: Manual;

17:14:54.0515 5144 ============================================================

17:14:55.0468 5144 Abiosdsk - ok

17:14:55.0484 5144 abp480n5 - ok

17:14:55.0531 5144 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

17:14:55.0546 5144 ACPI - ok

17:14:55.0593 5144 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

17:14:55.0593 5144 ACPIEC - ok

17:14:55.0609 5144 adpu160m - ok

17:14:55.0656 5144 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

17:14:55.0656 5144 aec - ok

17:14:55.0718 5144 AegisP (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys

17:14:55.0718 5144 AegisP - ok

17:14:55.0765 5144 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

17:14:55.0781 5144 AFD - ok

17:14:55.0875 5144 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

17:14:55.0906 5144 AgereSoftModem - ok

17:14:56.0000 5144 Aha154x - ok

17:14:56.0015 5144 aic78u2 - ok

17:14:56.0031 5144 aic78xx - ok

17:14:56.0062 5144 AliIde - ok

17:14:56.0078 5144 amsint - ok

17:14:56.0125 5144 ApfiltrService (3ed81e8b4709d13e5a38db2d8e792b28) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

17:14:56.0125 5144 ApfiltrService - ok

17:14:56.0156 5144 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

17:14:56.0156 5144 Arp1394 - ok

17:14:56.0171 5144 asc - ok

17:14:56.0187 5144 asc3350p - ok

17:14:56.0203 5144 asc3550 - ok

17:14:56.0250 5144 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

17:14:56.0250 5144 AsyncMac - ok

17:14:56.0281 5144 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

17:14:56.0281 5144 atapi - ok

17:14:56.0296 5144 Atdisk - ok

17:14:56.0328 5144 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

17:14:56.0328 5144 Atmarpc - ok

17:14:56.0375 5144 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

17:14:56.0375 5144 audstub - ok

17:14:56.0390 5144 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

17:14:56.0390 5144 Beep - ok

17:14:56.0593 5144 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120121.002\BHDrvx86.sys

17:14:56.0593 5144 BHDrvx86 - ok

17:14:56.0718 5144 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

17:14:56.0718 5144 cbidf2k - ok

17:14:56.0781 5144 ccSet_NAV (599e7f6259a127c174c49938d2aa6a60) C:\WINDOWS\system32\drivers\NAV\1305000.091\ccSetx86.sys

17:14:56.0781 5144 ccSet_NAV - ok

17:14:56.0796 5144 cd20xrnt - ok

17:14:56.0843 5144 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

17:14:56.0843 5144 Cdaudio - ok

17:14:56.0890 5144 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

17:14:56.0890 5144 Cdfs - ok

17:14:56.0921 5144 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

17:14:56.0921 5144 Cdrom - ok

17:14:56.0968 5144 Changer - ok

17:14:57.0000 5144 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

17:14:57.0000 5144 CmBatt - ok

17:14:57.0000 5144 CmdIde - ok

17:14:57.0015 5144 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

17:14:57.0015 5144 Compbatt - ok

17:14:57.0031 5144 Cpqarray - ok

17:14:57.0046 5144 dac2w2k - ok

17:14:57.0062 5144 dac960nt - ok

17:14:57.0078 5144 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

17:14:57.0078 5144 Disk - ok

17:14:57.0125 5144 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

17:14:57.0140 5144 dmboot - ok

17:14:57.0156 5144 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

17:14:57.0156 5144 dmio - ok

17:14:57.0171 5144 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

17:14:57.0171 5144 dmload - ok

17:14:57.0281 5144 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

17:14:57.0281 5144 DMusic - ok

17:14:57.0296 5144 dpti2o - ok

17:14:57.0328 5144 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

17:14:57.0328 5144 drmkaud - ok

17:14:57.0375 5144 e1express (8942419786970adb32b05bb7950aee72) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

17:14:57.0390 5144 e1express - ok

17:14:57.0546 5144 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

17:14:57.0562 5144 eeCtrl - ok

17:14:57.0578 5144 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

17:14:57.0578 5144 EraserUtilRebootDrv - ok

17:14:57.0640 5144 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

17:14:57.0640 5144 Fastfat - ok

17:14:57.0687 5144 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

17:14:57.0687 5144 Fdc - ok

17:14:57.0734 5144 FdRedir (3314f3134ac59771a133a0cd3d343fff) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys

17:14:57.0734 5144 FdRedir - ok

17:14:57.0750 5144 FileDisk2 (7b33f094a7a42a0225c344f5b25b1b05) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys

17:14:57.0750 5144 FileDisk2 - ok

17:14:57.0765 5144 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

17:14:57.0765 5144 Fips - ok

17:14:57.0781 5144 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

17:14:57.0796 5144 Flpydisk - ok

17:14:57.0812 5144 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

17:14:57.0812 5144 FltMgr - ok

17:14:57.0875 5144 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

17:14:57.0875 5144 fssfltr - ok

17:14:58.0031 5144 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

17:14:58.0031 5144 Fs_Rec - ok

17:14:58.0046 5144 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

17:14:58.0046 5144 Ftdisk - ok

17:14:58.0109 5144 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

17:14:58.0109 5144 GEARAspiWDM - ok

17:14:58.0125 5144 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

17:14:58.0125 5144 Gpc - ok

17:14:58.0171 5144 guardian2 (7031a936832967a93b0e5d5f1c76745a) C:\WINDOWS\system32\Drivers\oz776.sys

17:14:58.0171 5144 guardian2 - ok

17:14:58.0203 5144 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

17:14:58.0203 5144 HDAudBus - ok

17:14:58.0218 5144 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

17:14:58.0234 5144 HidUsb - ok

17:14:58.0250 5144 hpn - ok

17:14:58.0296 5144 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

17:14:58.0312 5144 HTTP - ok

17:14:58.0328 5144 i2omgmt - ok

17:14:58.0328 5144 i2omp - ok

17:14:58.0343 5144 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

17:14:58.0343 5144 i8042prt - ok

17:14:58.0546 5144 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

17:14:58.0640 5144 ialm - ok

17:14:58.0781 5144 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys

17:14:58.0781 5144 iaStor - ok

17:14:58.0937 5144 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120207.005\IDSxpx86.sys

17:14:58.0937 5144 IDSxpx86 - ok

17:14:58.0953 5144 IFXTPM (2cdf483f8fc2bf3f7b93e3bdd734cfbd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS

17:14:58.0953 5144 IFXTPM - ok

17:14:58.0984 5144 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

17:14:58.0984 5144 Imapi - ok

17:14:59.0015 5144 ini910u - ok

17:14:59.0203 5144 IntcAzAudAddService (474d59c18652c8ef0151a9efae9ee619) C:\WINDOWS\system32\drivers\RtkHDAud.sys

17:14:59.0343 5144 IntcAzAudAddService - ok

17:14:59.0437 5144 IntelIde - ok

17:14:59.0484 5144 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

17:14:59.0500 5144 intelppm - ok

17:14:59.0515 5144 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

17:14:59.0515 5144 Ip6Fw - ok

17:14:59.0562 5144 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

17:14:59.0562 5144 IpFilterDriver - ok

17:14:59.0609 5144 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

17:14:59.0609 5144 IpInIp - ok

17:14:59.0640 5144 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

17:14:59.0640 5144 IpNat - ok

17:14:59.0687 5144 IPSec (ac7006a9d7e13de5bf41a4a8762d2336) C:\WINDOWS\system32\DRIVERS\ipsec.sys

17:14:59.0687 5144 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: ac7006a9d7e13de5bf41a4a8762d2336, Fake md5: 23c74d75e36e7158768dd63d92789a91

17:14:59.0687 5144 IPSec ( Virus.Win32.ZAccess.k ) - infected

17:14:59.0687 5144 IPSec - detected Virus.Win32.ZAccess.k (0)

17:14:59.0718 5144 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

17:14:59.0718 5144 IRENUM - ok

17:14:59.0765 5144 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

17:14:59.0765 5144 isapnp - ok

17:14:59.0875 5144 ISWKL (08a811bfd207dfdec588881c18bacbaa) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys

17:14:59.0875 5144 ISWKL - ok

17:14:59.0890 5144 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

17:14:59.0890 5144 Kbdclass - ok

17:14:59.0921 5144 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

17:14:59.0921 5144 kbdhid - ok

17:15:00.0031 5144 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

17:15:00.0031 5144 kmixer - ok

17:15:00.0078 5144 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

17:15:00.0078 5144 KSecDD - ok

17:15:00.0093 5144 lbrtfdc - ok

17:15:00.0140 5144 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

17:15:00.0140 5144 mnmdd - ok

17:15:00.0171 5144 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

17:15:00.0171 5144 Modem - ok

17:15:00.0187 5144 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

17:15:00.0187 5144 Mouclass - ok

17:15:00.0234 5144 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

17:15:00.0234 5144 mouhid - ok

17:15:00.0265 5144 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

17:15:00.0265 5144 MountMgr - ok

17:15:00.0281 5144 mraid35x - ok

17:15:00.0312 5144 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

17:15:00.0312 5144 MRxDAV - ok

17:15:00.0375 5144 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

17:15:00.0375 5144 MRxSmb - ok

17:15:00.0390 5144 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

17:15:00.0390 5144 Msfs - ok

17:15:00.0437 5144 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

17:15:00.0437 5144 MSKSSRV - ok

17:15:00.0453 5144 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

17:15:00.0453 5144 MSPCLOCK - ok

17:15:00.0453 5144 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

17:15:00.0453 5144 MSPQM - ok

17:15:00.0500 5144 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

17:15:00.0500 5144 mssmbios - ok

17:15:00.0531 5144 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

17:15:00.0546 5144 Mup - ok

17:15:00.0734 5144 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120207.033\NAVENG.SYS

17:15:00.0734 5144 NAVENG - ok

17:15:00.0796 5144 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120207.033\NAVEX15.SYS

17:15:00.0812 5144 NAVEX15 - ok

17:15:00.0953 5144 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

17:15:00.0953 5144 NDIS - ok

17:15:01.0015 5144 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

17:15:01.0015 5144 NdisTapi - ok

17:15:01.0031 5144 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

17:15:01.0031 5144 Ndisuio - ok

17:15:01.0046 5144 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

17:15:01.0062 5144 NdisWan - ok

17:15:01.0109 5144 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

17:15:01.0109 5144 NDProxy - ok

17:15:01.0125 5144 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

17:15:01.0125 5144 NetBIOS - ok

17:15:01.0156 5144 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

17:15:01.0171 5144 NetBT - ok

17:15:01.0203 5144 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys

17:15:01.0203 5144 Netdevio - ok

17:15:01.0328 5144 NETw4x32 (a9574f52e2fd5c1c1b4807a326e0488f) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys

17:15:01.0390 5144 NETw4x32 - ok

17:15:01.0515 5144 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

17:15:01.0515 5144 NIC1394 - ok

17:15:01.0562 5144 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

17:15:01.0562 5144 Npfs - ok

17:15:01.0593 5144 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

17:15:01.0609 5144 Ntfs - ok

17:15:01.0671 5144 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys

17:15:01.0671 5144 NuidFltr - ok

17:15:01.0718 5144 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

17:15:01.0718 5144 Null - ok

17:15:01.0750 5144 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

17:15:01.0750 5144 NwlnkFlt - ok

17:15:01.0781 5144 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

17:15:01.0781 5144 NwlnkFwd - ok

17:15:01.0796 5144 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

17:15:01.0812 5144 ohci1394 - ok

17:15:01.0843 5144 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

17:15:01.0843 5144 Parport - ok

17:15:01.0859 5144 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

17:15:01.0859 5144 PartMgr - ok

17:15:01.0890 5144 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

17:15:01.0890 5144 ParVdm - ok

17:15:01.0906 5144 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

17:15:01.0906 5144 PCI - ok

17:15:01.0906 5144 PCIDump - ok

17:15:01.0921 5144 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

17:15:01.0921 5144 PCIIde - ok

17:15:01.0937 5144 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

17:15:01.0937 5144 Pcmcia - ok

17:15:01.0953 5144 PDCOMP - ok

17:15:01.0968 5144 PDFRAME - ok

17:15:01.0968 5144 PDRELI - ok

17:15:01.0984 5144 PDRFRAME - ok

17:15:02.0000 5144 perc2 - ok

17:15:02.0015 5144 perc2hib - ok

17:15:02.0046 5144 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

17:15:02.0046 5144 PptpMiniport - ok

17:15:02.0062 5144 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

17:15:02.0062 5144 PSched - ok

17:15:02.0078 5144 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

17:15:02.0078 5144 Ptilink - ok

17:15:02.0093 5144 ql1080 - ok

17:15:02.0093 5144 Ql10wnt - ok

17:15:02.0109 5144 ql12160 - ok

17:15:02.0125 5144 ql1240 - ok

17:15:02.0140 5144 ql1280 - ok

17:15:02.0156 5144 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

17:15:02.0156 5144 RasAcd - ok

17:15:02.0171 5144 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

17:15:02.0171 5144 Rasl2tp - ok

17:15:02.0296 5144 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

17:15:02.0296 5144 RasPppoe - ok

17:15:02.0296 5144 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

17:15:02.0296 5144 Raspti - ok

17:15:02.0343 5144 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

17:15:02.0343 5144 Rdbss - ok

17:15:02.0359 5144 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

17:15:02.0359 5144 RDPCDD - ok

17:15:02.0375 5144 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

17:15:02.0375 5144 rdpdr - ok

17:15:02.0421 5144 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

17:15:02.0437 5144 RDPWD - ok

17:15:02.0468 5144 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

17:15:02.0468 5144 redbook - ok

17:15:02.0531 5144 s24trans (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys

17:15:02.0531 5144 s24trans - ok

17:15:02.0578 5144 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

17:15:02.0578 5144 sdbus - ok

17:15:02.0640 5144 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

17:15:02.0640 5144 Secdrv - ok

17:15:02.0656 5144 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

17:15:02.0656 5144 serenum - ok

17:15:02.0671 5144 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

17:15:02.0671 5144 Serial - ok

17:15:02.0718 5144 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

17:15:02.0718 5144 Sfloppy - ok

17:15:02.0734 5144 Simbad - ok

17:15:02.0843 5144 smihlp (94eede27fd7d46707be49127922695a7) C:\Program Files\Protector Suite QL\smihlp.sys

17:15:02.0843 5144 smihlp - ok

17:15:02.0875 5144 Sparrow - ok

17:15:02.0890 5144 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

17:15:02.0890 5144 splitter - ok

17:15:02.0937 5144 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

17:15:02.0937 5144 sr - ok

17:15:02.0953 5144 srescan - ok

17:15:03.0031 5144 SRTSP (c16d048faf2978d2121f9f40594a6bdc) C:\WINDOWS\System32\Drivers\NAV\1305000.091\SRTSP.SYS

17:15:03.0046 5144 SRTSP - ok

17:15:03.0156 5144 SRTSPX (f0d02c2e25970c9c72a5cd278c17cdb6) C:\WINDOWS\system32\drivers\NAV\1305000.091\SRTSPX.SYS

17:15:03.0156 5144 SRTSPX - ok

17:15:03.0218 5144 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

17:15:03.0218 5144 Srv - ok

17:15:03.0265 5144 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

17:15:03.0265 5144 swenum - ok

17:15:03.0281 5144 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

17:15:03.0281 5144 swmidi - ok

17:15:03.0296 5144 symc810 - ok

17:15:03.0312 5144 symc8xx - ok

17:15:03.0359 5144 SymDS (690fa0e61b90084c4d9a721bd4f3d779) C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMDS.SYS

17:15:03.0359 5144 SymDS - ok

17:15:03.0406 5144 SymEFA (4e55148a2e044d02245cbcdbb266b98c) C:\WINDOWS\system32\drivers\NAV\1305000.091\SYMEFA.SYS

17:15:03.0421 5144 SymEFA - ok

17:15:03.0453 5144 SymEvent (74e2521e96176a4449570e50be91954d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

17:15:03.0453 5144 SymEvent - ok

17:15:03.0468 5144 SymIM - ok

17:15:03.0484 5144 SymIMMP - ok

17:15:03.0546 5144 SymIRON (2c356cca706505cf63cbe39d532b9236) C:\WINDOWS\system32\drivers\NAV\1305000.091\Ironx86.SYS

17:15:03.0546 5144 SymIRON - ok

17:15:03.0687 5144 SYMTDI (508bd882040f9cb12319e3a4fc78edb9) C:\WINDOWS\System32\Drivers\NAV\1305000.091\SYMTDI.SYS

17:15:03.0687 5144 SYMTDI - ok

17:15:03.0703 5144 sym_hi - ok

17:15:03.0718 5144 sym_u3 - ok

17:15:03.0765 5144 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

17:15:03.0765 5144 sysaudio - ok

17:15:03.0781 5144 tbiosdrv - ok

17:15:03.0843 5144 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

17:15:03.0859 5144 Tcpip - ok

17:15:03.0921 5144 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys

17:15:03.0921 5144 TcUsb - ok

17:15:03.0968 5144 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys

17:15:03.0968 5144 tdcmdpst - ok

17:15:04.0015 5144 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

17:15:04.0015 5144 TDPIPE - ok

17:15:04.0140 5144 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

17:15:04.0140 5144 TDTCP - ok

17:15:04.0171 5144 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys

17:15:04.0171 5144 tdudf - ok

17:15:04.0218 5144 TEchoCan (65855534483d0c1330703100b31cac00) C:\WINDOWS\system32\DRIVERS\TEchoCan.sys

17:15:04.0234 5144 TEchoCan - ok

17:15:04.0265 5144 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

17:15:04.0265 5144 TermDD - ok

17:15:04.0296 5144 Thpdrv (8f26e2f303693f77e3c3a406afc45e52) C:\WINDOWS\system32\DRIVERS\thpdrv.sys

17:15:04.0296 5144 Thpdrv - ok

17:15:04.0328 5144 Thpevm (beeca51c9ef368a1038e455278e4715e) C:\WINDOWS\system32\DRIVERS\Thpevm.SYS

17:15:04.0328 5144 Thpevm - ok

17:15:04.0390 5144 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys

17:15:04.0390 5144 tifm21 - ok

17:15:04.0421 5144 TMEI3E (684bfb1e9abb05d3f48c53f3cd16a3e6) C:\WINDOWS\system32\Drivers\TMEI3E.SYS

17:15:04.0421 5144 TMEI3E - ok

17:15:04.0453 5144 TosIde - ok

17:15:04.0468 5144 Tosrfcom - ok

17:15:04.0484 5144 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\WINDOWS\system32\DRIVERS\tosrfec.sys

17:15:04.0484 5144 tosrfec - ok

17:15:04.0500 5144 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys

17:15:04.0515 5144 trudf - ok

17:15:04.0531 5144 TVALZ (73d3312955f805054e32fabdca5230b1) C:\WINDOWS\system32\DRIVERS\TVALZ.SYS

17:15:04.0531 5144 TVALZ - ok

17:15:04.0546 5144 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

17:15:04.0562 5144 Udfs - ok

17:15:04.0578 5144 ultra - ok

17:15:04.0609 5144 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

17:15:04.0625 5144 Update - ok

17:15:04.0656 5144 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys

17:15:04.0656 5144 USBAAPL - ok

17:15:04.0687 5144 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

17:15:04.0687 5144 usbccgp - ok

17:15:04.0718 5144 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

17:15:04.0718 5144 usbehci - ok

17:15:04.0843 5144 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

17:15:04.0843 5144 usbhub - ok

17:15:04.0890 5144 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

17:15:04.0890 5144 usbscan - ok

17:15:04.0906 5144 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

17:15:04.0906 5144 USBSTOR - ok

17:15:04.0937 5144 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

17:15:04.0937 5144 usbuhci - ok

17:15:04.0968 5144 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

17:15:04.0968 5144 VgaSave - ok

17:15:04.0984 5144 ViaIde - ok

17:15:05.0000 5144 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

17:15:05.0000 5144 VolSnap - ok

17:15:05.0078 5144 Vsdatant (558cee3d9c470651f1843d51b42d761b) C:\WINDOWS\system32\vsdatant.sys

17:15:05.0125 5144 Vsdatant - ok

17:15:05.0140 5144 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

17:15:05.0140 5144 Wanarp - ok

17:15:05.0187 5144 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

17:15:05.0203 5144 Wdf01000 - ok

17:15:05.0296 5144 WDICA - ok

17:15:05.0359 5144 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

17:15:05.0359 5144 wdmaud - ok

17:15:05.0484 5144 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

17:15:05.0484 5144 WudfPf - ok

17:15:05.0515 5144 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

17:15:05.0515 5144 WudfRd - ok

17:15:05.0546 5144 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0

17:15:05.0703 5144 \Device\Harddisk0\DR0 - ok

17:15:05.0703 5144 Boot (0x1200) (5981a8aaa969632dfc1476aeb9c5a07c) \Device\Harddisk0\DR0\Partition0

17:15:05.0703 5144 \Device\Harddisk0\DR0\Partition0 - ok

17:15:05.0703 5144 ============================================================

17:15:05.0703 5144 Scan finished

17:15:05.0703 5144 ============================================================

17:15:05.0718 3156 Detected object count: 1

17:15:05.0718 3156 Actual detected object count: 1

17:15:19.0718 3156 C:\WINDOWS\system32\DRIVERS\ipsec.sys - copied to quarantine

17:15:19.0968 3156 Backup copy found, using it..

17:15:20.0015 3156 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot

17:15:22.0218 3156 IPSec ( Virus.Win32.ZAccess.k ) - User select action: Cure

17:16:03.0281 4692 Deinitialize success

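The line that matters in the TDSSKiller log above is the "Suspicious file (Forged)" entry: the scanner hashed C:\WINDOWS\system32\DRIVERS\ipsec.sys by two different read paths and got two different MD5s, which is the signature of a kernel-mode rootkit that hides its changes to a driver from ordinary file reads. As an added example that is not part of the original post or of TDSSKiller itself, here is a small Python parser that pulls the forged-file and detection lines out of such a log and pairs the real and fake digests per service. The sample lines are constructed by copying a few entries from the log in this thread (the MBR line is included because its shape differs and must not be mis-parsed); the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the TDSSKiller log in this
# thread (one clean driver, the forged ipsec.sys entry with its verdict lines,
# and the MBR line, whose shape differs and must not confuse the parser).
SAMPLE_LOG = r"""
17:14:59.0640 5144 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:14:59.0640 5144 IpNat - ok
17:14:59.0687 5144 IPSec (ac7006a9d7e13de5bf41a4a8762d2336) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:14:59.0687 5144 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: ac7006a9d7e13de5bf41a4a8762d2336, Fake md5: 23c74d75e36e7158768dd63d92789a91
17:14:59.0687 5144 IPSec ( Virus.Win32.ZAccess.k ) - infected
17:14:59.0687 5144 IPSec - detected Virus.Win32.ZAccess.k (0)
17:15:05.0546 5144 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
17:15:05.0703 5144 \Device\Harddisk0\DR0 - ok
"""

# Every line is "<time> <thread id> <message>"; only the message is parsed further.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<msg>.+)$")
# "<service> (<md5>) <path>": the enumeration line for a driver/service image.
ENTRY_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The forged-file line: the same path hashed two ways gave two different digests.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
INFECTED_RE = re.compile(r"^(?P<name>\S+) \( (?P<verdict>\S+) \) - infected$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+)")


def _new_record(name: str) -> Dict:
    return {"name": name, "path": None, "md5": None, "forged": False,
            "real_md5": None, "fake_md5": None, "verdict": None}


def parse_tdsskiller(lines) -> Dict[str, Dict]:
    """Return {service_name: record} for every object TDSSKiller flagged.

    Clean objects ("- ok" with no forged or detection line) are dropped, so the
    result is the short list that needs a second look, not the whole scan.
    """
    by_name: Dict[str, Dict] = {}
    by_path: Dict[str, Dict] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        e = ENTRY_RE.match(msg)
        if e:
            rec = by_name.setdefault(e.group("name"), _new_record(e.group("name")))
            rec["path"], rec["md5"] = e.group("path"), e.group("md5")
            by_path[rec["path"].lower()] = rec
            continue
        f = FORGED_RE.match(msg)
        if f:
            # The forged line carries no service name, so link it back via the
            # path; if the path was never enumerated, key the record by path.
            rec = by_path.get(f.group("path").lower())
            if rec is None:
                rec = by_name.setdefault(f.group("path"), _new_record(f.group("path")))
                rec["path"] = f.group("path")
            rec["forged"] = True
            rec["real_md5"], rec["fake_md5"] = f.group("real"), f.group("fake")
            continue
        d = INFECTED_RE.match(msg) or DETECTED_RE.match(msg)
        if d:
            rec = by_name.setdefault(d.group("name"), _new_record(d.group("name")))
            rec["verdict"] = d.group("verdict")
    return {n: r for n, r in by_name.items() if r["forged"] or r["verdict"]}


def summarize(findings: Dict[str, Dict]) -> List[str]:
    """One line per flagged object, with both digests when the file was forged."""
    out = []
    for rec in findings.values():
        hashes = ("real=%s fake=%s" % (rec["real_md5"], rec["fake_md5"])
                  if rec["forged"] else "md5=%s" % rec["md5"])
        out.append("%s %s %s verdict=%s" % (rec["name"], rec["path"], hashes,
                                            rec["verdict"] or "none"))
    return out


if __name__ == "__main__":
    for line in summarize(parse_tdsskiller(SAMPLE_LOG.splitlines())):
        print(line)
```

The pair of digests is what you then compare against a known-good reference for that driver and service-pack level (install media or a clean machine of the same build). A hash taken only through the normal file API on the infected box is exactly the one a rootkit of this kind is in a position to fake.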

I suspect this may be a newer variant. Before investigating this, please read the following first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    hkey_local_machine\system\currentcontrolset\services\USRpdA /s
    hkey_local_machine\system\currentcontrolset\services\MTDVC2_ENUM /s
    hkey_local_machine\system\currentcontrolset\services\lxbt_device /s


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


I think you're right about the newer version bit; this malware, btw, has now twice deleted ComboFix from my desktop!

I unplugged my pc and am writing from my iPhone.

I don't have recovery disks and would have to reformat from the HD. My two questions are: 1) with an XP Pro OS, will it be safe to reformat, then connect to the Internet, then download MS updates, ZoneAlarm, etc.? And 2) I backed up my files to a thumb drive AFTER infection; is there any way to ensure I won't be reintroducing the malware when I put all that back? (photos, ChessBase files, Word docs, iTunes, etc.)

Thank you for your warnings.


Yes, this rootkit infects a few semi-random files as well, and as it appears to be a newer variant, better safe than sorry. Once clean you can take your time to copy all important data, download installers of important software (like AV), then reformat and reinstall, then reinstall AV and such, and finally restore backed-up files.

If you want to do this, please post me the systemlook log.


I think this malware is always one step ahead of me. I have pasted the systemlook log below:

SystemLook 30.07.11 by jpshortstuff

Log created at 15:27 on 10/02/2012 by Billy

Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA]

"Type"= 0x0000000020 (32)

"Start"= 0x0000000002 (2)

"ErrorControl"= 0x0000000000 (0)

"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"

"DisplayName"="Vmx86"

"ObjectName"="LocalSystem"

"Description"="Vmx86"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA\Parameters]

"ServiceDll"="%systemroot%\system32\asctrm.dll"

"ServiceDllUnloadOnStop"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA\Security]

"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA\Enum]

"0"="Root\LEGACY_USRPDA\0000"

"Count"= 0x0000000001 (1)

"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\MTDVC2_ENUM]

(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lxbt_device]

(Unable to open key - key not found)

-= EOF =-

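The SystemLook dump above is the persistence entry the helper went looking for: a service with a random key name (USRpdA) whose ImagePath is the shared "svchost.exe -k netsvcs" host, whose DisplayName and Description are both a cosmetic label ("Vmx86") unrelated to the key name, and whose Parameters\ServiceDll points at a DLL in system32 (asctrm.dll) that the shared host will load as LocalSystem at boot. As an added example that is not part of the original thread or of SystemLook, the following Python parses a SystemLook ":reg" dump into per-service dictionaries and applies a few heuristics for a DLL smuggled into svchost. The AudioSrv entry and the KNOWN_NETSVCS baseline are constructed by me (on a real case the baseline is exported from a known-clean machine of the same build), the long Security value is trimmed, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the SystemLook ":reg" dump from this thread (Security
# value trimmed, Enum key dropped) plus a clean AudioSrv entry that is NOT from
# the thread, so the heuristics have a benign service to pass.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA]
"Type"= 0x0000000020 (32)
"Start"= 0x0000000002 (2)
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"DisplayName"="Vmx86"
"ObjectName"="LocalSystem"
"Description"="Vmx86"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA\Parameters]
"ServiceDll"="%systemroot%\system32\asctrm.dll"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\USRpdA\Security]
"Security"=01 00 14 80 90 00 00 00 (REG_BINARY)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\MTDVC2_ENUM]
(Unable to open key - key not found)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\AudioSrv]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"
"DisplayName"="Windows Audio"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\AudioSrv\Parameters]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
"""

# Constructed baseline: a few XP netsvcs members and the ServiceDll each should
# load. For a real case, export this from a known-clean machine of the same build.
KNOWN_NETSVCS = {"audiosrv": "audiosrv.dll", "browser": "browser.dll",
                 "cryptsvc": "cryptsvc.dll", "bits": "qmgr.dll",
                 "dhcp": "dhcpcsvc.dll"}

PREFIX_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\", re.I)
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*0x[0-9a-fA-F]+ \((?P<dec>\d+)\)$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')
BIN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<hex>(?:[0-9a-fA-F]{2} ?)+) \(REG_BINARY\)$')


def parse_systemlook_reg(text: str) -> Dict[str, Dict]:
    """Parse a SystemLook ':reg' dump into {service: {"found": bool, "keys": {...}}}.

    Values of the service root are stored under subkey "" and those of
    Parameters under "Parameters"; DWORDs become int, REG_BINARY becomes bytes.
    """
    services: Dict[str, Dict] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            svc, _, sub = PREFIX_RE.sub("", k.group("key")).partition("\\")
            entry = services.setdefault(svc, {"found": True, "keys": {}})
            entry["keys"].setdefault(sub, {})
            current = (svc, sub)
            continue
        if current is None:
            continue
        svc, sub = current
        if line.startswith("(Unable to open key"):
            services[svc]["found"] = False
            continue
        for rx, conv in ((DWORD_RE, lambda m: int(m.group("dec"))),
                         (STR_RE, lambda m: m.group("val")),
                         (BIN_RE, lambda m: bytes.fromhex(m.group("hex").replace(" ", "")))):
            m = rx.match(line)
            if m:
                services[svc]["keys"][sub][m.group("name")] = conv(m)
                break
    return services


def assess_service(name: str, entry: Dict, baseline=KNOWN_NETSVCS) -> List[str]:
    """Heuristics for a service entry that looks like a DLL smuggled into svchost."""
    if not entry["found"]:
        return []
    root = entry["keys"].get("", {})
    params = entry["keys"].get("Parameters", {})
    image = str(root.get("ImagePath", "")).lower()
    dll = str(params.get("ServiceDll", "")).lower().rsplit("\\", 1)[-1]
    expected = baseline.get(name.lower())
    reasons = []
    if "svchost.exe" in image:
        if expected is None:
            reasons.append("svchost-hosted service not in the netsvcs baseline")
        elif dll != expected:
            reasons.append("ServiceDll %s differs from baseline %s" % (dll, expected))
    disp, desc = root.get("DisplayName", ""), root.get("Description", "")
    if disp and disp == desc and disp.lower() not in name.lower():
        reasons.append("DisplayName and Description are the same generic label %r" % disp)
    return reasons


def assess_all(services: Dict[str, Dict]) -> Dict[str, List[str]]:
    report = {n: assess_service(n, e) for n, e in services.items()}
    return {n: r for n, r in report.items() if r}


if __name__ == "__main__":
    for name, reasons in assess_all(parse_systemlook_reg(SAMPLE_DUMP)).items():
        print(name, "->", "; ".join(reasons))
```

On a live machine the same two facts come from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs` (which names are allowed into the shared host) and from each listed service's Parameters\ServiceDll; any member you cannot account for, or any known member whose DLL has changed, is the entry to pull, back up and remove, which is what the CF-script in the next post does for USRpdA.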

In that case let's just remove it, as it is most likely the culprit. In the worst case we have a backup, so we can always put it back.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


NetSvc::
USRpdA

Driver::
USRpdA

Rootkit::
c:\windows\system32\asctrm.dll

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


After nearly five hours of waiting, unsuccessfully, for NAV to uninstall itself, I finally gave up and just followed your instructions with NAV running. I have pasted the contents of the combofix (with your recommended CFScript dropped into it) log file below:

ComboFix 12-02-10.01 - Billy 02/10/2012 21:29:08.8.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1737 [GMT -5:00]

Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB23364$

c:\windows\$NtUninstallKB23364$\3155683155\@

c:\windows\$NtUninstallKB23364$\3155683155\cfg.ini

c:\windows\$NtUninstallKB23364$\3155683155\Desktop.ini

c:\windows\$NtUninstallKB23364$\3155683155\L\fmlqknoz

c:\windows\$NtUninstallKB23364$\3155683155\U\00000001.@

c:\windows\$NtUninstallKB23364$\3155683155\U\00000002.@

c:\windows\$NtUninstallKB23364$\3155683155\U\00000004.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000000.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000004.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000032.@

c:\windows\$NtUninstallKB23364$\3155683155\version

c:\windows\$NtUninstallKB23364$\4284606208

c:\windows\system32\msdtc.dll

.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_USRPDA

-------\Service_USRpdA

.

.

((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))

.

.

2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys

2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys

2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine

2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help

2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec

2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller

2012-02-05 19:55 . 2012-02-10 23:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod

2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe

2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe

2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll

2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\tabletservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SSFS0BB9.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pnmsrv.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pav_security.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\OVT511Plus.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\nvmpu401.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ntsecure.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\mksvirmonsvc.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imaservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imapiservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\https-admserv61.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\hmonitor.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\gs30s.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ghaio.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\F700ius.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\aeaudio.dll

+ 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]

"000StTHK"="000StTHK.exe" [2001-06-23 24576]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]

"TPSMain"="TPSMain.exe" [2006-07-27 315392]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]

2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624]

S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]

S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]

S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]

S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248]

S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]

S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]

S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976]

S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

MTDVC2_ENUM

RVIEG01

agrsrvce

TMKEmu

atalk

fsma

pctavsvc

iomegaaccess

mozyFilter

AEADIFilters

tap0901

apache

NetTcpActivator

nwdls

lxbt_device

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44]

.

2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: lextranet.com\v5

TCP: DhcpNameServer = 207.69.188.185 207.69.188.186

DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-42551739.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-10 21:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(688)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

.

- - - - - - - > 'lsass.exe'(744)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

.

- - - - - - - > 'explorer.exe'(912)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2012-02-10 21:56:49 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-11 02:56

ComboFix2.txt 2012-02-10 16:29

ComboFix3.txt 2012-02-10 05:40

ComboFix4.txt 2012-02-10 00:41

ComboFix5.txt 2012-02-11 02:22

.

Pre-Run: 91,131,211,776 bytes free

Post-Run: 91,339,956,224 bytes free

.

- - End Of File - - 1834951B0919B0E500E2F225033A1A39

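Added example, not part of this thread and not ComboFix's own code: a small Python triage script for the line shapes that appear in the log above (the dated file-list lines, the "+"/"-" SnapShot lines, the R0/S1/S2 service lines and the REGEDIT4-style values). It pulls out the things a helper reads for by eye: files carrying both the system and hidden attribute bits, a batch of same-size files added to system32 with identical timestamps, services whose image lives under a user profile, and registry values that silence Security Center or turn the Windows Firewall off. The sample input is a handful of lines copied from the log; the function names, the attribute-position check, the threshold of three same-size files, the profile-path hints and the watched registry values are this example's own assumptions. Every hit is a review item: a third-party suite such as Norton or ZoneAlarm sets those Security Center values too, Norton keeps definition drivers under All Users\Application Data, and whether a run of identical DLLs is a payload drop or a cleaning tool's placeholders cannot be decided from the log alone.

```python
"""Triage of ComboFix-style log excerpts (added example, not ComboFix code).

Parses file-list, SnapShot, service and REGEDIT4 value lines and applies the
checks a responder otherwise applies by eye. Thresholds, profile-path hints
and the watched registry values are assumptions; every hit needs vetting.
"""
import re
from collections import defaultdict

# 2012-02-05 19:55 . 2012-02-10 23:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
                     r"(-{8}|\d+) ([-a-z]{8}) (.+)$")
# + 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll
SNAP_RE = re.compile(r"^([+-]) (\d{4}-\d\d-\d\d \d\d:\d\d) \. "
                     r"(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) (.+)$")
# S1 BHDrvx86;BHDrvx86;c:\...\BHDrvx86.sys [2/8/2012 5:46 PM 820344]
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[(.+)\]$")
# "AntiVirusOverride"=dword:00000001   or   "EnableFirewall"= 0 (0x0)
VAL_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-f]{8})|(\d+) \(0x[0-9a-f]+\))$', re.I)

SYSTEM32 = "c:\\windows\\system32\\"
PROFILE_HINTS = ("\\documents and settings\\", "\\users\\")  # assumed list
# (key fragment, value name, setting that silences or disables a defense); assumed list
WEAKENING = (
    ("security center", "antivirusoverride", 1),
    ("security center", "firewalloverride", 1),
    ("monitoring", "disablemonitoring", 1),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0),
)


def parse_log(text):
    """Split a log excerpt into file, snapshot, service and registry-value records."""
    out = {"files": [], "snap": [], "services": [], "values": []}
    key = ""  # most recent [HKEY...] header, so values know their key
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FILE_RE.match(line)):
            created, modified, size, attrs, path = m.groups()
            size = None if size.startswith("-") else int(size)  # dashes mean directory
            out["files"].append((created, modified, size, attrs, path))
        elif (m := SNAP_RE.match(line)):
            sign, created, modified, size, path = m.groups()
            out["snap"].append((sign, created, modified, int(size), path))
        elif (m := SVC_RE.match(line)):
            start, name, display, image, _stamp = m.groups()
            out["services"].append((start, name, display, image))
        elif (m := KEY_RE.match(line)):
            key = m.group(1).lower()
        elif (m := VAL_RE.match(line)):
            name, hexval, decval = m.groups()
            out["values"].append((key, name.lower(), int(hexval, 16) if hexval else int(decval)))
    return out


def hidden_system_files(parsed):
    """Non-directory entries with the system (s) and hidden (h) bits set (attribute
    columns 3 and 4 in the log's 8-character field). Tools leave such files too."""
    return [path for _, _, _, attrs, path in parsed["files"]
            if attrs[0] != "d" and attrs[2] == "s" and attrs[3] == "h"]


def same_size_clusters(parsed, min_count=3):
    """Files added to system32 since the snapshot, grouped by identical size and
    timestamps. One size plus old stamps is a batch drop or a tool's placeholders."""
    groups = defaultdict(list)
    for sign, created, modified, size, path in parsed["snap"]:
        if sign == "+" and path.lower().startswith(SYSTEM32):
            groups[(size, created, modified)].append(path)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def services_from_profiles(parsed):
    """Service names whose image lives under a user or All Users profile."""
    return [name for _, name, _, image in parsed["services"]
            if any(h in image.lower() for h in PROFILE_HINTS)]


def weakened_defenses(parsed):
    """Registry values that silence Security Center or disable the Windows Firewall."""
    return sorted(f"{key}\\{name}={val}" for key, name, val in parsed["values"]
                  for frag, watched, bad in WEAKENING
                  if frag in key and name == watched and val == bad)


def triage(text):
    p = parse_log(text)
    return {"hidden_system": hidden_system_files(p),
            "same_size_clusters": same_size_clusters(p),
            "services_from_profiles": services_from_profiles(p),
            "weakened_defenses": weakened_defenses(p)}


# Constructed input: lines copied from the ComboFix log in this thread.
SAMPLE = r"""
2012-02-05 19:55 . 2012-02-10 23:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
+ 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat
+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll
+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll
+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336]
"""

if __name__ == "__main__":
    for section, hits in triage(SAMPLE).items():
        print(section, hits)
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE`; the parser ignores the lines it does not recognise (headers, Run-key entries, the catchme block), so the whole file can be fed in unchanged. On the excerpt the four checks surface exactly the entries a helper would ask about: the zero-byte system+hidden `dds_trash_log.cmd`, the three 5632-byte DLLs with identical 2008 timestamps, the Norton definition driver under All Users\Application Data, and the two values that silence Security Center and disable the Windows Firewall. None of those is a verdict; the same-size DLL cluster in particular has to be judged from what the tool that wrote them did, not from the log.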

I cannot tell if I would get warnings as NAV and many other functions don't work in normal mode, but in safe mode, at least, I haven't gotten any website redirects this a.m. Thank you Elise! Are there any links for reformatting and/or repairing a hard drive aside from the one you provided in your second post above? My laptop PC came without recovery disks and the manual does not explain anything.

Here is the combofix log from this morning:

ComboFix 12-02-10.01 - Billy 02/11/2012 9:26.9.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1716 [GMT -5:00]

Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))

.

.

2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys

2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys

2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine

2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help

2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec

2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller

2012-02-05 19:55 . 2012-02-10 23:18 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod

2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe

2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe

2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll

2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\tabletservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SSFS0BB9.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pnmsrv.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pav_security.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\OVT511Plus.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\nvmpu401.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ntsecure.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\mksvirmonsvc.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imaservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imapiservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\https-admserv61.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\hmonitor.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\gs30s.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ghaio.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\F700ius.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\aeaudio.dll

+ 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]

"000StTHK"="000StTHK.exe" [2001-06-23 24576]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]

"TPSMain"="TPSMain.exe" [2006-07-27 315392]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]

2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624]

S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]

S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]

S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]

S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248]

S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]

S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]

S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976]

S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

MTDVC2_ENUM

RVIEG01

agrsrvce

TMKEmu

atalk

fsma

pctavsvc

iomegaaccess

mozyFilter

AEADIFilters

tap0901

apache

NetTcpActivator

nwdls

lxbt_device

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44]

.

2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: lextranet.com\v5

TCP: DhcpNameServer = 207.69.188.185 207.69.188.186

DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-11 09:33

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

.

- - - - - - - > 'lsass.exe'(736)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

.

- - - - - - - > 'explorer.exe'(796)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2012-02-11 09:35:12

ComboFix-quarantined-files.txt 2012-02-11 14:35

ComboFix2.txt 2012-02-11 02:56

ComboFix3.txt 2012-02-10 16:29

ComboFix4.txt 2012-02-10 05:40

ComboFix5.txt 2012-02-11 14:26

.

Pre-Run: 91,338,113,024 bytes free

Post-Run: 91,348,320,256 bytes free

.

- - End Of File - - A981D0FC90675A9CB197F7B5AF554345


Do you see any option on startup to access system recovery (for example: "press F<number> to start system recovery")?

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


I do get a choice right on startup to go to "Windows Recovery Console," I believe. I had instead intended to use the Windows installer package on my hd located at C:\WINDOWS\I386\WINNT32.

This may be a premature question, however, because ComboFix just found rootkit activity. I have pasted the log below:

ComboFix 12-02-10.01 - Billy 02/11/2012 11:23:33.10.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1733 [GMT -5:00]

Running from: c:\documents and settings\Billy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Billy\Desktop\CFScript.txt

AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$NtUninstallKB23364$

c:\windows\$NtUninstallKB23364$\3025323343

c:\windows\$NtUninstallKB23364$\3155683155\@

c:\windows\$NtUninstallKB23364$\3155683155\cfg.ini

c:\windows\$NtUninstallKB23364$\3155683155\Desktop.ini

c:\windows\$NtUninstallKB23364$\3155683155\L\fmlqknoz

c:\windows\$NtUninstallKB23364$\3155683155\U\00000001.@

c:\windows\$NtUninstallKB23364$\3155683155\U\00000002.@

c:\windows\$NtUninstallKB23364$\3155683155\U\00000004.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000000.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000004.@

c:\windows\$NtUninstallKB23364$\3155683155\U\80000032.@

c:\windows\$NtUninstallKB23364$\3155683155\version

.

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))

.

.

2012-02-11 16:11 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\serial.sys

2012-02-11 02:23 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search

2012-02-10 21:30 . 2012-02-10 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search

2012-02-10 21:27 . 2012-02-10 21:27 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2012-02-10 21:25 . 2012-02-10 21:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2012-02-10 15:40 . 2008-04-13 19:18 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys

2012-02-10 15:40 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2012-02-10 04:23 . 2012-02-10 17:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2012-02-10 04:23 . 2012-02-08 22:18 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys

2012-02-09 01:31 . 2012-02-09 01:31 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-02-08 22:15 . 2012-02-10 16:49 -------- d-----w- C:\TDSSKiller_Quarantine

2012-02-07 22:43 . 2012-02-07 22:43 -------- d-----w- c:\documents and settings\Billy\Local Settings\Application Data\Help

2012-02-07 04:22 . 2012-02-07 04:22 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp

2012-02-07 03:20 . 2012-02-07 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2012-02-06 23:39 . 2012-02-07 05:02 -------- d-----w- c:\program files\Symantec

2012-02-06 23:39 . 2012-02-07 05:02 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL

2012-02-06 23:39 . 2012-02-07 05:02 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2012-02-06 23:39 . 2012-02-07 20:31 -------- d-----w- c:\windows\system32\drivers\NAV

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Norton AntiVirus

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\program files\Windows Sidebar

2012-02-06 23:39 . 2012-02-06 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2012-02-06 23:38 . 2012-02-06 23:38 -------- d-----w- c:\program files\NortonInstaller

2012-02-05 19:55 . 2012-02-11 15:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-04 20:49 . 2012-02-04 20:49 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-03 20:59 . 2012-02-03 20:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2012-01-21 20:22 . 2012-01-21 20:22 -------- d-----w- c:\program files\iPod

2012-01-13 02:18 . 2012-01-13 02:18 29184 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA9871.exe

2012-01-13 02:18 . 2012-01-13 02:18 28160 ----a-r- c:\documents and settings\Billy\Application Data\Microsoft\Installer\{975EA987-5D79-4A1C-AD71-D27B28347B48}\Icon975EA987.exe

2012-01-13 02:18 . 2012-01-13 02:18 -------- d-----w- c:\documents and settings\Billy\Application Data\Across Lite 2.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-10 20:24 . 2010-05-03 02:17 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-25 21:57 . 2008-01-10 17:53 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2008-01-10 17:53 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35 . 2008-01-10 17:52 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-18 01:38 . 2011-06-14 06:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-16 14:21 . 2008-01-10 17:53 354816 ----a-w- c:\windows\system32\winhttp.dll

2011-11-16 14:21 . 2008-01-10 17:52 152064 ----a-w- c:\windows\system32\schannel.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2012-02-09_03.24.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-10 17:52 . 2012-02-09 04:29 89036 c:\windows\system32\perfc009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 89036 c:\windows\system32\perfc009.dat

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\WSIMD.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\toddsrv.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\tabletservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SSFS0BB9.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\SiSRaid.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\rdpdr.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pnmsrv.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\pav_security.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\OVT511Plus.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\nvmpu401.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ntsecure.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\mksvirmonsvc.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imaservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\imapiservice.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\https-admserv61.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\hmonitor.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\gs30s.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\ghaio.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\F700ius.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\cdaudio.dll

+ 2008-01-10 17:53 . 2008-04-14 00:12 5632 c:\windows\system32\aeaudio.dll

+ 2008-01-10 17:52 . 2012-02-09 04:29 507450 c:\windows\system32\perfh009.dat

- 2008-01-10 17:52 . 2012-02-09 03:28 507450 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"Akamai NetSession Interface"="c:\documents and settings\Billy\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-02-02 3329824]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"RTHDCPL"="RTHDCPL.EXE" [2007-03-13 16125440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]

"000StTHK"="000StTHK.exe" [2001-06-23 24576]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 110592]

"TPSMain"="TPSMain.exe" [2006-07-27 315392]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]

2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1305000.091\symds.sys [2/7/2012 12:02 AM 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1305000.091\symefa.sys [2/7/2012 12:02 AM 905336]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/10/2008 5:11 PM 36608]

S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120207.003\BHDrvx86.sys [2/8/2012 5:46 PM 820344]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1305000.091\ccsetx86.sys [2/7/2012 12:02 AM 132744]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1305000.091\ironx86.sys [2/7/2012 12:02 AM 149624]

S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [1/10/2008 3:16 PM 5888]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/10/2008 12:53 PM 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 9:00 PM 13568]

S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 8:59 PM 33024]

S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]

S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccsvchst.exe [2/7/2012 12:02 AM 138248]

S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 8:33 PM 3456]

S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]

S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [1/10/2008 3:16 PM 126976]

S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/6/2012 7:00 PM 106104]

S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120209.002\IDSXpx86.sys [2/9/2012 9:37 PM 356280]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]

S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/23/2008 3:15 AM 435072]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/10/2008 12:53 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

MTDVC2_ENUM

RVIEG01

agrsrvce

TMKEmu

atalk

fsma

pctavsvc

iomegaaccess

mozyFilter

AEADIFilters

tap0901

apache

NetTcpActivator

nwdls

lxbt_device

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-WBS-Billy.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-13 08:44]

.

2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://nytimes.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: lextranet.com\v5

TCP: DhcpNameServer = 207.69.188.185 207.69.188.186

DPF: {0F7A9297-7268-11D1-B81A-00A076C01B0A} - hxxp://www.cartesianinc.com/Exec/CpcViewAX/CpcViewAX.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-11 11:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(680)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

.

- - - - - - - > 'lsass.exe'(736)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus2.dll

.

- - - - - - - > 'explorer.exe'(496)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2012-02-11 11:42:24 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-11 16:42

ComboFix2.txt 2012-02-11 14:35

ComboFix3.txt 2012-02-11 02:56

ComboFix4.txt 2012-02-10 16:29

ComboFix5.txt 2012-02-11 16:10

.

Pre-Run: 91,307,798,528 bytes free

Post-Run: 91,323,072,512 bytes free

.

- - End Of File - - 3A9921508CDC6B187E4898E879F7AEA3


I get nothing before the choice for recovery console. My computer is a Toshiba Tecra A9 Series.

I have posted the MBAM log below, which detected 25 objects. As a point of interest, MBAM first alerted me to the nature of the problem, but during the following week since the infection it at least once said "no infections found."

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.11.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

Billy :: WBS [administrator]

2/11/2012 12:40:22 PM

mbam-log-2012-02-11 (12-40-22).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 322479

Time elapsed: 31 minute(s), 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 25

C:\WINDOWS\system32\nvmpu401.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir (Trojan.Wimpixo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\msdtc.dll.vir (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{77D9D35D-FC5B-4939-BA43-F3D91D209A31}\RP3\A0018115.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\TDSSKiller_Quarantine\08.02.2012_17.38.06\rtkt0000\svc0000\tsk0000.dta (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\aeaudio.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cdaudio.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\F700ius.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ghaio.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gs30s.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hmonitor.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\https-admserv61.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\imapiservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\imaservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mksvirmonsvc.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ntsecure.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\OVT511Plus.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pav_security.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pnmsrv.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rdpdr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SiSRaid.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SSFS0BB9.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tabletservice.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\toddsrv.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\WSIMD.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.

(end)


This topic is now closed to further replies.