Rootkit Zero Access

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
I've got a customer's machine that has Rootkit.ZeroAccess. I ran Combofix yesterday and had to let it run overnight, as it took forever to delete a folder. I regret not saving that log file (and I hate that Combofix overwrites old ones). The first time it ran was without the recovery console. After that I got the recovery console installed and it has come up with the rootkit warning.

But here are my logs.

TDSS Killer
12:18:05.0234 0428 TDSS rootkit removing tool 2.7.38.0 May 25 2012 17:35:31
12:18:05.0265 0428 ============================================================
12:18:05.0265 0428 Current date / time: 2012/06/13 12:18:05.0265
12:18:05.0265 0428 SystemInfo:
12:18:05.0265 0428
12:18:05.0265 0428 OS Version: 5.1.2600 ServicePack: 2.0
12:18:05.0265 0428 Product type: Workstation
12:18:05.0265 0428 ComputerName: OWNER-7DE43097D
12:18:05.0265 0428 UserName: Owner
12:18:05.0265 0428 Windows directory: C:\WINDOWS
12:18:05.0265 0428 System windows directory: C:\WINDOWS
12:18:05.0265 0428 Processor architecture: Intel x86
12:18:05.0265 0428 Number of processors: 1
12:18:05.0265 0428 Page size: 0x1000
12:18:05.0265 0428 Boot type: Normal boot
12:18:05.0265 0428 ============================================================
12:18:06.0640 0428 Drive \Device\Harddisk0\DR0 - Size: 0x9516AE000 (37.27 Gb), SectorSize: 0x200, Cylinders: 0x1431, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
12:18:06.0640 0428 Drive \Device\Harddisk1\DR2 - Size: 0x1DD800000 (7.46 Gb), SectorSize: 0x200, Cylinders: 0x3CD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
12:18:06.0640 0428 ============================================================
12:18:06.0640 0428 \Device\Harddisk0\DR0:
12:18:06.0640 0428 MBR partitions:
12:18:06.0640 0428 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
12:18:06.0640 0428 \Device\Harddisk1\DR2:
12:18:06.0640 0428 MBR partitions:
12:18:06.0640 0428 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0xEEA080
12:18:06.0640 0428 ============================================================
12:18:06.0843 0428 C: <-> \Device\Harddisk0\DR0\Partition0
12:18:06.0843 0428 ============================================================
12:18:06.0843 0428 Initialize success
12:18:06.0843 0428 ============================================================
12:18:07.0656 0560 ============================================================
12:18:07.0656 0560 Scan started
12:18:07.0656 0560 Mode: Manual;
12:18:07.0656 0560 ============================================================
12:18:08.0312 0560 Abiosdsk - ok
12:18:08.0328 0560 abp480n5 - ok
12:18:08.0375 0560 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:18:08.0375 0560 ACPI - ok
12:18:08.0421 0560 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:18:08.0421 0560 ACPIEC - ok
12:18:08.0437 0560 adpu160m - ok
12:18:08.0468 0560 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
12:18:08.0468 0560 aeaudio - ok
12:18:08.0515 0560 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
12:18:08.0531 0560 aec - ok
12:18:08.0546 0560 AegisP (f498fd605c08404b20a48954c722ff74) C:\WINDOWS\system32\DRIVERS\AegisP.sys
12:18:08.0546 0560 AegisP - ok
12:18:08.0578 0560 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\system32\drivers\afd.sys
12:18:08.0578 0560 AFD - ok
12:18:08.0593 0560 Aha154x - ok
12:18:08.0609 0560 aic78u2 - ok
12:18:08.0625 0560 aic78xx - ok
12:18:08.0656 0560 Alerter (c7ae0fd3867db0d42b03b73c18f3d671) C:\WINDOWS\system32\alrsvc.dll
12:18:08.0671 0560 Alerter - ok
12:18:08.0687 0560 ALG (f1958fbf86d5c004cf19a5951a9514b7) C:\WINDOWS\System32\alg.exe
12:18:08.0703 0560 ALG - ok
12:18:08.0703 0560 AliIde - ok
12:18:08.0718 0560 amsint - ok
12:18:08.0750 0560 AppMgmt (9c3c12975c97119412802b181fbeeffe) C:\WINDOWS\System32\appmgmts.dll
12:18:08.0765 0560 AppMgmt - ok
12:18:08.0781 0560 asc - ok
12:18:08.0796 0560 asc3350p - ok
12:18:08.0796 0560 asc3550 - ok
12:18:08.0921 0560 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
12:18:08.0953 0560 aspnet_state - ok
12:18:08.0984 0560 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:18:09.0000 0560 AsyncMac - ok
12:18:09.0031 0560 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:18:09.0031 0560 atapi - ok
12:18:09.0046 0560 Atdisk - ok
12:18:09.0078 0560 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:18:09.0078 0560 Atmarpc - ok
12:18:09.0109 0560 AudioSrv (db66db626e4882ebef55f136f12c1829) C:\WINDOWS\System32\audiosrv.dll
12:18:09.0109 0560 AudioSrv - ok
12:18:09.0156 0560 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:18:09.0156 0560 audstub - ok
12:18:09.0187 0560 b57w2k (a9d0f6efc61d1ff69b55c495f85dd868) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
12:18:09.0203 0560 b57w2k - ok
12:18:09.0234 0560 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:18:09.0250 0560 Beep - ok
12:18:09.0312 0560 BITS (2c69ec7e5a311334d10dd95f338fccea) C:\WINDOWS\system32\qmgr.dll
12:18:09.0359 0560 BITS - ok
12:18:09.0390 0560 BridgeMP (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
12:18:09.0406 0560 BridgeMP - ok
12:18:09.0437 0560 Browser (e3cfccdda4edd1d0dc9168b2e18f27b8) C:\WINDOWS\System32\browser.dll
12:18:09.0437 0560 Browser - ok
12:18:09.0468 0560 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:18:09.0468 0560 cbidf2k - ok
12:18:09.0484 0560 cd20xrnt - ok
12:18:09.0515 0560 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:18:09.0515 0560 Cdaudio - ok
12:18:09.0562 0560 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
12:18:09.0562 0560 Cdfs - ok
12:18:09.0609 0560 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:18:09.0609 0560 Cdrom - ok
12:18:09.0625 0560 Changer - ok
12:18:09.0656 0560 CiSvc (3192bd04d032a9c4a85a3278c268a13a) C:\WINDOWS\system32\cisvc.exe
12:18:09.0656 0560 CiSvc - ok
12:18:09.0703 0560 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:18:09.0812 0560 clr_optimization_v2.0.50727_32 - ok
12:18:09.0828 0560 CmdIde - ok
12:18:09.0843 0560 COMSysApp - ok
12:18:09.0859 0560 Cpqarray - ok
12:18:09.0906 0560 CryptSvc (10654f9ddcea9c46cfb77554231be73b) C:\WINDOWS\system32\cryptsvc.dll
12:18:09.0906 0560 CryptSvc - ok
12:18:09.0921 0560 dac2w2k - ok
12:18:09.0937 0560 dac960nt - ok
12:18:09.0984 0560 DcomLaunch (01095febf33beea00c2a0730b9b3ec28) C:\WINDOWS\system32\rpcss.dll
12:18:10.0000 0560 DcomLaunch - ok
12:18:10.0046 0560 Dhcp (ef545e1a4b043da4c84e230dd471c55f) C:\WINDOWS\System32\dhcpcsvc.dll
12:18:10.0046 0560 Dhcp - ok
12:18:10.0093 0560 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
12:18:10.0093 0560 Disk - ok
12:18:10.0109 0560 dmadmin - ok
12:18:10.0203 0560 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
12:18:10.0234 0560 dmboot - ok
12:18:10.0281 0560 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
12:18:10.0281 0560 dmio - ok
12:18:10.0312 0560 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:18:10.0312 0560 dmload - ok
12:18:10.0328 0560 dmserver (1639d9964c9e1b2ecca95c8217d3e70d) C:\WINDOWS\System32\dmserver.dll
12:18:10.0328 0560 dmserver - ok
12:18:10.0359 0560 Dnscache (aac8ffbfd61e784fa3bac851d4a0bd5f) C:\WINDOWS\System32\dnsrslvr.dll
12:18:10.0359 0560 Dnscache - ok
12:18:10.0421 0560 Dot4 (ad7fc1963b152b3728e3c4f83554a576) C:\WINDOWS\system32\DRIVERS\Dot4.sys
12:18:10.0421 0560 Dot4 - ok
12:18:10.0453 0560 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
12:18:10.0453 0560 Dot4Print - ok
12:18:10.0468 0560 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
12:18:10.0468 0560 dot4usb - ok
12:18:10.0484 0560 dpti2o - ok
12:18:10.0515 0560 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
12:18:10.0515 0560 drmkaud - ok
12:18:10.0546 0560 ERSvc (67dff7bbbd0e80aab7b3cf061448db8a) C:\WINDOWS\System32\ersvc.dll
12:18:10.0546 0560 ERSvc - ok
12:18:10.0593 0560 Eventlog (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
12:18:10.0593 0560 Eventlog - ok
12:18:10.0640 0560 EventSystem (60d1a6342238378bfb7545c81ee3606c) C:\WINDOWS\system32\es.dll
12:18:10.0640 0560 EventSystem - ok
12:18:10.0703 0560 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
12:18:10.0703 0560 Fastfat - ok
12:18:10.0750 0560 FastUserSwitchingCompatibility (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
12:18:10.0765 0560 FastUserSwitchingCompatibility - ok
12:18:10.0796 0560 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:18:10.0796 0560 Fdc - ok
12:18:10.0828 0560 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
12:18:10.0828 0560 Fips - ok
12:18:10.0921 0560 FLEXnet Licensing Service (227846995afeefa70d328bf5334a86a5) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
12:18:10.0953 0560 FLEXnet Licensing Service - ok
12:18:10.0984 0560 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:18:10.0984 0560 Flpydisk - ok
12:18:11.0031 0560 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
12:18:11.0031 0560 FltMgr - ok
12:18:11.0375 0560 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
12:18:11.0421 0560 FontCache3.0.0.0 - ok
12:18:11.0468 0560 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:18:11.0468 0560 Fs_Rec - ok
12:18:11.0484 0560 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:18:11.0500 0560 Ftdisk - ok
12:18:11.0515 0560 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:18:11.0515 0560 Gpc - ok
12:18:11.0578 0560 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:18:11.0578 0560 gupdate - ok
12:18:11.0593 0560 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:18:11.0593 0560 gupdatem - ok
12:18:11.0640 0560 helpsvc (8827911a8c37e40c027cbfc88e69d967) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
12:18:11.0640 0560 helpsvc - ok
12:18:11.0703 0560 HidServ (9376e6893e52b368abc6255bf54f0b28) C:\WINDOWS\System32\hidserv.dll
12:18:11.0703 0560 HidServ - ok
12:18:11.0734 0560 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:18:11.0734 0560 HidUsb - ok
12:18:11.0750 0560 hpn - ok
12:18:11.0781 0560 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
12:18:11.0796 0560 HTTP - ok
12:18:11.0843 0560 HTTPFilter (064d8581adf77c25133e7d751d917d83) C:\WINDOWS\System32\w3ssl.dll
12:18:11.0843 0560 HTTPFilter - ok
12:18:11.0859 0560 i2omgmt - ok
12:18:11.0875 0560 i2omp - ok
12:18:11.0921 0560 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:18:11.0921 0560 i8042prt - ok
12:18:12.0015 0560 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
12:18:12.0062 0560 ialm - ok
12:18:12.0187 0560 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
12:18:12.0218 0560 idsvc - ok
12:18:12.0312 0560 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:18:12.0312 0560 Imapi - ok
12:18:12.0343 0560 ImapiService (fa788520bcac0f5d9d5cde5615c0d931) C:\WINDOWS\system32\imapi.exe
12:18:12.0359 0560 ImapiService - ok
12:18:12.0375 0560 ini910u - ok
12:18:12.0406 0560 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:18:12.0406 0560 IntelIde - ok
12:18:12.0453 0560 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:18:12.0453 0560 intelppm - ok
12:18:12.0484 0560 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
12:18:12.0484 0560 Ip6Fw - ok
12:18:12.0531 0560 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:18:12.0531 0560 IpFilterDriver - ok
12:18:12.0546 0560 iphlpsvc - ok
12:18:12.0562 0560 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:18:12.0562 0560 IpInIp - ok
12:18:12.0609 0560 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:18:12.0609 0560 IpNat - ok
12:18:12.0656 0560 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:18:12.0656 0560 IPSec - ok
12:18:12.0687 0560 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:18:12.0687 0560 IRENUM - ok
12:18:12.0734 0560 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:18:12.0734 0560 isapnp - ok
12:18:12.0781 0560 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:18:12.0781 0560 Kbdclass - ok
12:18:12.0828 0560 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
12:18:12.0828 0560 kbdhid - ok
12:18:12.0875 0560 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
12:18:12.0875 0560 kmixer - ok
12:18:12.0906 0560 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
12:18:12.0906 0560 KSecDD - ok
12:18:12.0953 0560 lanmanserver (0cb3af149a0bac0836022ca307c7a0f8) C:\WINDOWS\System32\srvsvc.dll
12:18:12.0953 0560 lanmanserver - ok
12:18:13.0000 0560 lanmanworkstation (e1f27cfcd114ec9f1e1f44674b2ff9f0) C:\WINDOWS\System32\wkssvc.dll
12:18:13.0000 0560 lanmanworkstation - ok
12:18:13.0015 0560 lbrtfdc - ok
12:18:13.0062 0560 LmHosts (b3eff6d938c572e90a07b3d87a3c7657) C:\WINDOWS\System32\lmhsvc.dll
12:18:13.0062 0560 LmHosts - ok
12:18:13.0109 0560 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:18:13.0109 0560 mnmdd - ok
12:18:13.0156 0560 mnmsrvc (f6415361201915b9fe3896b0e4e724ff) C:\WINDOWS\system32\mnmsrvc.exe
12:18:13.0156 0560 mnmsrvc - ok
12:18:13.0187 0560 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
12:18:13.0187 0560 Modem - ok
12:18:13.0218 0560 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:18:13.0218 0560 Mouclass - ok
12:18:13.0250 0560 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:18:13.0250 0560 mouhid - ok
12:18:13.0281 0560 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
12:18:13.0281 0560 MountMgr - ok
12:18:13.0296 0560 mraid35x - ok
12:18:13.0328 0560 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:18:13.0343 0560 MRxDAV - ok
12:18:13.0390 0560 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:18:13.0406 0560 MRxSmb - ok
12:18:13.0453 0560 MSDTC (c7c3d89eb0a6f3dba622ea737fa335b1) C:\WINDOWS\system32\msdtc.exe
12:18:13.0453 0560 MSDTC - ok
12:18:13.0500 0560 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
12:18:13.0500 0560 Msfs - ok
12:18:13.0500 0560 MSIServer - ok
12:18:13.0531 0560 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:18:13.0531 0560 MSKSSRV - ok
12:18:13.0562 0560 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:18:13.0562 0560 MSPCLOCK - ok
12:18:13.0578 0560 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
12:18:13.0593 0560 MSPQM - ok
12:18:13.0625 0560 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:18:13.0625 0560 mssmbios - ok
12:18:13.0656 0560 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
12:18:13.0656 0560 Mup - ok
12:18:13.0671 0560 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
12:18:13.0687 0560 NDIS - ok
12:18:13.0718 0560 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:18:13.0718 0560 NdisTapi - ok
12:18:13.0765 0560 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:18:13.0765 0560 Ndisuio - ok
12:18:13.0812 0560 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:18:13.0812 0560 NdisWan - ok
12:18:13.0828 0560 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
12:18:13.0828 0560 NDProxy - ok
12:18:13.0859 0560 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:18:13.0859 0560 NetBIOS - ok
12:18:13.0890 0560 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:18:13.0890 0560 NetBT - ok
12:18:13.0937 0560 NetDDE (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
12:18:13.0937 0560 NetDDE - ok
12:18:13.0953 0560 NetDDEdsdm (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
12:18:13.0953 0560 NetDDEdsdm - ok
12:18:14.0000 0560 Netlogon (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
12:18:14.0000 0560 Netlogon - ok
12:18:14.0046 0560 Netman (36739b39267914ba69ad0610a0299732) C:\WINDOWS\System32\netman.dll
12:18:14.0062 0560 Netman - ok
12:18:14.0171 0560 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
12:18:14.0171 0560 NetTcpPortSharing - ok
12:18:14.0234 0560 Nla (097722f235a1fb698bf9234e01b52637) C:\WINDOWS\System32\mswsock.dll
12:18:14.0234 0560 Nla - ok
12:18:14.0281 0560 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
12:18:14.0281 0560 Npfs - ok
12:18:14.0343 0560 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
12:18:14.0375 0560 Ntfs - ok
12:18:14.0375 0560 NtLmSsp (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
12:18:14.0375 0560 NtLmSsp - ok
12:18:14.0468 0560 NtmsSvc (b62f29c00ac55a761b2e45877d85ea0f) C:\WINDOWS\system32\ntmssvc.dll
12:18:14.0484 0560 NtmsSvc - ok
12:18:14.0515 0560 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:18:14.0515 0560 Null - ok
12:18:14.0546 0560 NVXBAR (b89cfbe8cb247b57d8c10adaa66b462b) C:\WINDOWS\system32\IntelC52.dll
12:18:14.0546 0560 NVXBAR ( Backdoor.Multi.ZAccess.gen ) - infected
12:18:14.0546 0560 NVXBAR - detected Backdoor.Multi.ZAccess.gen (0)
12:18:14.0562 0560 NWHOST - ok
12:18:14.0593 0560 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:18:14.0593 0560 NwlnkFlt - ok
12:18:14.0609 0560 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:18:14.0609 0560 NwlnkFwd - ok
12:18:14.0734 0560 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
12:18:14.0750 0560 odserv - ok
12:18:14.0796 0560 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
12:18:14.0812 0560 ose - ok
12:18:14.0843 0560 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
12:18:14.0843 0560 Parport - ok
12:18:14.0875 0560 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
12:18:14.0875 0560 PartMgr - ok
12:18:14.0906 0560 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:18:14.0906 0560 ParVdm - ok
12:18:14.0953 0560 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
12:18:14.0953 0560 PCI - ok
12:18:14.0953 0560 PCIDump - ok
12:18:14.0984 0560 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
12:18:14.0984 0560 PCIIde - ok
12:18:15.0015 0560 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
12:18:15.0015 0560 Pcmcia - ok
12:18:15.0031 0560 PDCOMP - ok
12:18:15.0046 0560 PDFRAME - ok
12:18:15.0062 0560 PDRELI - ok
12:18:15.0078 0560 PDRFRAME - ok
12:18:15.0093 0560 perc2 - ok
12:18:15.0109 0560 perc2hib - ok
12:18:15.0171 0560 PlugPlay (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
12:18:15.0171 0560 PlugPlay - ok
12:18:15.0218 0560 Pml Driver HPZ12 (f9d3bb81bdf8b279e1f37282cd52a9b5) C:\WINDOWS\system32\HPZipm12.exe
12:18:15.0218 0560 Pml Driver HPZ12 - ok
12:18:15.0265 0560 PolicyAgent (d1e299962b5956005113ec4ab1e0d9b7) C:\WINDOWS\System32\ipsecsvc.dll
12:18:15.0265 0560 PolicyAgent - ok
12:18:15.0312 0560 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:18:15.0312 0560 PptpMiniport - ok
12:18:15.0328 0560 ProtectedStorage (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
12:18:15.0328 0560 ProtectedStorage - ok
12:18:15.0359 0560 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
12:18:15.0359 0560 PSched - ok
12:18:15.0375 0560 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:18:15.0390 0560 Ptilink - ok
12:18:15.0390 0560 ql1080 - ok
12:18:15.0406 0560 Ql10wnt - ok
12:18:15.0421 0560 ql12160 - ok
12:18:15.0437 0560 ql1240 - ok
12:18:15.0453 0560 ql1280 - ok
12:18:15.0484 0560 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:18:15.0484 0560 RasAcd - ok
12:18:15.0531 0560 RasAuto (44db7a9bdd2fb58747d123fbf1d35adb) C:\WINDOWS\System32\rasauto.dll
12:18:15.0531 0560 RasAuto - ok
12:18:15.0562 0560 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:18:15.0562 0560 Rasl2tp - ok
12:18:15.0609 0560 RasMan (49b5eed5fb89d39456a2f616ccd8ba5d) C:\WINDOWS\System32\rasmans.dll
12:18:15.0609 0560 RasMan - ok
12:18:15.0640 0560 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:18:15.0640 0560 RasPppoe - ok
12:18:15.0656 0560 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:18:15.0656 0560 Raspti - ok
12:18:15.0703 0560 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:18:15.0703 0560 Rdbss - ok
12:18:15.0718 0560 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:18:15.0734 0560 RDPCDD - ok
12:18:15.0781 0560 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:18:15.0781 0560 rdpdr - ok
12:18:15.0843 0560 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
12:18:15.0843 0560 RDPWD - ok
12:18:15.0875 0560 RDSessMgr (729798e0933076b8fcfcd9934698f164) C:\WINDOWS\system32\sessmgr.exe
12:18:15.0890 0560 RDSessMgr - ok
12:18:15.0921 0560 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:18:15.0921 0560 redbook - ok
12:18:15.0968 0560 RemoteAccess (3046db917e3cfa040632799dd9b14865) C:\WINDOWS\System32\mprdim.dll
12:18:15.0968 0560 RemoteAccess - ok
12:18:16.0000 0560 RemoteRegistry (3151427db7d87107d1c5be58fac53960) C:\WINDOWS\system32\regsvc.dll
12:18:16.0000 0560 RemoteRegistry - ok
12:18:16.0046 0560 RpcLocator (793f04a09b15e7c6c11dbdffaf06c0ab) C:\WINDOWS\system32\locator.exe
12:18:16.0046 0560 RpcLocator - ok
12:18:16.0125 0560 RpcSs (01095febf33beea00c2a0730b9b3ec28) C:\WINDOWS\system32\rpcss.dll
12:18:16.0125 0560 RpcSs - ok
12:18:16.0171 0560 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
12:18:16.0171 0560 RSVP - ok
12:18:16.0218 0560 SamSs (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
12:18:16.0218 0560 SamSs - ok
12:18:16.0265 0560 SCardSvr (25d8de134df108e3dbc8d7d23b1aa58e) C:\WINDOWS\System32\SCardSvr.exe
12:18:16.0265 0560 SCardSvr - ok
12:18:16.0296 0560 Schedule (92360854316611f6cc471612213c3d92) C:\WINDOWS\system32\schedsvc.dll
12:18:16.0312 0560 Schedule - ok
12:18:16.0343 0560 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:18:16.0343 0560 Secdrv - ok
12:18:16.0390 0560 seclogon (b1e0ce09895376871746f36dc5773b4f) C:\WINDOWS\system32\seclogon.dll
12:18:16.0390 0560 seclogon - ok
12:18:16.0406 0560 SENS (dfd9870cf39c791d86c4c209da9fa919) C:\WINDOWS\system32\sens.dll
12:18:16.0406 0560 SENS - ok
12:18:16.0437 0560 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:18:16.0437 0560 serenum - ok
12:18:16.0468 0560 Serial (4228164715806f098669cc960af9fddc) C:\WINDOWS\system32\DRIVERS\serial.sys
12:18:16.0468 0560 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: 4228164715806f098669cc960af9fddc, Fake md5: cd9404d115a00d249f70a371b46d5a26
12:18:16.0468 0560 Serial ( Virus.Win32.ZAccess.g ) - infected
12:18:16.0468 0560 Serial - detected Virus.Win32.ZAccess.g (0)
12:18:16.0515 0560 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:18:16.0515 0560 Sfloppy - ok
12:18:16.0578 0560 SharedAccess (36cc8c01b5e50163037bef56cb96deff) C:\WINDOWS\System32\ipnathlp.dll
12:18:16.0593 0560 SharedAccess - ok
12:18:16.0640 0560 ShellHWDetection (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
12:18:16.0640 0560 ShellHWDetection - ok
12:18:16.0656 0560 Simbad - ok
12:18:16.0734 0560 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
12:18:16.0765 0560 smwdm - ok
12:18:16.0765 0560 Sparrow - ok
12:18:16.0812 0560 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
12:18:16.0812 0560 splitter - ok
12:18:16.0843 0560 Spooler (da81ec57acd4cdc3d4c51cf3d409af9f) C:\WINDOWS\System32\spoolsv.exe
12:18:16.0843 0560 Spooler - ok
12:18:16.0890 0560 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
12:18:16.0890 0560 sr - ok
12:18:16.0921 0560 srservice (92bdf74f12d6cbec43c94d4b7f804838) C:\WINDOWS\system32\srsvc.dll
12:18:16.0921 0560 srservice - ok
12:18:16.0968 0560 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
12:18:16.0984 0560 Srv - ok
12:18:17.0031 0560 SSDPSRV (4b8d61792f7175bed48859cc18ce4e38) C:\WINDOWS\System32\ssdpsrv.dll
12:18:17.0031 0560 SSDPSRV - ok
12:18:17.0078 0560 stisvc (b6763f8534ac547cf1af98afdff2edc8) C:\WINDOWS\system32\wiaservc.dll
12:18:17.0109 0560 stisvc - ok
12:18:17.0140 0560 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:18:17.0156 0560 swenum - ok
12:18:17.0171 0560 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
12:18:17.0171 0560 swmidi - ok
12:18:17.0187 0560 SwPrv - ok
12:18:17.0218 0560 symc810 - ok
12:18:17.0218 0560 symc8xx - ok
12:18:17.0234 0560 sym_hi - ok
12:18:17.0250 0560 sym_u3 - ok
12:18:17.0296 0560 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
12:18:17.0296 0560 sysaudio - ok
12:18:17.0328 0560 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) C:\WINDOWS\system32\smlogsvc.exe
12:18:17.0328 0560 SysmonLog - ok
12:18:17.0390 0560 TapiSrv (fb78839b36025aa286a51289ed28b73e) C:\WINDOWS\System32\tapisrv.dll
12:18:17.0390 0560 TapiSrv - ok
12:18:17.0453 0560 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:18:17.0468 0560 Tcpip - ok
12:18:17.0500 0560 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:18:17.0500 0560 TDPIPE - ok
12:18:17.0515 0560 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
12:18:17.0515 0560 TDTCP - ok
12:18:17.0531 0560 tdx - ok
12:18:17.0562 0560 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:18:17.0562 0560 TermDD - ok
12:18:17.0609 0560 TermService (b60c877d16d9c880b952fda04adf16e6) C:\WINDOWS\System32\termsrv.dll
12:18:17.0625 0560 TermService - ok
12:18:17.0671 0560 Themes (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
12:18:17.0671 0560 Themes - ok
12:18:17.0718 0560 TlntSvr (37db0a7d097310e8b4de803fc3119c78) C:\WINDOWS\system32\tlntsvr.exe
12:18:17.0718 0560 TlntSvr - ok
12:18:17.0718 0560 TosIde - ok
12:18:17.0765 0560 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) C:\WINDOWS\system32\trkwks.dll
12:18:17.0765 0560 TrkWks - ok
12:18:17.0812 0560 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
12:18:17.0812 0560 Udfs - ok
12:18:17.0828 0560 ultra - ok
12:18:17.0890 0560 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
12:18:17.0906 0560 Update - ok
12:18:17.0937 0560 upnphost (aca5d98663d879c6baafcea7e2f1b710) C:\WINDOWS\System32\upnphost.dll
12:18:17.0953 0560 upnphost - ok
12:18:17.0984 0560 UPS (3f5df65b0758675f95a2d43918a740a3) C:\WINDOWS\System32\ups.exe
12:18:17.0984 0560 UPS - ok
12:18:18.0015 0560 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:18:18.0015 0560 usbccgp - ok
12:18:18.0062 0560 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:18:18.0062 0560 usbehci - ok
12:18:18.0093 0560 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:18:18.0109 0560 usbhub - ok
12:18:18.0140 0560 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:18:18.0140 0560 USBSTOR - ok
12:18:18.0171 0560 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:18:18.0171 0560 usbuhci - ok
12:18:18.0218 0560 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
12:18:18.0218 0560 VgaSave - ok
12:18:18.0234 0560 ViaIde - ok
12:18:18.0250 0560 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
12:18:18.0250 0560 VolSnap - ok
12:18:18.0312 0560 VSS (3ee00364ae0fd8d604f46cbaf512838a) C:\WINDOWS\System32\vssvc.exe
12:18:18.0312 0560 VSS - ok
12:18:18.0359 0560 W32Time (2b281958f5d0cf99ed626e3ef39d5c8d) C:\WINDOWS\system32\w32time.dll
12:18:18.0375 0560 W32Time - ok
12:18:18.0406 0560 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:18:18.0406 0560 Wanarp - ok
12:18:18.0421 0560 WDICA - ok
12:18:18.0468 0560 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
12:18:18.0468 0560 wdmaud - ok
12:18:18.0531 0560 WebClient (265f534ef76832435afbf771ec97176d) C:\WINDOWS\System32\webclnt.dll
12:18:18.0531 0560 WebClient - ok
12:18:18.0562 0560 WinDefend - ok
12:18:18.0578 0560 WinHttpAutoProxySvc - ok
12:18:18.0656 0560 winmgmt (f399242a80c4066fd155efa4cf96658e) C:\WINDOWS\system32\wbem\WMIsvc.dll
12:18:18.0656 0560 winmgmt - ok
12:18:18.0703 0560 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
12:18:18.0703 0560 WmdmPmSN - ok
12:18:18.0781 0560 Wmi (1081c185aed0660b2b5f173c3e023b23) C:\WINDOWS\System32\advapi32.dll
12:18:18.0796 0560 Wmi - ok
12:18:18.0843 0560 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) C:\WINDOWS\system32\wbem\wmiapsrv.exe
12:18:18.0843 0560 WmiApSrv - ok
12:18:18.0937 0560 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
12:18:18.0968 0560 WMPNetworkSvc - ok
12:18:19.0015 0560 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\system32\drivers\ws2ifsl.sys
12:18:19.0015 0560 WS2IFSL - ok
12:18:19.0062 0560 wscsvc (4d59daa66c60858cdf4f67a900f42d4a) C:\WINDOWS\system32\wscsvc.dll
12:18:19.0062 0560 wscsvc - ok
12:18:19.0234 0560 wuauserv (6298277b73c77fa99106b271a7525163) C:\WINDOWS\system32\wuaueng.dll
12:18:19.0281 0560 wuauserv - ok
12:18:19.0390 0560 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:18:19.0406 0560 WudfPf - ok
12:18:19.0421 0560 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
12:18:19.0437 0560 WudfRd - ok
12:18:19.0468 0560 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
12:18:19.0468 0560 WudfSvc - ok
12:18:19.0500 0560 WUSB54GPV4SRV (18eeb910627ddaf40f822966f887bad8) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
12:18:19.0515 0560 WUSB54GPV4SRV - ok
12:18:19.0593 0560 WUSB54Gv4SVC (e8c30ef9bbc6ddb71f0f77fa3a96515f) C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
12:18:19.0593 0560 WUSB54Gv4SVC - ok
12:18:19.0640 0560 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) C:\WINDOWS\System32\wzcsvc.dll
12:18:19.0750 0560 WZCSVC - ok
12:18:20.0000 0560 xmlprov (eef46dab68229a14da3d8e73c99e2959) C:\WINDOWS\System32\xmlprov.dll
12:18:20.0015 0560 xmlprov - ok
12:18:20.0046 0560 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:18:20.0500 0560 \Device\Harddisk0\DR0 - ok
12:18:20.0515 0560 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
12:18:20.0515 0560 \Device\Harddisk1\DR2 - ok
12:18:20.0531 0560 Boot (0x1200) (1a0d92a50851bbc78137bf9097746396) \Device\Harddisk0\DR0\Partition0
12:18:20.0531 0560 \Device\Harddisk0\DR0\Partition0 - ok
12:18:20.0546 0560 Boot (0x1200) (e85c424787475980ad2a7714b37561d8) \Device\Harddisk1\DR2\Partition0
12:18:20.0546 0560 \Device\Harddisk1\DR2\Partition0 - ok
12:18:20.0546 0560 ============================================================
12:18:20.0546 0560 Scan finished
12:18:20.0546 0560 ============================================================
12:18:20.0578 1008 Detected object count: 2
12:18:20.0578 1008 Actual detected object count: 2
12:18:37.0578 1008 C:\WINDOWS\system32\IntelC52.dll - copied to quarantine
12:18:37.0593 1008 HKLM\SYSTEM\ControlSet001\services\NVXBAR - will be deleted on reboot
12:18:37.0593 1008 HKLM\SYSTEM\ControlSet002\services\NVXBAR - will be deleted on reboot
12:18:37.0593 1008 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost:netsvcs - cured
12:18:37.0593 1008 C:\WINDOWS\system32\IntelC52.dll - will be deleted on reboot
12:18:37.0593 1008 NVXBAR ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
12:18:37.0687 1008 C:\WINDOWS\system32\DRIVERS\serial.sys - copied to quarantine
12:18:37.0765 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\@ - copied to quarantine
12:18:37.0781 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\L\iwddvjtf - copied to quarantine
12:18:37.0781 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\loader.tlb - copied to quarantine
12:18:37.0796 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@00000001 - copied to quarantine
12:18:37.0812 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@000000c0 - copied to quarantine
12:18:37.0875 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@000000cb - copied to quarantine
12:18:37.0890 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@000000cf - copied to quarantine
12:18:37.0906 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@80000000 - copied to quarantine
12:18:37.0921 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@800000c0 - copied to quarantine
12:18:37.0937 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@800000cb - copied to quarantine
12:18:37.0953 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@800000cf - copied to quarantine
12:18:39.0156 1008 C:\WINDOWS\assembly\GAC_MSIL\desktop.ini - copied to quarantine
12:18:39.0156 1008 C:\WINDOWS\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb - copied to quarantine
12:18:39.0156 1008 C:\Documents and Settings\Owner\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb - copied to quarantine
12:18:40.0296 1008 Backup copy not found, trying to cure infected file..
12:18:40.0296 1008 Cure success, using it..
12:18:40.0296 1008 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured on reboot
12:18:41.0593 1008 C:\WINDOWS\$NtUninstallKB16997$\1052671954 - will be deleted on reboot
12:18:41.0593 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\@ - will be deleted on reboot
12:18:41.0640 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\loader.tlb - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@00000001 - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@000000c0 - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@000000cb - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@000000cf - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@80000000 - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@800000c0 - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@800000cb - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\$NtUninstallKB16997$\1627643033\U\@800000cf - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\assembly\GAC_MSIL\desktop.ini - will be deleted on reboot
12:18:41.0671 1008 C:\WINDOWS\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb - will be deleted on reboot
12:18:41.0671 1008 C:\Documents and Settings\Owner\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb - will be deleted on reboot
12:18:41.0671 1008 Serial ( Virus.Win32.ZAccess.g ) - User select action: Cure
12:18:43.0859 0480 Deinitialize success
 
Recent combofix

ComboFix 12-06-14.01 - Owner 06/14/2012 11:50:45.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.1235 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\VIRUS\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-14 to 2012-06-14 )))))))))))))))))))))))))))))))
.
.
2012-06-14 15:33 . 2012-06-14 15:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-06-14 15:33 . 2012-06-14 15:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-14 15:33 . 2012-06-14 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-06-14 15:33 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 16:18 . 2012-06-13 16:18 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-13 16:12 . 2012-06-13 16:12 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2012-06-13 16:05 . 2004-08-04 04:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-06-13 16:05 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-06-13 16:04 . 2004-08-04 02:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-06-13 16:04 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-06-13 15:51 . 2004-08-04 03:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2012-06-13 15:51 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 16:19 . 2006-02-28 12:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\WUSB54Gv4.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2012 4:05 PM 136176]
S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [2/28/2006 8:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2012 4:05 PM 136176]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [2/28/2006 8:00 AM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NWHOST
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-08 20:05]
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-08 20:05]
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1425521274-682003330-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-03 17:34]
.
2012-06-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1425521274-682003330-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-03 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-14 11:56
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-06-14 11:58:23
ComboFix-quarantined-files.txt 2012-06-14 15:58
ComboFix2.txt 2012-06-14 15:25
ComboFix3.txt 2012-06-14 15:07
ComboFix4.txt 2012-06-13 22:38
.
Pre-Run: 24,365,244,416 bytes free
Post-Run: 24,367,927,296 bytes free
.
- - End Of File - - F5BCB46C3A2C0B694F45FA8742389A15
 
And HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:03:23 PM, on 6/14/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
E:\KENNEX\VIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203091145851
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 4584 bytes
 
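The TDSSKiller log above shows where this ZeroAccess build lives on disk: a fake hotfix uninstall directory (`$NtUninstallKB16997$`) holding an all-numeric subdirectory with an `@` file, `L\` and `U\` subdirectories (the `U\` entries named `@` plus eight hex digits), `loader.tlb`, and a `desktop.ini` dropped in `assembly\GAC_MSIL`. The script below is an added example, not code from TDSSKiller, ComboFix or the poster; it walks a `%WINDIR%` tree for exactly that layout so the same check can be run on another machine or an offline copy of the disk. The directory tree it builds in `build_sample_tree()` is constructed for the demo and is not the customer's disk.

```python
"""Hunt a %WINDIR% tree for the on-disk ZeroAccess layout TDSSKiller quarantined above.

Added example for this thread; not code from TDSSKiller, ComboFix or the poster.
Indicators come from the quarantined paths in the log: a fake hotfix uninstall
directory ($NtUninstallKB<digits>$) holding an all-numeric subdirectory with an
'@' file, 'L' and 'U' subdirectories (U\\ holding @-named modules) and
loader.tlb, plus a desktop.ini under assembly\\GAC_MSIL.  The tree that
build_sample_tree() creates is constructed for the demo, not the customer's disk.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

FAKE_KB_DIR = re.compile(r"^\$NtUninstallKB\d+\$$", re.IGNORECASE)
NUMERIC_DIR = re.compile(r"^\d+$")
U_MODULE = re.compile(r"^@[0-9a-f]{8}$", re.IGNORECASE)   # e.g. @80000000 in the log


def indicators_in(d: Path) -> list[str]:
    """Indicators found inside one numeric subdirectory of a $NtUninstall*$ directory."""
    hits = []
    if (d / "@").is_file():
        hits.append("@ file")
    if (d / "loader.tlb").is_file():
        hits.append("loader.tlb")
    if (d / "L").is_dir():
        hits.append("L directory")
    u = d / "U"
    if u.is_dir():
        n = sum(1 for p in u.iterdir() if p.is_file() and U_MODULE.match(p.name))
        if n:
            hits.append(f"U directory with {n} @-named modules")
    return hits


def scan_windows_dir(windows_dir: Path) -> dict[str, list[str]]:
    """Return {path: [indicators]} for every ZeroAccess-like location under windows_dir.

    A real hotfix uninstall directory is not expected to hold an all-numeric
    subdirectory, and one is only reported when indicator files are present.
    """
    findings: dict[str, list[str]] = {}
    for entry in windows_dir.iterdir():
        if not (entry.is_dir() and FAKE_KB_DIR.match(entry.name)):
            continue
        for sub in entry.iterdir():
            if sub.is_dir() and NUMERIC_DIR.match(sub.name):
                hits = indicators_in(sub)
                if hits:
                    findings[str(sub)] = hits
    gac_ini = windows_dir / "assembly" / "GAC_MSIL" / "desktop.ini"
    if gac_ini.is_file():
        findings[str(gac_ini)] = ["desktop.ini in GAC_MSIL (quarantined by TDSSKiller above)"]
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: mimics the quarantined paths plus one clean hotfix directory."""
    win = root / "WINDOWS"
    bad = win / "$NtUninstallKB16997$" / "1627643033"
    (bad / "U").mkdir(parents=True)
    (bad / "L").mkdir()
    (bad / "@").write_bytes(b"\x00" * 64)
    (bad / "loader.tlb").write_bytes(b"MZ")
    for name in ("@00000001", "@000000c0", "@80000000", "@800000cb"):
        (bad / "U" / name).write_bytes(b"MZ")
    (bad / "L" / "iwddvjtf").write_bytes(b"")
    # clean hotfix uninstall directory (constructed name): only spuninst\, must not be reported
    (win / "$NtUninstallKB900000$" / "spuninst").mkdir(parents=True)
    (win / "assembly" / "GAC_MSIL").mkdir(parents=True)
    (win / "assembly" / "GAC_MSIL" / "desktop.ini").write_text("[.ShellClassInfo]\n")
    return win


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_windows_dir(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Point `scan_windows_dir()` at the Windows directory of a mounted image or at `C:\WINDOWS` from a clean boot environment; running it from inside the infected OS is unreliable because the rootkit hides its own files from the live system.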
Just so you know, ComboFix doesn't delete the old logs.

Code:
ComboFix2.txt 2012-06-14 15:25
ComboFix3.txt 2012-06-14 15:07
ComboFix4.txt 2012-06-13 22:38

Look in the Qoobox folder and you will find them; I just can't remember where, as I don't normally have more than one instance of ComboFix run.

How's the machine running as of now?
 
I was previously getting redirects when clicking on Google results. I don't seem to be getting that now.

Here's the original ComboFix log.

ComboFix 12-06-13.02 - Owner 06/13/2012 12:30:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.1240 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\VIRUS\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\6103dc99\U
c:\documents and settings\Owner\Local Settings\Application Data\6103dc99\U\800000cb.@
c:\documents and settings\Owner\Local Settings\Application Data\6103dc99\U\800000cf.@
c:\windows\system32\dds_log_ad13.cmd
c:\windows\system32\dds_log_trash.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-05-13 to 2012-06-13 )))))))))))))))))))))))))))))))
.
.
2012-06-13 16:18 . 2012-06-13 16:18 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-13 16:12 . 2012-06-13 16:12 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2012-06-13 16:05 . 2004-08-04 04:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-06-13 16:05 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-06-13 16:04 . 2004-08-04 02:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-06-13 16:04 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-06-13 15:51 . 2004-08-04 03:08 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2012-06-13 15:51 . 2004-08-04 03:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 16:19 . 2006-02-28 12:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\WUSB54Gv4.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
.
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2012 4:05 PM 136176]
S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [2/28/2006 8:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/8/2012 4:05 PM 136176]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [2/28/2006 8:00 AM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NWHOST
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-08 20:05]
.
2012-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-08 20:05]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1425521274-682003330-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-03 17:34]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-1425521274-682003330-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-03 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Spotify - c:\documents and settings\Owner\Application Data\Spotify\Spotify.exe
SafeBoot-26518344.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-13 18:35
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-06-13 18:38:59
ComboFix-quarantined-files.txt 2012-06-13 22:38
.
Pre-Run: 6,911,049,728 bytes free
Post-Run: 24,035,975,168 bytes free
.
- - End Of File - - DAAD6335E260D287B512768C427D187E
 
I'm concerned about this entry here.

S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]


Upload both files to www.virustotal.com and let's see the results.

c:\windows\system32\DRIVERS\tdx.sys

and

c:\windows\system32\tcpipcfg.dll
 
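The entry John flags is printed by ComboFix with `[?]` where the other service lines carry a date and size, which is how ComboFix marks a binary it could not find. The script below is an added example (not ComboFix's code and not anything the posters ran) that parses service lines in that shape, flags early-start entries whose binary is missing, and hashes the binaries that do exist so they can be searched on VirusTotal by digest instead of uploaded. The `tdx` line is copied from the log; the second sample line and the fake filesystem are constructed for the demo. It assumes the Windows volume is reachable as a directory tree (a mounted image or offline copy) whose root stands in for `c:\`.

```python
"""Triage the S1/S2/S3 service lines of a ComboFix log against a copy of the disk.

Added example for this thread; not ComboFix's code and not anything the posters
ran.  It parses lines in the shape ComboFix prints above
('S1 name;display;path [date size]', or '[?]' when the file was not found),
flags early-start entries whose binary is missing, and hashes binaries that do
exist so they can be searched on VirusTotal by digest rather than uploaded.
The tdx line is copied from the log; the second line and the fake filesystem
under the temp directory are constructed for the demo.  Assumption: the
Windows volume is reachable as a directory tree whose root stands in for 'c:\\'.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

SERVICE_LINE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+"            # R/S plus start type digit
    r"(?P<name>[^;]+);"                          # service name
    r"(?P<display>[^;]*);"                       # display name or resource reference
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"  # image path, then [date size] or [?]
)
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


def parse_service_line(line: str) -> dict | None:
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if "-->" in path:                      # ComboFix prints 'logical --> resolved' for some entries
        path = path.split("-->")[-1].strip()
    return {
        "name": m.group("name"),
        "start": START_TYPE.get(m.group("start"), m.group("start")),
        "path": path,
        "not_found_by_combofix": m.group("info").strip() == "?",
    }


def to_local_path(win_path: str, root: Path) -> Path:
    """Map 'c:\\windows\\...' onto root/windows/... (drive letter dropped)."""
    tail = win_path.split(":", 1)[1] if ":" in win_path else win_path
    return root.joinpath(*[part for part in tail.split("\\") if part])


def hash_file(p: Path) -> tuple[str, str]:
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(p, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def triage(lines: list[str], root: Path) -> list[dict]:
    """One record per service line with on-disk status and, if present, hashes."""
    records = []
    for line in lines:
        rec = parse_service_line(line)
        if rec is None:
            continue
        local = to_local_path(rec["path"], root)
        if local.is_file():
            rec["status"] = "present"
            rec["md5"], rec["sha256"] = hash_file(local)
        elif rec["start"] in ("boot", "system"):
            rec["status"] = "missing: early-start driver with no binary on disk"
        else:
            rec["status"] = "missing"
        records.append(rec)
    return records


SAMPLE_LINES = [
    # copied from the ComboFix log in this thread
    r"S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]",
    # constructed line in the same shape as ComboFix's auto-start service entries
    r"S2 demo_svc;Demo Service;c:\windows\system32\demo_svc.exe [1/1/2012 1:00 PM 8]",
]


def demo() -> list[dict]:
    """Run triage over SAMPLE_LINES against a constructed volume in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        exe = root / "windows" / "system32" / "demo_svc.exe"
        exe.parent.mkdir(parents=True)
        exe.write_bytes(b"MZdemo!!")        # 8-byte stand-in for a service binary
        return triage(SAMPLE_LINES, root)


if __name__ == "__main__":
    for rec in demo():
        print(rec["name"], rec["start"], rec["status"], rec.get("sha256", ""))
```

A service entry that points at a file nobody can find is still worth keeping: the registry key itself is the persistence, so export `HKLM\SYSTEM\CurrentControlSet\Services\<name>` before deleting it and keep the export with the quarantine.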
I don't see either of those files. I have hidden files and folders enabled.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-14 14:01:19
-----------------------------
14:01:19.546 OS Version: Windows 5.1.2600 Service Pack 2
14:01:19.546 Number of processors: 1 586 0x209
14:01:19.546 ComputerName: OWNER-7DE43097D UserName: Owner
14:01:20.625 Initialize success
14:02:02.281 AVAST engine defs: 12061400
14:02:13.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:02:13.953 Disk 0 Vendor: ST340014A 3.06 Size: 38166MB BusType: 3
14:02:13.984 Disk 0 MBR read successfully
14:02:13.984 Disk 0 MBR scan
14:02:14.015 Disk 0 Windows XP default MBR code
14:02:14.015 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
14:02:14.015 Disk 0 scanning sectors +78140160
14:02:14.078 Disk 0 scanning C:\WINDOWS\system32\drivers
14:02:22.812 Service scanning
14:02:40.656 Modules scanning
14:02:45.656 Disk 0 trace - called modules:
14:02:45.671 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
14:02:45.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89911ab8]
14:02:46.171 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\00000058[0x897c4f18]
14:02:46.171 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89914d98]
14:02:46.781 AVAST engine scan C:\WINDOWS
14:02:59.625 AVAST engine scan C:\WINDOWS\system32
14:05:41.765 AVAST engine scan C:\WINDOWS\system32\drivers
14:05:55.562 AVAST engine scan C:\Documents and Settings\Owner
14:08:34.296 AVAST engine scan C:\Documents and Settings\All Users
14:08:42.109 Scan finished successfully
14:10:26.656 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
14:10:26.671 The log file has been saved successfully to "E:\aswMBR.txt"
 
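aswMBR saved the boot sector to `E:\MBR.dat`, and TDSSKiller earlier printed an MD5 for the MBR of each disk, so the two can be cross-checked offline. The parser below is an added example, not code from aswMBR, TDSSKiller or the posters. It rests on two assumptions of mine: that TDSSKiller's `MBR (0x1B8) (<md5>)` line is the MD5 of the first 0x1B8 (440) bytes of the sector, i.e. the boot code that precedes the 4-byte disk signature (consistent with both disks in the log reporting the same digest although their disk signatures would differ), and that the sector uses the classic layout (code at 0x000, disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, 0x55AA at 0x1FE). The sector built by `build_sample_mbr()` is constructed; only the partition type, active flag, start offset and size mirror the aswMBR line above.

```python
"""Parse a saved 512-byte MBR (like the MBR.dat aswMBR wrote above) and cross-check
it against the boot-code digest TDSSKiller printed earlier in the thread.

Added example; not code from aswMBR, TDSSKiller or the posters.  Assumptions,
both mine: TDSSKiller's 'MBR (0x1B8) (<md5>)' is the MD5 of the first 0x1B8
(440) bytes of the sector, the boot code before the 4-byte disk signature,
and the sector uses the classic layout (code at 0x000, disk signature at
0x1B8, partition table at 0x1BE, 0x55AA at 0x1FE).  build_sample_mbr()
returns a constructed sector, not the customer's disk.
"""
from __future__ import annotations

import hashlib
import struct

CODE_LEN = 0x1B8
SIG_OFFSET = 0x1B8
TABLE_OFFSET = 0x1BE
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parsed = {
        "code_md5": hashlib.md5(sector[:CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, SIG_OFFSET)[0],
        "boot_signature_ok": sector[0x1FE:0x200] == b"\x55\xAA",
        "partitions": [],
    }
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parsed["partitions"].append({
            "index": i + 1,
            "boot_flag": flag,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * 512 // (1024 * 1024),
        })
    return parsed


def check(parsed: dict, reference_code_md5: str | None = None) -> list[str]:
    """Sanity findings; reference_code_md5 is the digest from an earlier trusted scan."""
    notes = []
    if not parsed["boot_signature_ok"]:
        notes.append("0x55AA boot signature missing")
    if reference_code_md5 and parsed["code_md5"] != reference_code_md5.lower():
        notes.append("boot code digest differs from the reference scan")
    active = [p for p in parsed["partitions"] if p["boot_flag"] == 0x80]
    if len(active) != 1:
        notes.append(f"{len(active)} active partitions, expected 1")
    for p in parsed["partitions"]:
        if p["boot_flag"] not in (0x00, 0x80):
            notes.append(f"partition {p['index']} has invalid boot flag 0x{p['boot_flag']:02X}")
        if p["lba_start"] == 0:
            notes.append(f"partition {p['index']} starts at LBA 0 and overlaps the MBR")
    return notes


def build_sample_mbr() -> bytes:
    """Constructed sector: filler boot code, one active NTFS (0x07) partition at LBA 63
    sized 38154 MB like the aswMBR line above; code bytes and disk signature are made up."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (CODE_LEN - 7)
    sig = struct.pack("<I", 0x12345678) + b"\x00\x00"       # disk signature + 2 reserved bytes
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 38154 * 2048)
    return code + sig + entry + b"\x00" * 48 + b"\x55\xAA"


if __name__ == "__main__":
    sector = build_sample_mbr()            # replace with open("MBR.dat", "rb").read()
    parsed = parse_mbr(sector)
    print("code MD5:", parsed["code_md5"], "partitions:", parsed["partitions"])
    print("findings:", check(parsed) or "none")
```

Read `MBR.dat` in place of the constructed sector and pass the digest from the TDSSKiller line as `reference_code_md5`; a matching digest says the boot code has not changed between the two scans, which is the part of the sector a bootkit would rewrite.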
Please download and run Farbar Service Scanner.

Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Press Scan.

It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log.
 
Don't kill yourself over it, John. I'm sure the customer would agree to a reload. Haven't called them yet. But we'll see what else we can do.

Farbar Service Scanner Version: 09-06-2012
Ran by Owner (administrator) on 14-06-2012 at 15:26:28
Running from "E:\KENNEX\VIRUS"
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-02-28 08:00] - [2006-05-19 08:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys
[2006-02-28 08:00] - [2008-08-14 05:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

C:\WINDOWS\system32\Drivers\netbt.sys
[2006-02-28 08:00] - [2006-02-28 08:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-02-28 08:00] - [2008-06-20 06:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

C:\WINDOWS\system32\Drivers\ipsec.sys
[2006-02-28 08:00] - [2006-02-28 08:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2006-02-28 08:00] - [2008-02-20 01:32] - 0045568 ____A (Microsoft Corporation) AAC8FFBFD61E784FA3BAC851D4A0BD5F

C:\WINDOWS\system32\ipnathlp.dll
[2006-02-28 08:00] - [2006-02-28 08:00] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2006-02-28 08:00] - [2005-08-22 14:29] - 0197632 ____A (Microsoft Corporation) 36739B39267914BA69AD0610A0299732

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2008-02-15 11:36] - [2006-02-28 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2008-02-15 11:38] - [2006-02-28 08:00] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2008-02-15 11:38] - [2006-02-28 08:00] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2006-02-28 08:00] - [2006-02-28 08:00] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2008-02-15 11:36] - [2006-02-28 08:00] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2008-02-15 11:38] - [2006-02-28 08:00] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

C:\WINDOWS\system32\qmgr.dll
[2008-02-15 11:38] - [2006-02-28 08:00] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2006-02-28 08:00] - [2008-07-07 16:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C

C:\WINDOWS\system32\cryptsvc.dll
[2006-02-28 08:00] - [2006-02-28 08:00] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

C:\WINDOWS\system32\svchost.exe
[2006-02-28 08:00] - [2006-02-28 08:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2006-02-28 08:00] - [2009-02-09 06:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

C:\WINDOWS\system32\services.exe
[2006-02-28 08:00] - [2009-02-06 13:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE



**** End of log ****
 