Rootkit infection - pop up ads, constant pinging, screwed up localhosts

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages
←
1
2
3
4
→

You cannot start a new topic
This topic is locked

Rootkit infection - pop up ads, constant pinging, screwed up localhosts

#31 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 February 2012 - 11:17 PM

Hello

we need to sit tight for a little while - this looks like a new version of this virus and need some time to see how to beat it

gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#32 Wizzums

Member

Group: Members
Posts: 27
Joined: 09-February 12

Posted 12 February 2012 - 11:19 PM

No problem! For what it's worth, I've had the computer on idling at the desktop with MBAM running and haven't had one blocked outbound attempt. Definitely the first time that's been gone since this all started.

Thanks for everything you've done!

#33 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 February 2012 - 11:38 PM

Hello

That is good but I don't think it will last - this thing has been very stubbern and looks like I have at least 5 more just like it.

and that was very nice earlier and I thank you!!

Gringo

<-- Don't worry every little bit helps.

#34 Wizzums

Member

Group: Members
Posts: 27
Joined: 09-February 12

Posted 13 February 2012 - 12:17 PM

It's the least I could do, you certainly deserve more.

I left the old infected PC on idling for the night. Still nothing bad to report in the MBAM log. I've been using various browsers for most of the morning and haven't received any pop up ads.

I was even finally able to run:

netsh winsock reset

in a command prompt to fix my localhost issue. I always received missing DLL errors before your troubleshooting. After a reboot, the local web server is back up and running.

Only time will tell if it's completely gone. For now, it's running just as well as it was before the infection.

Thank you again! The service you provide is invaluable.

#35 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 14 February 2012 - 02:57 AM

Hello

rerun aswMBR again for me I want to see if it comes back clean

gringo

<-- Don't worry every little bit helps.

#36 Wizzums

Member

Group: Members
Posts: 27
Joined: 09-February 12

Posted 14 February 2012 - 11:42 PM

Looks like the tdx.sys file still comes back with as infected, but the others are gone.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-14 20:39:15
-----------------------------
20:39:15.194 OS Version: Windows 6.1.7601 Service Pack 1
20:39:15.195 Number of processors: 4 586 0x1E05
20:39:15.197 ComputerName: STORMS UserName: mick
20:39:19.870 Initialize success
20:40:18.124 AVAST engine defs: 12021401
20:45:39.372 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:45:39.378 Disk 0 Vendor: ST3250318AS CC45 Size: 238418MB BusType: 11
20:45:39.397 Disk 0 MBR read successfully
20:45:39.402 Disk 0 MBR scan
20:45:39.409 Disk 0 Windows 7 default MBR code
20:45:39.416 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
20:45:39.432 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238370 MB offset 80325
20:45:39.442 Disk 0 scanning sectors +488263545
20:45:39.513 Disk 0 scanning C:\Windows\system32\drivers
20:45:48.016 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Sirefef-JQ [Trj]
20:45:49.882 Disk 0 trace - called modules:
20:45:49.910 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
20:45:49.920 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x9e822030]
20:45:50.259 3 CLASSPNP.SYS[a41d959e] -> nt!IofCallDriver -> [0x9e6a53e0]
20:45:50.270 5 ACPI.sys[a3eb03d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x9e680908]
20:45:55.720 AVAST engine scan C:\Windows
20:45:58.327 AVAST engine scan C:\Windows\system32
20:48:35.135 AVAST engine scan C:\Windows\system32\drivers
20:48:46.457 File: C:\Windows\system32\drivers\tdx.sys **INFECTED** Win32:Sirefef-JQ [Trj]
20:48:49.186 AVAST engine scan C:\Users\mick
21:02:55.863 AVAST engine scan C:\ProgramData
21:21:17.655 Scan finished successfully
21:41:27.596 Disk 0 MBR has been saved successfully to "C:\Users\mick\Desktop\MBR.dat"
21:41:27.601 The log file has been saved successfully to "C:\Users\mick\Desktop\aswMBR.txt"

#37 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 15 February 2012 - 08:07 AM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
After it has completed do not choose to reboot the clean computer simply close the installer
Next download http://noahdfear.net/downloads/driver.sh to your USB
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Confirm that you see driver.sh that you downloaded there
Press Tool at the top
Choose Open Terminal
Type bash driver.sh
Press Enter
After it has finished a report will be located on your USB drive named report.txt
Remove the USB drive and insert back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

<-- Don't worry every little bit helps.

#38 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 16 February 2012 - 08:42 AM

Hello

I have been looking into somethings and I think I am onto something so I need you to run this again

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo

<-- Don't worry every little bit helps.

#39 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 February 2012 - 01:45 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#40 Wizzums

Member

Group: Members
Posts: 27
Joined: 09-February 12

Posted 19 February 2012 - 11:47 AM

I've just returned from a trip where I did not have access to the infected PC, sorry!

The external drive I've been using is quite large and has a lot of other important files on it. Do you still need the xPUD logs you requested on the 15th? I'll need to get a different USB drive or clean this one off before I can format it and install xPUD.

I will run Farbar as soon as I hear back from you about xPUD, as I'm not sure if you'd like me to run these in the order you posted them.

Thanks again for your help. The machine is still running without any issues.

#41 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 February 2012 - 01:48 PM

No I want the farbar tool run

when I say a USB drive I am talking about a pen drive, a flash drive or something like that

gringo

<-- Don't worry every little bit helps.

#42 Wizzums

Member

Group: Members
Posts: 27
Joined: 09-February 12

Posted 19 February 2012 - 08:57 PM

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 11-02-2012
Ran by SYSTEM at 2012-02-19 18:39:58
Running from F:\malware
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2008-08-11] (LogMeIn, Inc.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1797488 2011-01-07] (Microsoft Corporation)
HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1298320 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKU\mick\...\Policies\system: [disableregistrytools] 0
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
AppInit_DLLs: acaptuser32.dll

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [176128 2011-11-09] (AMD)
3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2010-04-14] (Acresso Software Inc.)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [136176 2011-10-18] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [136176 2011-10-18] (Google Inc.)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374152 2011-06-16] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136584 2011-06-16] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice [31125880 2011-06-12] (Microsoft Corporation)
2 NovacomD; C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe [61440 2011-03-15] (Palm)
2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [80896 2011-03-31] ()
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-01-13] ()
2 Stereo Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [378984 2011-01-07] (NVIDIA Corporation)
3 StorSvc; C:\Windows\System32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
3 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [268528 2010-09-24] (Microsoft Corporation)
2 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [6351600 2010-09-24] (Microsoft Corporation)
3 ZuneWlanCfgSvc; C:\Windows\system32\ZuneWlanCfgSvc.exe [444656 2010-09-24] (Microsoft Corporation)
2 GoToMyPC; "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" Start=service [x]
2 MySQL; C:\PROGRA~1\EASYPH~1.0\MySql\bin\mysqld.exe --defaults-file=C:\PROGRA~1\EASYPH~1.0\MySql\my.ini MySQL [x]
2 PSSdk21; C:\Windows\System32\n3900.dll [x]
3 wampapache; "c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe" -k runservice [x]
3 wampmysqld; c:\wamp\bin\mysql\mysql5.5.20\bin\mysqld.exe wampmysqld [x]

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [8913920 2011-11-09] (Advanced Micro Devices, Inc.)
3 amdkmdap; C:\Windows\System32\DRIVERS\atikmpag.sys [263680 2011-11-09] (Advanced Micro Devices, Inc.)
3 athur; C:\Windows\System32\DRIVERS\athur.sys [1500160 2010-01-05] (Atheros Communications, Inc.)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdW73.sys [85520 2011-10-17] (Advanced Micro Devices)
1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [232512 2011-09-17] (DT Soft Ltd)
3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [25088 2009-10-26] (HTC, Corporation)
3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows ® Win 7 DDK provider)
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-06] (Broadcom Corporation)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2008-08-11] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2008-08-11] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2008-08-11] (LogMeIn, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [20464 2011-12-10] (Malwarebytes Corporation)
3 netr73; C:\Windows\System32\DRIVERS\netr73.sys [562464 2010-02-24] (Ralink Technology, Corp.)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [16768 2011-04-08] (Microsoft Corporation)
3 NVHDA; C:\Windows\System32\drivers\nvhda32v.sys [66592 2009-08-21] (NVIDIA Corporation)
3 Point32; C:\Windows\System32\DRIVERS\point32.sys [40800 2011-01-07] (Microsoft Corporation)
1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [74752 2012-02-11] ()
2 UltraMonUtility; \??\C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [17184 2008-11-14] (Realtime Soft Ltd)
3 catchme; \??\C:\Users\mick\AppData\Local\Temp\catchme.sys [x]
1 cdrom; C:\Windows\System32\DRIVERS\cdrom.sys [x]
4 LMIRfsClientNP; [x]
1 NetBT; C:\Windows\System32\DRIVERS\netbt.sys [x]
3 RegKernelHelp; \??\C:\Program Files\Safe Returner\RegKernelHelp.sys [x]
0 vsmraid; C:\Windows\System32\DRIVERS\vsmraid.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: PSSdk21
NETSVC: ndiscm

============ One Month Created Files and Folders ==============

2012-02-16 02:00 - 2011-12-13 19:10 - 9705472 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-16 02:00 - 2011-12-13 19:04 - 1798656 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-16 02:00 - 2011-12-13 18:57 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-16 02:00 - 2011-12-13 18:57 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-16 02:00 - 2011-12-13 18:56 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-16 02:00 - 2011-12-13 18:55 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-16 02:00 - 2011-12-13 18:54 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-16 02:00 - 2011-12-13 18:53 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-16 02:00 - 2011-12-13 18:52 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-16 02:00 - 2011-12-13 18:50 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-16 02:00 - 2011-12-13 18:50 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-16 02:00 - 2011-12-13 18:47 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-15 15:44 - 2012-01-13 19:35 - 2343424 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-15 15:44 - 2012-01-04 00:59 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-02-15 15:44 - 2012-01-04 00:58 - 0442880 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-02-15 15:44 - 2011-12-29 21:27 - 0478720 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2012-02-15 15:44 - 2011-12-15 23:52 - 0690688 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2012-02-14 20:41 - 2012-02-14 20:41 - 0002059 ____A C:\Users\mick\Desktop\aswMBR.txt
2012-02-13 10:12 - 2012-02-13 10:15 - 0000000 ____D C:\Users\mick\Downloads\registry
2012-02-12 20:38 - 2012-02-12 20:48 - 0022886 ____A C:\Users\mick\Downloads\workmans-comp.pdf
2012-02-12 20:28 - 2012-02-15 15:33 - 0001512 ____A C:\Windows\System32\Drivers\etc\hosts
2012-02-12 20:24 - 2012-02-12 20:24 - 0000000 ____D C:\Program Files\Foxit Software
2012-02-12 20:12 - 2012-02-12 20:12 - 0031398 ____A C:\Users\mick\Downloads\2012- 2 unsigned rejection form.pdf
2012-02-12 17:20 - 2012-02-12 17:33 - 0000000 ___SD C:\ComboFix
2012-02-12 17:18 - 2012-02-12 17:18 - 0000077 ____A C:\Users\mick\Desktop\CFScript.txt
2012-02-12 13:37 - 2012-02-12 13:37 - 0007970 ____A C:\Users\mick\Desktop\hijackthis.log
2012-02-12 13:35 - 2012-02-12 13:35 - 0002959 ____A C:\Users\mick\Desktop\HiJackThis.lnk
2012-02-12 13:35 - 2012-02-12 13:35 - 0000000 ____D C:\Program Files\Trend Micro
2012-02-12 13:34 - 2012-02-12 13:34 - 1402880 ____A C:\Users\mick\Desktop\HiJackThis.msi
2012-02-12 13:08 - 2012-02-13 09:37 - 0001991 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-02-12 13:02 - 2012-02-12 13:02 - 2617176 ____A (VS Revo Group Ltd.) C:\Users\mick\Desktop\revosetup.exe
2012-02-12 13:02 - 2012-02-12 13:02 - 0001228 ____A C:\Users\mick\Desktop\Revo Uninstaller.lnk
2012-02-12 13:02 - 2012-02-12 13:02 - 0000000 ____D C:\Program Files\VS Revo Group
2012-02-12 01:00 - 2012-02-12 01:00 - 0000000 ____D C:\$RECYCLE.BIN
2012-02-12 00:57 - 2009-07-13 15:45 - 0083456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Serial.sys
2012-02-12 00:51 - 2012-02-12 19:19 - 0000000 ____D C:\Windows\System32\config\HiveBackup
2012-02-12 00:41 - 2011-09-17 22:04 - 0232512 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-02-12 00:27 - 2012-02-12 00:27 - 0135520 ____A C:\Windows\Minidump\021212-17144-01.dmp
2012-02-11 23:49 - 2012-02-19 18:40 - 0000000 ____D C:\FRST
2012-02-11 09:30 - 2012-02-11 09:30 - 1932256 ____A (Symantec Corporation) C:\Users\mick\Desktop\FixTDSS.exe
2012-02-11 09:30 - 2012-02-11 09:30 - 0026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-02-11 09:30 - 2012-02-11 09:30 - 0000000 ____D C:\Users\mick\AppData\Roaming\FixTDSS
2012-02-11 09:17 - 2012-02-12 14:54 - 0004016 ____A C:\Users\mick\Desktop\aswMBR-old2.txt
2012-02-11 07:41 - 2012-02-11 07:41 - 0079638 ____A C:\TDSSKiller.2.7.11.0_11.02.2012_08.41.00_log.txt
2012-02-11 07:40 - 2012-02-11 07:40 - 0000346 ____A C:\TDSSKiller.2.7.9.0_11.02.2012_08.40.00_log.txt
2012-02-11 07:40 - 2012-02-09 09:15 - 2059824 ____A (Kaspersky Lab ZAO) C:\Users\mick\Desktop\TDSSKiller.exe
2012-02-11 00:19 - 2012-02-11 00:19 - 0021717 ____A C:\Users\mick\Desktop\combofix-log.txt
2012-02-10 23:18 - 2012-02-10 23:19 - 4400207 ____R (Swearware) C:\Users\mick\Desktop\ComboFix.exe
2012-02-10 19:50 - 2012-02-10 19:50 - 0036791 ____A C:\Users\mick\Desktop\ark.txt
2012-02-10 14:54 - 2012-02-10 14:54 - 2094534 ____A C:\Users\mick\Downloads\Rackspace Instructions.pdf
2012-02-09 15:47 - 2012-02-09 15:47 - 0016577 ____A C:\Users\mick\Desktop\Attach.txt
2012-02-09 15:46 - 2012-02-09 15:46 - 0017730 ____A C:\Users\mick\Desktop\DDS.txt
2012-02-09 15:11 - 2012-02-09 15:11 - 0139196 ____A C:\Users\mick\Desktop\OTL.Txt
2012-02-09 15:11 - 2012-02-09 15:11 - 0057996 ____A C:\Users\mick\Desktop\Extras.Txt
2012-02-09 15:00 - 2012-02-09 15:00 - 0584192 ____A (OldTimer Tools) C:\Users\mick\Desktop\OTL.exe
2012-02-09 14:45 - 2012-02-14 20:41 - 0000512 ____A C:\Users\mick\Desktop\MBR.dat
2012-02-09 14:45 - 2012-02-09 14:52 - 0004143 ____A C:\Users\mick\Desktop\aswMBR-old.txt
2012-02-09 13:47 - 2012-02-09 13:47 - 4733440 ____A (AVAST Software) C:\Users\mick\Desktop\aswMBR.exe
2012-02-09 13:25 - 2012-02-09 13:25 - 1413120 ____A (Option^Explicit Software Solutions) C:\Users\mick\Desktop\winsockfix.exe
2012-02-09 12:27 - 2010-11-20 00:44 - 0388096 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\csc.sys
2012-02-09 12:14 - 2012-02-09 12:12 - 9200064 ____A (OPSWAT, Inc.) C:\Users\mick\Desktop\AppRemover.exe
2012-02-09 12:00 - 2012-02-12 15:37 - 0002012 ____A C:\Users\mick\Desktop\SystemLook.txt
2012-02-09 11:59 - 2012-02-09 11:59 - 0001480 ____A C:\Users\mick\Desktop\FSS.txt
2012-02-09 11:57 - 2012-02-09 11:57 - 0037328 ____A C:\Users\mick\Desktop\RKUnhooker-Report.txt
2012-02-09 11:51 - 2012-02-09 11:51 - 0000470 ____A C:\Users\mick\Desktop\defogger_disable.log
2012-02-09 11:51 - 2012-02-09 11:51 - 0000000 ____A C:\Users\mick\defogger_reenable
2012-02-09 11:46 - 2012-02-09 11:46 - 0446464 ____A (OldTimer Tools) C:\Users\mick\Desktop\TFC.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A C:\Users\mick\Desktop\SystemLook.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A () C:\Users\mick\Desktop\RKUnhookerLE.EXE
2012-02-09 11:45 - 2012-02-09 11:45 - 0050477 ____A C:\Users\mick\Desktop\Defogger.exe
2012-02-09 11:44 - 2012-02-09 11:43 - 0335925 ____A C:\Users\mick\Desktop\FSS.exe
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-02-09 10:23 - 2012-02-12 13:33 - 0000000 ____D C:\Windows\ERDNT
2012-02-09 10:23 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-02-09 10:23 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-02-09 10:23 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-02-09 10:00 - 2012-02-12 17:20 - 0000000 ____D C:\Qoobox
2012-02-08 23:15 - 2012-02-08 23:15 - 0143696 ____A C:\Windows\Minidump\020912-22308-01.dmp
2012-02-06 21:57 - 2012-02-11 07:41 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-06 21:56 - 2012-02-06 21:57 - 0080352 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.56.21_log.txt
2012-02-06 21:52 - 2012-02-06 21:53 - 0079506 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.52.19_log.txt
2012-02-06 08:04 - 2012-02-06 08:04 - 0607260 ____R (Swearware) C:\Users\mick\Desktop\dds.scr
2012-02-06 08:04 - 2012-02-06 08:04 - 0302592 ____A C:\Users\mick\Desktop\GMER.exe
2012-02-06 08:03 - 2012-02-09 15:44 - 0000000 ____D C:\Users\mick\Downloads\malware
2012-02-05 08:37 - 2012-02-12 13:33 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-04 21:22 - 2012-02-04 21:22 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall (1).exe
2012-02-03 23:50 - 2012-02-03 23:50 - 0000000 ____D C:\Users\mick\Downloads\backups
2012-02-03 23:48 - 2012-02-09 11:28 - 0269398 ____A C:\Windows\ntbtlog.txt
2012-02-03 16:10 - 2012-02-03 16:11 - 0079214 ____A C:\TDSSKiller.2.7.9.0_03.02.2012_17.10.41_log.txt
2012-02-03 16:10 - 2012-02-03 16:10 - 2059312 ____A (Kaspersky Lab ZAO) C:\Users\mick\Downloads\tdsskiller.exe
2012-02-03 16:03 - 2012-02-03 16:03 - 0001759 ____A C:\Users\mick\Desktop\SafeReturner_log.txt
2012-02-03 16:01 - 2012-02-03 16:01 - 0000102 ____A C:\Users\mick\Desktop\catchme.log
2012-02-03 16:00 - 2012-02-03 16:03 - 0000000 ____D C:\Users\All Users\SafeReturner
2012-02-03 16:00 - 2012-02-03 16:03 - 0000000 ____D C:\ProgramData\SafeReturner
2012-02-03 16:00 - 2012-02-03 16:01 - 0000329 ____A C:\Users\mick\Desktop\AntiExeHijack.log
2012-02-03 16:00 - 2012-02-03 16:01 - 0000000 ____D C:\Program Files\Safe Returner
2012-02-03 16:00 - 2012-02-03 16:00 - 0001026 ____A C:\Users\Public\Desktop\Safe Returner.lnk
2012-02-03 16:00 - 2012-02-03 16:00 - 0001006 ____A C:\Users\Public\Desktop\Kill Rogue Process.lnk
2012-02-03 09:13 - 2012-02-03 09:13 - 5154304 ____A C:\Users\mick\Downloads\WindowsDefender.msi
2012-02-03 03:01 - 2012-02-03 03:01 - 0143696 ____A C:\Windows\Minidump\020312-22744-01.dmp
2012-02-02 12:50 - 2012-02-09 07:51 - 0001516 ____A C:\Windows\System32\Drivers\etc\hosts.bak
2012-02-01 16:40 - 2012-02-01 18:40 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-02-01 16:40 - 2012-02-01 18:40 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Users\mick\AppData\Roaming\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-02-01 16:40 - 2011-12-10 14:24 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-02-01 16:35 - 2012-02-03 23:49 - 0008687 ____A C:\Users\mick\Downloads\hijackthis.log
2012-02-01 16:34 - 2012-02-01 16:34 - 0401720 ____A (Trend Micro Inc.) C:\Users\mick\Downloads\iexplore.exe
2012-01-31 20:37 - 2012-01-31 20:37 - 3870904 ____A C:\Users\mick\Downloads\battlelog-web-plugins-1.110.0-retail-prod.exe
2012-01-31 03:12 - 2011-11-16 21:41 - 0134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-01-31 03:12 - 2011-11-16 21:41 - 0067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-01-31 03:12 - 2011-11-16 21:39 - 0369352 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-01-31 03:12 - 2011-11-16 21:35 - 0314880 ____A (Microsoft Corporation) C:\Windows\System32\webio.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0224768 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0100352 ____A (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0022016 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0015872 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2012-01-31 03:12 - 2011-11-16 21:32 - 1038848 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2012-01-31 03:12 - 2011-11-16 21:29 - 0022528 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\TortoiseSVN
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\Common Files\TortoiseOverlays
2012-01-20 11:55 - 2012-02-16 07:40 - 0000996 ____A C:\Users\mick\Start Menu\Programs\Startup\Dropbox.lnk
2012-01-20 11:55 - 2012-02-16 07:40 - 0000996 ____A C:\Users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

============ 3 Months Modified Files and Folders ===============

2012-02-19 18:40 - 2012-02-11 23:49 - 0000000 ____D C:\FRST
2012-02-19 17:21 - 2010-04-14 14:24 - 1359578 ____A C:\Windows\WindowsUpdate.log
2012-02-19 17:20 - 2011-03-07 10:51 - 0000000 ____D C:\Users\mick\AppData\Local\TSVNCache
2012-02-19 17:20 - 2010-04-14 20:33 - 0000600 ____A C:\Users\mick\winscp.RND
2012-02-19 17:18 - 2011-08-05 09:34 - 0000000 ____D C:\Users\mick\AppData\Roaming\Spotify
2012-02-19 17:18 - 2011-08-05 09:34 - 0000000 ____D C:\Users\mick\AppData\Local\Spotify
2012-02-19 17:16 - 2010-09-07 11:29 - 0000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000UA.job
2012-02-19 16:28 - 2011-10-18 08:17 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-02-19 14:28 - 2011-10-18 08:17 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-02-19 13:23 - 2010-05-22 11:09 - 0000000 ____D C:\Users\All Users\LogMeIn
2012-02-19 13:23 - 2010-05-22 11:09 - 0000000 ____D C:\ProgramData\LogMeIn
2012-02-19 13:16 - 2010-09-07 11:29 - 0000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000Core.job
2012-02-19 08:47 - 2009-07-13 20:34 - 0014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-02-19 08:47 - 2009-07-13 20:34 - 0014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-02-19 08:31 - 2010-04-14 12:12 - 0730320 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-18 17:43 - 2010-04-14 14:32 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-02-17 16:43 - 2011-09-13 07:49 - 0000000 ____D C:\Users\mick\AppData\Roaming\Dropbox
2012-02-17 13:00 - 2010-05-17 13:51 - 0001456 ____A C:\Users\mick\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-02-16 13:17 - 2010-09-07 11:30 - 0002398 ____A C:\Users\mick\Desktop\Google Chrome.lnk
2012-02-16 07:42 - 2010-04-14 16:35 - 0000000 ____D C:\Users\mick\AppData\Local\Digsby
2012-02-16 07:40 - 2012-01-20 11:55 - 0000996 ____A C:\Users\mick\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-16 07:40 - 2012-01-20 11:55 - 0000996 ____A C:\Users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-02-16 07:40 - 2011-09-13 07:55 - 0001016 ____A C:\Users\mick\Desktop\Dropbox.lnk
2012-02-16 07:38 - 2010-04-14 20:44 - 0000000 ___RD C:\Users\mick\Podcasts
2012-02-16 07:38 - 2010-04-14 14:24 - 0000174 ___SH C:\Users\mick\Start Menu\Programs\Startup\desktop.ini
2012-02-16 07:38 - 2010-04-14 14:24 - 0000174 ___SH C:\Users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-16 02:33 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\Microsoft.NET
2012-02-16 02:26 - 2010-04-14 14:54 - 0000000 ____D C:\Users\All Users\NVIDIA
2012-02-16 02:26 - 2010-04-14 14:54 - 0000000 ____D C:\ProgramData\NVIDIA
2012-02-16 02:26 - 2009-07-13 20:53 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-02-16 02:26 - 2009-07-13 20:39 - 0061722 ____A C:\Windows\setupact.log
2012-02-16 02:25 - 2010-08-18 08:37 - 0000000 ____D C:\Program Files\Microsoft Silverlight
2012-02-16 02:25 - 2010-04-14 12:02 - 2383761408 __ASH C:\hiberfil.sys
2012-02-16 02:25 - 2009-07-13 20:33 - 3863656 ____A C:\Windows\System32\FNTCACHE.DAT
2012-02-16 02:08 - 2010-04-14 17:55 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-02-16 02:08 - 2010-04-14 17:55 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-02-16 02:08 - 2010-04-14 10:07 - 0000000 ____D C:\Config.Msi
2012-02-16 02:05 - 2010-04-18 16:24 - 52550552 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-02-15 15:33 - 2012-02-12 20:28 - 0001512 ____A C:\Windows\System32\Drivers\etc\hosts
2012-02-15 11:01 - 2010-06-18 09:31 - 0000000 ____D C:\Users\mick\AppData\Roaming\FileZilla
2012-02-14 20:41 - 2012-02-14 20:41 - 0002059 ____A C:\Users\mick\Desktop\aswMBR.txt
2012-02-14 20:41 - 2012-02-09 14:45 - 0000512 ____A C:\Users\mick\Desktop\MBR.dat
2012-02-14 18:41 - 2011-02-23 09:05 - 0000000 ____D C:\Users\mick\AppData\Roaming\TeraCopy
2012-02-13 10:15 - 2012-02-13 10:12 - 0000000 ____D C:\Users\mick\Downloads\registry
2012-02-13 09:41 - 2010-10-01 19:30 - 0000000 ____D C:\Users\mick\AppData\Local\Deployment
2012-02-13 09:41 - 2010-10-01 19:30 - 0000000 ____D C:\Users\mick\AppData\Local\Apps\2.0
2012-02-13 09:37 - 2012-02-12 13:08 - 0001991 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-02-13 09:30 - 2011-06-10 08:03 - 0000000 ____D C:\Users\mick\AppData\Roaming\Notepad++
2012-02-13 09:30 - 2011-06-10 08:03 - 0000000 ____D C:\Program Files\Notepad++
2012-02-12 20:48 - 2012-02-12 20:38 - 0022886 ____A C:\Users\mick\Downloads\workmans-comp.pdf
2012-02-12 20:48 - 2010-04-27 14:42 - 0000060 ____A C:\Windows\wpd99.drv
2012-02-12 20:48 - 2010-04-27 14:42 - 0000000 ____D C:\Users\All Users\pdf995
2012-02-12 20:48 - 2010-04-27 14:42 - 0000000 ____D C:\ProgramData\pdf995
2012-02-12 20:24 - 2012-02-12 20:24 - 0000000 ____D C:\Program Files\Foxit Software
2012-02-12 20:12 - 2012-02-12 20:12 - 0031398 ____A C:\Users\mick\Downloads\2012- 2 unsigned rejection form.pdf
2012-02-12 20:12 - 2010-04-14 14:45 - 0000000 ____D C:\Users\mick\AppData\Roaming\Adobe
2012-02-12 19:19 - 2012-02-12 00:51 - 0000000 ____D C:\Windows\System32\config\HiveBackup
2012-02-12 17:34 - 2010-04-14 14:54 - 0053648 ____A C:\Windows\PFRO.log
2012-02-12 17:33 - 2012-02-12 17:20 - 0000000 ___SD C:\ComboFix
2012-02-12 17:25 - 2009-07-13 18:37 - 0000000 _SHDC C:\Windows\$NtUninstallKB39289$
2012-02-12 17:20 - 2012-02-09 10:00 - 0000000 ____D C:\Qoobox
2012-02-12 17:18 - 2012-02-12 17:18 - 0000077 ____A C:\Users\mick\Desktop\CFScript.txt
2012-02-12 15:37 - 2012-02-09 12:00 - 0002012 ____A C:\Users\mick\Desktop\SystemLook.txt
2012-02-12 14:54 - 2012-02-11 09:17 - 0004016 ____A C:\Users\mick\Desktop\aswMBR-old2.txt
2012-02-12 13:37 - 2012-02-12 13:37 - 0007970 ____A C:\Users\mick\Desktop\hijackthis.log
2012-02-12 13:35 - 2012-02-12 13:35 - 0002959 ____A C:\Users\mick\Desktop\HiJackThis.lnk
2012-02-12 13:35 - 2012-02-12 13:35 - 0000000 ____D C:\Program Files\Trend Micro
2012-02-12 13:34 - 2012-02-12 13:34 - 1402880 ____A C:\Users\mick\Desktop\HiJackThis.msi
2012-02-12 13:33 - 2012-02-09 10:23 - 0000000 ____D C:\Windows\ERDNT
2012-02-12 13:33 - 2012-02-05 08:37 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-12 13:08 - 2010-04-14 17:30 - 0000000 ____D C:\Program Files\Adobe
2012-02-12 13:07 - 2010-04-14 17:30 - 0000000 ____D C:\Users\All Users\Adobe
2012-02-12 13:07 - 2010-04-14 17:30 - 0000000 ____D C:\ProgramData\Adobe
2012-02-12 13:02 - 2012-02-12 13:02 - 2617176 ____A (VS Revo Group Ltd.) C:\Users\mick\Desktop\revosetup.exe
2012-02-12 13:02 - 2012-02-12 13:02 - 0001228 ____A C:\Users\mick\Desktop\Revo Uninstaller.lnk
2012-02-12 13:02 - 2012-02-12 13:02 - 0000000 ____D C:\Program Files\VS Revo Group
2012-02-12 01:00 - 2012-02-12 01:00 - 0000000 ____D C:\$RECYCLE.BIN
2012-02-12 01:00 - 2011-10-18 08:17 - 0000000 ____D C:\Program Files\Google
2012-02-12 01:00 - 2009-07-13 18:04 - 0000215 ____A C:\Windows\system.ini
2012-02-12 00:57 - 2009-07-13 18:03 - 55029760 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-02-12 00:57 - 2009-07-13 18:03 - 22806528 ____A C:\Windows\System32\config\SYSTEM.bak
2012-02-12 00:57 - 2009-07-13 18:03 - 0245760 ____A C:\Windows\System32\config\DEFAULT.bak
2012-02-12 00:57 - 2009-07-13 18:03 - 0028672 ____A C:\Windows\System32\config\SAM.bak
2012-02-12 00:57 - 2009-07-13 18:03 - 0024576 ____A C:\Windows\System32\config\SECURITY.bak
2012-02-12 00:42 - 2009-07-13 20:53 - 0032628 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-02-12 00:27 - 2012-02-12 00:27 - 0135520 ____A C:\Windows\Minidump\021212-17144-01.dmp
2012-02-12 00:27 - 2010-04-26 08:02 - 104038760 ____A C:\Windows\MEMORY.DMP
2012-02-12 00:27 - 2010-04-26 08:02 - 0000000 ____D C:\Windows\Minidump
2012-02-11 10:42 - 2011-04-05 09:21 - 0074752 ____A C:\Windows\System32\Drivers\tdx.sys
2012-02-11 10:37 - 2011-04-05 09:21 - 0078336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dfsc.sys
2012-02-11 09:30 - 2012-02-11 09:30 - 1932256 ____A (Symantec Corporation) C:\Users\mick\Desktop\FixTDSS.exe
2012-02-11 09:30 - 2012-02-11 09:30 - 0026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-02-11 09:30 - 2012-02-11 09:30 - 0000000 ____D C:\Users\mick\AppData\Roaming\FixTDSS
2012-02-11 07:41 - 2012-02-11 07:41 - 0079638 ____A C:\TDSSKiller.2.7.11.0_11.02.2012_08.41.00_log.txt
2012-02-11 07:41 - 2012-02-06 21:57 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-11 07:40 - 2012-02-11 07:40 - 0000346 ____A C:\TDSSKiller.2.7.9.0_11.02.2012_08.40.00_log.txt
2012-02-11 00:19 - 2012-02-11 00:19 - 0021717 ____A C:\Users\mick\Desktop\combofix-log.txt
2012-02-10 23:19 - 2012-02-10 23:18 - 4400207 ____R (Swearware) C:\Users\mick\Desktop\ComboFix.exe
2012-02-10 19:50 - 2012-02-10 19:50 - 0036791 ____A C:\Users\mick\Desktop\ark.txt
2012-02-10 14:54 - 2012-02-10 14:54 - 2094534 ____A C:\Users\mick\Downloads\Rackspace Instructions.pdf
2012-02-09 15:47 - 2012-02-09 15:47 - 0016577 ____A C:\Users\mick\Desktop\Attach.txt
2012-02-09 15:46 - 2012-02-09 15:46 - 0017730 ____A C:\Users\mick\Desktop\DDS.txt
2012-02-09 15:44 - 2012-02-06 08:03 - 0000000 ____D C:\Users\mick\Downloads\malware
2012-02-09 15:11 - 2012-02-09 15:11 - 0139196 ____A C:\Users\mick\Desktop\OTL.Txt
2012-02-09 15:11 - 2012-02-09 15:11 - 0057996 ____A C:\Users\mick\Desktop\Extras.Txt
2012-02-09 15:00 - 2012-02-09 15:00 - 0584192 ____A (OldTimer Tools) C:\Users\mick\Desktop\OTL.exe
2012-02-09 14:52 - 2012-02-09 14:45 - 0004143 ____A C:\Users\mick\Desktop\aswMBR-old.txt
2012-02-09 13:47 - 2012-02-09 13:47 - 4733440 ____A (AVAST Software) C:\Users\mick\Desktop\aswMBR.exe
2012-02-09 13:25 - 2012-02-09 13:25 - 1413120 ____A (Option^Explicit Software Solutions) C:\Users\mick\Desktop\winsockfix.exe
2012-02-09 12:12 - 2012-02-09 12:14 - 9200064 ____A (OPSWAT, Inc.) C:\Users\mick\Desktop\AppRemover.exe
2012-02-09 11:59 - 2012-02-09 11:59 - 0001480 ____A C:\Users\mick\Desktop\FSS.txt
2012-02-09 11:57 - 2012-02-09 11:57 - 0037328 ____A C:\Users\mick\Desktop\RKUnhooker-Report.txt
2012-02-09 11:51 - 2012-02-09 11:51 - 0000470 ____A C:\Users\mick\Desktop\defogger_disable.log
2012-02-09 11:51 - 2012-02-09 11:51 - 0000000 ____A C:\Users\mick\defogger_reenable
2012-02-09 11:51 - 2010-04-14 14:24 - 0000000 ____D C:\users\mick
2012-02-09 11:46 - 2012-02-09 11:46 - 0446464 ____A (OldTimer Tools) C:\Users\mick\Desktop\TFC.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A C:\Users\mick\Desktop\SystemLook.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A () C:\Users\mick\Desktop\RKUnhookerLE.EXE
2012-02-09 11:45 - 2012-02-09 11:45 - 0050477 ____A C:\Users\mick\Desktop\Defogger.exe
2012-02-09 11:43 - 2012-02-09 11:44 - 0335925 ____A C:\Users\mick\Desktop\FSS.exe
2012-02-09 11:28 - 2012-02-03 23:48 - 0269398 ____A C:\Windows\ntbtlog.txt
2012-02-09 11:12 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\NDF
2012-02-09 11:07 - 2010-08-18 09:10 - 0000000 ____D C:\Users\mick\AppData\Local\ElevatedDiagnostics
2012-02-09 11:03 - 2009-07-13 18:37 - 0000000 ___RD C:\users\Public
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-02-09 10:12 - 2010-04-14 15:15 - 0000000 ____D C:\Users\All Users\avg9
2012-02-09 10:12 - 2010-04-14 15:15 - 0000000 ____D C:\ProgramData\avg9
2012-02-09 10:04 - 2010-10-22 08:49 - 0000000 ____D C:\Users\All Users\MFAData
2012-02-09 10:04 - 2010-10-22 08:49 - 0000000 ____D C:\ProgramData\MFAData
2012-02-09 09:15 - 2012-02-11 07:40 - 2059824 ____A (Kaspersky Lab ZAO) C:\Users\mick\Desktop\TDSSKiller.exe
2012-02-09 08:30 - 2011-06-14 16:56 - 0000000 ____D C:\wamp
2012-02-09 07:51 - 2012-02-02 12:50 - 0001516 ____A C:\Windows\System32\Drivers\etc\hosts.bak
2012-02-08 23:15 - 2012-02-08 23:15 - 0143696 ____A C:\Windows\Minidump\020912-22308-01.dmp
2012-02-08 11:54 - 2010-04-14 15:32 - 0000000 ____D C:\htdocs
2012-02-08 09:31 - 2011-06-14 16:01 - 0000000 ____D C:\Users\mick\Downloads\AMP
2012-02-06 21:57 - 2012-02-06 21:56 - 0080352 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.56.21_log.txt
2012-02-06 21:53 - 2012-02-06 21:52 - 0079506 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.52.19_log.txt
2012-02-06 21:50 - 2011-12-17 19:59 - 0242754 ____A C:\shared.log
2012-02-06 20:55 - 2011-12-17 20:54 - 0282864 ____A C:\Windows\System32\PnkBstrB.xtr
2012-02-06 20:55 - 2011-12-17 19:55 - 0282864 ____A C:\Windows\System32\PnkBstrB.exe
2012-02-06 20:55 - 2011-12-17 19:55 - 0280904 ____A C:\Windows\System32\PnkBstrB.ex0
2012-02-06 20:55 - 2011-12-17 19:55 - 0139176 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2012-02-06 08:04 - 2012-02-06 08:04 - 0607260 ____R (Swearware) C:\Users\mick\Desktop\dds.scr
2012-02-06 08:04 - 2012-02-06 08:04 - 0302592 ____A C:\Users\mick\Desktop\GMER.exe
2012-02-04 21:25 - 2010-04-18 09:22 - 0000000 ____D C:\Program Files\Java
2012-02-04 21:22 - 2012-02-04 21:22 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall (1).exe
2012-02-03 23:50 - 2012-02-03 23:50 - 0000000 ____D C:\Users\mick\Downloads\backups
2012-02-03 23:49 - 2012-02-01 16:35 - 0008687 ____A C:\Users\mick\Downloads\hijackthis.log
2012-02-03 16:11 - 2012-02-03 16:10 - 0079214 ____A C:\TDSSKiller.2.7.9.0_03.02.2012_17.10.41_log.txt
2012-02-03 16:10 - 2012-02-03 16:10 - 2059312 ____A (Kaspersky Lab ZAO) C:\Users\mick\Downloads\tdsskiller.exe
2012-02-03 16:03 - 2012-02-03 16:03 - 0001759 ____A C:\Users\mick\Desktop\SafeReturner_log.txt
2012-02-03 16:03 - 2012-02-03 16:00 - 0000000 ____D C:\Users\All Users\SafeReturner
2012-02-03 16:03 - 2012-02-03 16:00 - 0000000 ____D C:\ProgramData\SafeReturner
2012-02-03 16:01 - 2012-02-03 16:01 - 0000102 ____A C:\Users\mick\Desktop\catchme.log
2012-02-03 16:01 - 2012-02-03 16:00 - 0000329 ____A C:\Users\mick\Desktop\AntiExeHijack.log
2012-02-03 16:01 - 2012-02-03 16:00 - 0000000 ____D C:\Program Files\Safe Returner
2012-02-03 16:00 - 2012-02-03 16:00 - 0001026 ____A C:\Users\Public\Desktop\Safe Returner.lnk
2012-02-03 16:00 - 2012-02-03 16:00 - 0001006 ____A C:\Users\Public\Desktop\Kill Rogue Process.lnk
2012-02-03 09:13 - 2012-02-03 09:13 - 5154304 ____A C:\Users\mick\Downloads\WindowsDefender.msi
2012-02-03 03:01 - 2012-02-03 03:01 - 0143696 ____A C:\Windows\Minidump\020312-22744-01.dmp
2012-02-02 09:18 - 2010-05-17 10:37 - 0000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
2012-02-02 09:18 - 2010-05-17 10:37 - 0000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2012-02-01 18:40 - 2012-02-01 16:40 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-02-01 18:40 - 2012-02-01 16:40 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Users\mick\AppData\Roaming\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-02-01 16:34 - 2012-02-01 16:34 - 0401720 ____A (Trend Micro Inc.) C:\Users\mick\Downloads\iexplore.exe
2012-02-01 07:34 - 2010-04-14 16:35 - 0000000 ____D C:\Program Files\Digsby
2012-02-01 02:17 - 2011-12-17 20:54 - 0000000 ____D C:\Program Files\Battlelog Web Plugins
2012-01-31 20:37 - 2012-01-31 20:37 - 3870904 ____A C:\Users\mick\Downloads\battlelog-web-plugins-1.110.0-retail-prod.exe
2012-01-30 16:30 - 2010-07-28 15:57 - 0000000 ____D C:\Users\mick\Downloads\360 mod
2012-01-30 09:46 - 2011-08-05 09:34 - 0000000 ____D C:\Program Files\Spotify
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\TortoiseSVN
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\Common Files\TortoiseOverlays
2012-01-23 13:09 - 2011-09-17 22:05 - 0000000 ____D C:\Users\All Users\Rosetta Stone
2012-01-23 13:09 - 2011-09-17 22:05 - 0000000 ____D C:\ProgramData\Rosetta Stone
2012-01-16 14:25 - 2012-01-16 14:24 - 0004807 ____A C:\Windows\System32\jupdate-1.6.0_30-b12.log
2012-01-16 14:23 - 2012-01-16 14:23 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall.exe
2012-01-14 10:37 - 2012-01-14 10:37 - 0000000 ____D C:\Program Files\K-Lite Codec Pack
2012-01-13 19:35 - 2012-02-15 15:44 - 2343424 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-13 18:35 - 2011-12-17 19:55 - 0076888 ____A C:\Windows\System32\PnkBstrA.exe
2012-01-13 18:28 - 2011-12-17 19:28 - 0000943 ____A C:\Users\Public\Desktop\Origin.lnk
2012-01-13 18:27 - 2011-12-17 19:28 - 0001561 ____A C:\Windows\KB893803v2.log
2012-01-13 18:27 - 2011-12-17 19:28 - 0000000 ____D C:\Program Files\Origin
2012-01-09 10:03 - 2010-08-16 09:59 - 0000000 ____D C:\Program Files\FileZilla FTP Client
2012-01-04 00:59 - 2012-02-15 15:44 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-01-04 00:58 - 2012-02-15 15:44 - 0442880 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-01-02 23:28 - 2012-01-02 23:28 - 2570286 ____A C:\Windows\System32\abgx360.exe
2011-12-29 21:27 - 2012-02-15 15:44 - 0478720 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2011-12-28 18:10 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\LiveKernelReports
2011-12-28 13:58 - 2011-08-10 09:59 - 0000000 ____D C:\Users\mick\AppData\Local\CloudBerry S3 Explorer PRO
2011-12-28 12:41 - 2011-08-10 09:59 - 0001318 ____A C:\Users\Public\Desktop\CloudBerry S3 Explorer PRO.lnk
2011-12-22 17:14 - 2011-12-22 17:14 - 0001102 ____A C:\Users\mick\Documents\joseph-blank.txt
2011-12-20 16:53 - 2010-04-14 20:53 - 0000000 ____D C:\Torrents
2011-12-19 16:51 - 2011-12-19 16:51 - 0000000 ____D C:\Windows\pss
2011-12-17 21:39 - 2010-07-07 19:48 - 0000000 ____D C:\Program Files\Common Files\Blizzard Entertainment
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\Users\mick\AppData\Roaming\ATI
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\Users\mick\AppData\Local\ATI
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\Users\All Users\ATI
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\ProgramData\ATI
2011-12-17 21:05 - 2011-03-15 17:04 - 0000000 ____D C:\Program Files\ATI Technologies
2011-12-17 21:05 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\DriverStore
2011-12-17 20:54 - 2011-12-17 20:54 - 0000000 ____D C:\Users\mick\Documents\Battlefield 3
2011-12-17 20:54 - 2011-12-17 20:54 - 0000000 ____D C:\Users\mick\AppData\Local\PunkBuster
2011-12-17 20:52 - 2011-12-17 20:52 - 0000000 ____A C:\Users\mick\Downloads\battlelog-web-plugins-1.104.0-retail-prod.exe
2011-12-17 20:29 - 2011-12-17 19:55 - 0138056 ____A C:\Users\mick\AppData\Roaming\PnkBstrK.sys
2011-12-17 19:59 - 2011-12-17 19:59 - 0000000 ____D C:\Users\All Users\EA Core
2011-12-17 19:59 - 2011-12-17 19:59 - 0000000 ____D C:\ProgramData\EA Core
2011-12-17 19:59 - 2011-12-17 19:28 - 0000000 ____D C:\Users\All Users\Electronic Arts
2011-12-17 19:59 - 2011-12-17 19:28 - 0000000 ____D C:\ProgramData\Electronic Arts
2011-12-17 19:58 - 2011-12-17 19:28 - 0000000 ____D C:\Users\All Users\Origin
2011-12-17 19:58 - 2011-12-17 19:28 - 0000000 ____D C:\ProgramData\Origin
2011-12-17 19:55 - 2011-12-17 19:55 - 0000000 ___HD C:\Program Files\Common Files\EAInstaller
2011-12-17 19:55 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\LogFiles
2011-12-17 19:39 - 2011-12-17 19:28 - 0000000 ____D C:\Program Files\Origin Games
2011-12-17 19:37 - 2011-12-17 19:31 - 0000000 ____D C:\Users\mick\AppData\Roaming\Origin
2011-12-17 19:28 - 2011-12-17 19:28 - 0000000 ____D C:\Users\mick\AppData\Local\Origin
2011-12-17 19:27 - 2010-04-20 23:20 - 0000000 ____D C:\World of Warcraft
2011-12-17 19:01 - 2011-12-17 17:21 - 0000000 ____D C:\Users\mick\Desktop\Battlefield 3
2011-12-17 10:16 - 2010-11-02 08:46 - 0000000 ____D C:\Program Files\SystemRequirementsLab
2011-12-17 10:16 - 2010-11-02 08:42 - 0000000 ____D C:\Users\mick\AppData\Roaming\SystemRequirementsLab
2011-12-15 23:52 - 2012-02-15 15:44 - 0690688 ____A (Microsoft Corporation) C:\Windows\System32\msvcrt.dll
2011-12-14 03:03 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\rescache
2011-12-14 02:06 - 2011-06-21 16:20 - 0000039 ____A C:\Windows\vbaddin.ini
2011-12-13 19:30 - 2012-02-16 02:00 - 12282368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-13 19:10 - 2012-02-16 02:00 - 9705472 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-13 19:04 - 2012-02-16 02:00 - 1798656 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-12-13 18:57 - 2012-02-16 02:00 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-13 18:57 - 2012-02-16 02:00 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-13 18:56 - 2012-02-16 02:00 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-12-13 18:55 - 2012-02-16 02:00 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-13 18:54 - 2012-02-16 02:00 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-13 18:53 - 2012-02-16 02:00 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-12-13 18:52 - 2012-02-16 02:00 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-13 18:50 - 2012-02-16 02:00 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-13 18:50 - 2012-02-16 02:00 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-13 18:47 - 2012-02-16 02:00 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-10 14:24 - 2012-02-01 16:40 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-07 12:57 - 2010-05-22 11:08 - 0001024 ____A C:\.rnd
2011-12-07 12:55 - 2011-12-07 12:55 - 0000000 ____D C:\usr
2011-12-07 12:48 - 2011-12-07 12:48 - 0000000 ____D C:\OpenSSL
2011-12-07 11:51 - 2010-04-26 12:20 - 0000000 ____D C:\Program Files\Common Files\Adobe AIR

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 4055.11 MB
Available physical RAM: 3341.2 MB
Total Pagefile: 4053.39 MB
Available Pagefile: 3345.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.21 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:232.78 GB) (Free:48.91 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
3 Drive e: (Athenaeum) (Fixed) (Total:372.61 GB) (Free:123.71 GB) NTFS
4 Drive f: () (Fixed) (Total:76.32 GB) (Free:66.1 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 7168 KB
Disk 1 Online 372 GB 1024 KB
Disk 2 Online 76 GB 13 MB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 232 GB 39 MB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OS NTFS Partition 232 GB Healthy

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 372 GB 31 KB

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E Athenaeum NTFS Partition 372 GB Healthy

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 76 GB 31 KB

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Partition 76 GB Healthy

==========================================================

Last Boot: 2012-02-18 23:56

======================= End Of Log ==========================

#43 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 February 2012 - 09:05 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
dds_trash_log.cmd
tdx.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

<-- Don't worry every little bit helps.

#44 Wizzums

Member

Group: Members
Posts: 27
Joined: 09-February 12

Posted 19 February 2012 - 09:20 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 19:08 on 19/02/2012 by mick
Administrator - Elevation successful

========== filefind ==========

Searching for "dds_trash_log.cmd"
C:\Windows\System32\dds_trash_log.cmd --ahs-- 0 bytes [16:37 05/02/2012] [21:33 12/02/2012] D41D8CD98F00B204E9800998ECF8427E

Searching for "tdx.sys"
C:\Users\mick\AppData\Roaming\FixTDSS\Archive\tdx.sys --a---- 74240 bytes [17:30 11/02/2012] [15:42 11/02/2012] CB39E896A2A83702D1737BFD402B3542
C:\Windows\ERDNT\cache\tdx.sys --a---- 74752 bytes [07:53 11/02/2012] [18:42 11/02/2012] B459575348C20E8121D6039DA063C704
C:\Windows\System32\drivers\tdx.sys --a---- 74752 bytes [17:21 05/04/2011] [18:42 11/02/2012] AE9E96679923DF875047FD1D35813ACD
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a---- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] CB39E896A2A83702D1737BFD402B3542
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [17:21 05/04/2011] [18:42 11/02/2012] AE9E96679923DF875047FD1D35813ACD

-= EOF =-

#45 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,571
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 19 February 2012 - 09:36 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

KillAll::

File::
C:\Windows\System32\dds_trash_log.cmd

FCopy::
C:\Windows\ERDNT\cache\tdx.sys | C:\Windows\System32\drivers\tdx.sys

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo