Rootkit infection - pop up ads, constant pinging, screwed up localhosts


  • This topic is locked
55 replies to this topic

#1 Wizzums


Posted 10 February 2012 - 11:16 PM

Lots of ping attempts being blocked by Malwarebytes. My local webserver running WAMP 2.2 no longer loads, even after restoring my hosts file that had been hijacked. I also get lots of pop-up ads in Firefox. Thanks in advance for the help!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.0.0
Run by mick at 16:45:32 on 2012-02-09
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.1752 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Users\mick\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conhost.exe
C:\Users\mick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
EB: DebugBar: {947e34e9-1d85-43cb-9cbf-5c492118fdd5} - c:\program files\core services\debugbar\DebugInfoBar.dll
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\mick\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\mick\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{20a36691-b09b-4ef2-a371-64a5bd265e20}\IcoUltraMon.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
Trusted Zone: teamitec.com\www
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{03D1D6F5-08AB-4A93-A887-532E0D7325EE} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{03D1D6F5-08AB-4A93-A887-532E0D7325EE}\3786565607 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{03D1D6F5-08AB-4A93-A887-532E0D7325EE}\378656560796E676 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{03D1D6F5-08AB-4A93-A887-532E0D7325EE}\4646D2772747 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{314F5D1B-FD8A-4353-A073-97FF3F4A9AE2} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BADCDE2B-0376-4F49-8345-E44E9D97FDE2} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BADCDE2B-0376-4F49-8345-E44E9D97FDE2}\378656560796E676 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C02FD8E7-C6B0-4473-9779-CBD722EE3E64} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F5323192-E78B-4EE7-A427-CE0E105E6603} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mick\appdata\roaming\mozilla\firefox\profiles\rgl6tyt3.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\battlelog web plugins\1.110.0\npesnlaunch.dll
FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.4\npesnsonar.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\mick\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-9 232512]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-9 176128]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-5-22 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-1 652360]
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2011-3-15 61440]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-3-31 80896]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-1-7 378984]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-7-27 2337144]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-11-9 8913920]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-11-9 263680]
R3 athur;Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2011-5-23 1500160]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-8-6 273960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-1 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-18 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-18 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 netr73;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr73.sys [2010-2-24 562464]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-4-14 66592]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-17 1343400]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-02-09 20:44:40 -------- d-----w- C:\$RECYCLE.BIN
2012-02-09 20:42:48 -------- d-----w- c:\users\mick\appdata\local\temp
2012-02-09 20:29:50 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-09 20:27:24 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2012-02-09 18:34:08 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-09 18:23:29 98816 ----a-w- c:\windows\sed.exe
2012-02-09 18:23:29 518144 ----a-w- c:\windows\SWREG.exe
2012-02-09 18:23:29 256000 ----a-w- c:\windows\PEV.exe
2012-02-09 18:23:29 208896 ----a-w- c:\windows\MBR.exe
2012-02-07 05:57:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-05 16:37:05 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 00:00:38 -------- d-----w- c:\programdata\SafeReturner
2012-02-04 00:00:33 -------- d-----w- c:\program files\Safe Returner
2012-02-02 00:40:44 -------- d-----w- c:\users\mick\appdata\roaming\Malwarebytes
2012-02-02 00:40:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-02 00:40:32 -------- d-----w- c:\programdata\Malwarebytes
2012-02-02 00:40:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-31 11:12:09 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-31 11:12:09 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-31 11:12:09 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-31 11:12:09 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-31 11:12:09 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-31 11:12:09 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-31 11:12:09 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-31 11:12:08 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-31 11:12:08 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-31 11:12:08 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-26 20:12:38 -------- d-----w- c:\program files\TortoiseSVN
2012-01-26 20:12:38 -------- d-----w- c:\program files\common files\TortoiseOverlays
2012-01-16 22:25:45 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-01-14 18:37:01 175616 ----a-w- c:\windows\system32\unrar.dll
2012-01-14 18:37:00 -------- d-----w- c:\program files\K-Lite Codec Pack
2012-01-11 15:39:03 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-11 15:39:03 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-11 15:39:03 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-11 15:39:03 45016 ----a-w- c:\program files\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2012-02-07 04:55:43 139176 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-02-07 04:55:34 282864 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-02-07 04:55:34 282864 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-02-07 04:55:12 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-01-14 02:35:10 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-01-03 07:28:06 2570286 ----a-w- c:\windows\system32\abgx360.exe
2011-12-18 04:29:22 138056 ----a-w- c:\users\mick\appdata\roaming\PnkBstrK.sys
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01:00 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-18 15:42:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-17 05:38:39 1288472 ----a-w- c:\windows\system32\ntdll.dll
.
============= FINISH: 16:46:19.50 ===============
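A check a responder could run over the "Pseudo HJT Report" section of a DDS log like the one above, to surface the loopback proxy, the disabled UAC policies and the AppInit_DLLs entry before reading the rest by hand. This is an added example, not part of the original thread or of DDS itself; the sample lines are constructed in the DDS line format, and the severity labels and the Windows 7 UAC defaults it compares against are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS pseudo-HJT line format (a subset of the
# kinds of entries the log above shows, not the thread's full log).
SAMPLE_DDS = r"""
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
FF - prefs.js: network.proxy.type - 0
""".strip()

# UAC policy values DDS reports under mPolicies-system, with the value
# Windows 7 ships by default (assumed here); anything else is worth a look.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 lets other windows draw over the prompt
}

# 127.x.x.x, localhost or ::1, optionally with a port
LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|localhost|\[?::1\]?)(:\d+)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str
    line: str
    reason: str


def _proxy_targets(value):
    """Split an IE ProxyServer value into host[:port] targets.

    The value is either "host:port" for all protocols or a ';'-separated
    list of "scheme=host:port" entries.
    """
    return [part.split("=", 1)[-1].strip() for part in value.split(";") if part.strip()]


def check_dds_report(text):
    """Return a list of Finding for one DDS 'Pseudo HJT Report' section."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # DDS prints "." for blank lines
            continue
        key, sep, value = line.partition(" = ")
        if not sep:                       # e.g. "AppInit_DLLs: <path>"
            key, sep, value = line.partition(": ")
        key, value = key.strip(), value.strip()

        if key.endswith("ProxyServer"):
            # A proxy on the local host puts a local listener in the
            # browser's path; it is also a classic reason port 80 on
            # localhost stops behaving for a local web server.
            if any(LOOPBACK.match(t) for t in _proxy_targets(value)):
                findings.append(Finding("high", line, "IE proxy points at the local host"))
        elif key.startswith("mPolicies-system: "):
            name = key[len("mPolicies-system: "):]
            if name in UAC_DEFAULTS:
                try:
                    current = int(value.split()[0])   # "0 (0x0)" -> 0
                except (ValueError, IndexError):
                    continue
                if current != UAC_DEFAULTS[name]:
                    findings.append(Finding("medium", line,
                                            f"{name}={current}, default is {UAC_DEFAULTS[name]}"))
        elif key == "AppInit_DLLs" and value:
            # Loaded into every process that links user32.dll; verify the DLL
            # belongs to installed software before treating it as benign.
            findings.append(Finding("medium", line, "AppInit_DLLs entry present; verify the DLL"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}


if __name__ == "__main__":
    for f in check_dds_report(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```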

#2 gringo_pr

  • Malware Response Team

Posted 11 February 2012 - 02:15 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo





I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#3 Wizzums


Posted 11 February 2012 - 03:16 AM

Thanks for the fast response. I uninstalled AVG a number of days ago via AppRemover (http://www.appremover.com/). When running ComboFix just now, I was prompted that AVG was still actively running.

Computer behavior is the same as before, lots of outgoing pings, no localhost functionality. It's hard to test the pop ups since they're random.




ComboFix 12-02-10.03 - mick 02/11/2012 0:29.3.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2248 [GMT -7:00]
Running from: c:\users\mick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB39289$\1552991721\@
c:\windows\$NtUninstallKB39289$\1552991721\cfg.ini
c:\windows\$NtUninstallKB39289$\1552991721\Desktop.ini
c:\windows\$NtUninstallKB39289$\1552991721\L\xadqgnnk
c:\windows\$NtUninstallKB39289$\1552991721\oemid
c:\windows\$NtUninstallKB39289$\1552991721\U\00000001.@
c:\windows\$NtUninstallKB39289$\1552991721\U\00000002.@
c:\windows\$NtUninstallKB39289$\1552991721\U\00000004.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000000.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000004.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000032.@
c:\windows\$NtUninstallKB39289$\1552991721\version
c:\windows\$NtUninstallKB39289$\2255156422
.
Infected copy of c:\windows\system32\drivers\tdx.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 07:48 . 2012-02-11 07:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-11 07:42 . 2012-02-11 07:48 -------- d-----w- c:\users\mick\AppData\Local\temp
2012-02-11 07:42 . 2012-02-11 07:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 07:25 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-09 20:27 . 2010-11-20 08:44 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2012-02-09 18:34 . 2011-09-18 06:04 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-07 05:57 . 2012-02-07 05:57 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-05 16:37 . 2012-02-11 07:44 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 00:00 . 2012-02-04 00:03 -------- d-----w- c:\programdata\SafeReturner
2012-02-04 00:00 . 2012-02-04 00:01 -------- d-----w- c:\program files\Safe Returner
2012-02-02 00:40 . 2012-02-02 00:40 -------- d-----w- c:\users\mick\AppData\Roaming\Malwarebytes
2012-02-02 00:40 . 2012-02-02 02:40 -------- d-----w- c:\programdata\Malwarebytes
2012-02-02 00:40 . 2012-02-02 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 00:40 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 11:12 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-31 11:12 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-31 11:12 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-31 11:12 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-31 11:12 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-31 11:12 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-31 11:12 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-31 11:12 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-31 11:12 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-31 11:12 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 20:12 . 2012-01-26 20:12 -------- d-----w- c:\program files\TortoiseSVN
2012-01-26 20:12 . 2012-01-26 20:12 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2012-01-16 22:25 . 2011-08-15 02:02 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-14 18:37 . 2011-03-02 11:43 175616 ----a-w- c:\windows\system32\unrar.dll
2012-01-14 18:37 . 2012-01-14 18:37 -------- d-----w- c:\program files\K-Lite Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-07 04:55 . 2011-12-18 03:55 139176 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-02-07 04:55 . 2011-12-18 04:54 282864 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-02-07 04:55 . 2011-12-18 03:55 282864 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-02-07 04:55 . 2011-12-18 03:55 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-01-14 02:35 . 2011-12-18 03:55 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-01-03 07:28 . 2012-01-03 07:28 2570286 ----a-w- c:\windows\system32\abgx360.exe
2011-12-18 04:29 . 2011-12-18 03:55 138056 ----a-w- c:\users\mick\AppData\Roaming\PnkBstrK.sys
2011-11-24 04:25 . 2011-12-13 19:43 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 22:50 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-18 15:42 . 2011-05-22 18:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-17 05:38 . 2012-01-10 22:50 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-02-01 15:35 . 2011-03-10 19:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1298320]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\mick\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{20A36691-B09B-4EF2-A371-64A5BD265E20}\IcoUltraMon.ico [2010-4-18 29310]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^Users^mick^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-23 01:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-01-31 07:36 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 10:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-23 05:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4910912 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-07 19:29 136176 ----atw- c:\users\mick\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Home Storage Manager]
2009-10-27 22:06 152936 ----a-w- c:\program files\Iomega\Home Storage Manager\Iomega Discovery.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 06:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-11-10 05:45 343168 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 20:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-09-24 20:19 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netr73;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr73.sys [2010-02-24 562464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RegKernelHelp;RegKernelHelp;c:\program files\Safe Returner\RegKernelHelp.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-17 1343400]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-09-18 232512]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 176128]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-06-16 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [2011-03-15 61440]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2011-03-31 80896]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-11-14 17184]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-11-10 8913920]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-11-10 263680]
S3 athur;Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [2010-01-06 1500160]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-06 273960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PSSdk21
npapimon
pvservice
ndiscm
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 16:17]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 16:17]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000Core.job
- c:\users\mick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-07 19:29]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000UA.job
- c:\users\mick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-07 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:80
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
LSP: mswsock.dll
Trusted Zone: teamitec.com\www
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\mick\AppData\Roaming\Mozilla\Firefox\Profiles\rgl6tyt3.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3764)
c:\windows\system32\MSWSOCK.dll
mswsock.DLL 749a0000 245760 \\?\globalroot\systemroot\system32\mswsock.DLL
c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\System32\ping.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-02-11 01:00:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 08:00
ComboFix2.txt 2012-02-09 20:56
ComboFix3.txt 2012-02-09 19:03
.
Pre-Run: 48,749,510,656 bytes free
Post-Run: 48,669,716,480 bytes free
.
- - End Of File - - D974AF0D4DC7A549A2ACEC036F93240D
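A few lines in the ComboFix log above matter far more than the hundreds of driver and CLSID entries around them: the UAC policy block under policies\system (EnableLUA=0 means UAC is switched off entirely, so an administrator's processes run with the full token and every listed autostart already has the rights a rootkit needs), the AppInit_DLLs value (a DLL loaded into every process that links user32.dll), the names under Svchost - NetSvcs (each should be traced to an installed product), the per-user proxy (ComboFix's leading "u" marks HKEY_CURRENT_USER) pointed at 127.0.0.1:80, which sends every browser request to whatever process holds port 80 on this machine, and ping.exe resident among the running processes. The script below is an added example, not part of this thread and not a ComboFix or BleepingComputer tool: it parses those sections out of a ComboFix-style log and reports every value that departs from the stock setting or points at the local host. The embedded sample is an excerpt copied from the log above; the Windows 7 defaults it compares against and the list of command-line tools it flags when they are resident are this script's own assumptions.

```python
import re
import sys

# Excerpt copied from the ComboFix log posted above, embedded as constructed test input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PSSdk21
npapimon
pvservice
ndiscm
.
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:80
FF - prefs.js: network.proxy.type - 0
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\System32\ping.exe
c:\windows\system32\conhost.exe
"""

# Stock Windows 7 values for the UAC keys ComboFix dumps (this script's assumption).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}
# Command-line tools that are not normally resident in an idle user session (assumption).
WATCH_PROCS = {"ping.exe", "cmd.exe", "cscript.exe", "wscript.exe",
               "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# ComboFix writes policy values as "Name"= decimal (hex).
POLICY_VALUE = re.compile(r'^"(\w+)"=\s*(\d+)\s*\(0x[0-9A-Fa-f]+\)$', re.M)
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$", re.I)


def block_after(text, marker):
    """Lines after the first line containing marker, skipping leading separators and
    stopping at the next blank or '.' line, which is how ComboFix delimits sections."""
    lines = iter(text.splitlines())
    if not any(marker in line for line in lines):   # consumes up to the marker line
        return []
    block = []
    for line in lines:
        if line.strip() in ("", "."):
            if block:
                break
            continue
        block.append(line.strip())
    return block


def findings(text):
    """(category, detail) pairs for every setting worth a second look."""
    out = []
    for key, val in POLICY_VALUE.findall(text):
        if key in UAC_DEFAULTS and int(val) != UAC_DEFAULTS[key]:
            out.append(("uac", f"{key}={val} (Windows 7 default {UAC_DEFAULTS[key]})"))
    m = re.search(r'^"AppInit_DLLs"=(.*)$', text, re.M)
    for dll in (re.split(r"[ ,]+", m.group(1).strip()) if m else []):
        if dll:   # loaded into every process that links user32.dll
            out.append(("appinit_dll", dll))
    for name in block_after(text, "Svchost - NetSvcs"):
        out.append(("netsvcs", name))   # tie each name to a product before trusting it
    m = re.search(r"^u?Internet Settings,ProxyServer = (.*)$", text, re.M)
    if m and LOOPBACK.match(m.group(1).strip()):   # 'u' prefix = HKEY_CURRENT_USER
        out.append(("loopback_proxy", m.group(1).strip()))
    m = re.search(r"network\.proxy\.type - (\d+)", text)
    if m:   # Firefox: 0 = direct, 1 = manual, 5 = use the system (WinINet) proxy
        out.append(("firefox_proxy_type", m.group(1)))
    for proc in block_after(text, "Other Running Processes"):
        if proc.rsplit("\\", 1)[-1].lower() in WATCH_PROCS:
            out.append(("resident_tool", proc))
    return out


if __name__ == "__main__":
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for category, detail in findings(log):
        print(f"{category:18} {detail}")
```

Run it as `python triage.py < ComboFix.txt` against a saved log, or with no input to see the findings for the excerpt above. The Firefox proxy mode is reported alongside the WinINet proxy because the two browsers do not share a setting: a Firefox profile at network.proxy.type 0 goes direct even while Internet Explorer and everything else built on WinINet is routed through the loopback proxy.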

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 11 February 2012 - 03:29 AM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.



Proud Graduate Of Malware Removal University
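Both requests above end with "post the log", and a TDSSKiller log is several hundred lines of "driver (md5) path" and "driver - ok" pairs in which the handful of lines carrying a verdict are easy to overlook once the log is pasted into a reply. The script below is an added example, not part of this thread and not a Kaspersky tool: it parses that format and keeps only the entries whose status is anything other than ok, joined to the object line (path and MD5 as scanned, before any cure) that precedes them, so a helper sees the detections and the files they refer to at a glance. The embedded sample is constructed: its clean entries are copied from the log posted later in this thread, while the tdx entries use the status wording TDSSKiller 2.7 prints for a detection and cure, with a placeholder verdict name and hash, because the actual detection line for tdx.sys was not posted.

```python
import re

# Constructed sample: clean entries copied from the log in this thread; the tdx entries
# use TDSSKiller's detection/cure wording with a placeholder verdict name and MD5.
SAMPLE_LOG = r"""
08:41:09.0659 5568 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
08:41:09.0663 5568 1394ohci - ok
08:41:10.0198 5568 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
08:41:10.0203 5568 AFD - ok
08:41:21.0100 5568 tdx (0123456789abcdef0123456789abcdef) C:\Windows\system32\DRIVERS\tdx.sys
08:41:21.0101 5568 tdx ( Rootkit.Win32.Placeholder ) - infected
08:41:21.0101 5568 tdx - detected Rootkit.Win32.Placeholder (0)
08:41:25.0000 5568 \Device\Harddisk0\DR0 - ok
08:41:40.0000 5568 tdx ( Rootkit.Win32.Placeholder ) - will be cured on reboot
"""

# One log line: timestamp, numeric id, then either an object line or a status line.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
# Object line: service or driver name, MD5 of the file as scanned, path.
OBJECT = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Status line: name, optional '( verdict )', then 'ok' or a detection/cure status.
STATUS = re.compile(r"^(?P<name>\S+)(?: \( (?P<verdict>[^)]+) \))? - (?P<status>.+)$")


def parse(text):
    """Yield ('object', fields) and ('status', fields) in log order; skip banner lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        time, rest = m.group(1), m.group(3)
        o = OBJECT.match(rest)
        if o:
            yield "object", dict(time=time, **o.groupdict())
            continue
        s = STATUS.match(rest)
        if s:
            yield "status", dict(time=time, **s.groupdict())


def detections(text):
    """Status entries other than 'ok', each joined to the last object line seen for its name."""
    last, hits = {}, []
    for kind, f in parse(text):
        if kind == "object":
            last[f["name"]] = f
        elif f["status"].strip().lower() != "ok":
            obj = last.get(f["name"], {})
            hits.append({"time": f["time"], "name": f["name"], "verdict": f["verdict"],
                         "status": f["status"].strip(), "path": obj.get("path"),
                         "md5": obj.get("md5")})
    return hits


def summary(text):
    """How many objects were given a status, how many were flagged, and which names."""
    checked = sum(1 for kind, _ in parse(text) if kind == "status")
    hits = detections(text)
    return {"checked": checked, "flagged": len(hits),
            "names": sorted({h["name"] for h in hits})}


if __name__ == "__main__":
    import sys
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for h in detections(log):
        print(f"{h['time']} {h['name']}: {h['status']}  verdict={h['verdict']}  "
              f"file={h['path']} md5={h['md5']}")
    print(summary(log))
```

Feed it a saved log with `python tdss_hits.py < TDSSKiller.2.7.11.0_11.02.2012_08.41.00_log.txt`. The MD5 on the object line is the hash TDSSKiller computed when it scanned the file, so after the reboot that applies a cure the same path should be hashed again and compared; a matching hash means the cure did not take.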

#5 Wizzums

  • Topic Starter
  • Members
  • 27 posts

Posted 11 February 2012 - 12:21 PM

Here's my TDSSKiller log. It found an infection in my C:\Windows\System32\Drivers\tdx.sys file that was cured. It asked for a reboot, which I did.

08:41:00.0165 5408 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
08:41:00.0541 5408 ============================================================
08:41:00.0541 5408 Current date / time: 2012/02/11 08:41:00.0541
08:41:00.0541 5408 SystemInfo:
08:41:00.0541 5408
08:41:00.0541 5408 OS Version: 6.1.7601 ServicePack: 1.0
08:41:00.0541 5408 Product type: Workstation
08:41:00.0541 5408 ComputerName: STORMS
08:41:00.0541 5408 UserName: mick
08:41:00.0541 5408 Windows directory: C:\Windows
08:41:00.0541 5408 System windows directory: C:\Windows
08:41:00.0541 5408 Processor architecture: Intel x86
08:41:00.0541 5408 Number of processors: 4
08:41:00.0542 5408 Page size: 0x1000
08:41:00.0542 5408 Boot type: Normal boot
08:41:00.0542 5408 ============================================================
08:41:02.0547 5408 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
08:41:02.0547 5408 \Device\Harddisk0\DR0:
08:41:02.0547 5408 MBR used
08:41:02.0547 5408 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x1D1915B4
08:41:02.0577 5408 Initialize success
08:41:02.0577 5408 ============================================================
08:41:08.0561 5568 ============================================================
08:41:08.0561 5568 Scan started
08:41:08.0561 5568 Mode: Manual;
08:41:08.0561 5568 ============================================================
08:41:09.0659 5568 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
08:41:09.0663 5568 1394ohci - ok
08:41:09.0729 5568 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
08:41:09.0732 5568 ACPI - ok
08:41:09.0875 5568 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
08:41:09.0876 5568 AcpiPmi - ok
08:41:09.0967 5568 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
08:41:09.0975 5568 adp94xx - ok
08:41:10.0001 5568 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
08:41:10.0007 5568 adpahci - ok
08:41:10.0121 5568 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
08:41:10.0124 5568 adpu320 - ok
08:41:10.0198 5568 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
08:41:10.0203 5568 AFD - ok
08:41:10.0267 5568 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
08:41:10.0270 5568 agp440 - ok
08:41:10.0310 5568 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
08:41:10.0312 5568 aic78xx - ok
08:41:10.0383 5568 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
08:41:10.0384 5568 aliide - ok
08:41:10.0453 5568 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
08:41:10.0455 5568 amdagp - ok
08:41:10.0479 5568 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
08:41:10.0481 5568 amdide - ok
08:41:10.0542 5568 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
08:41:10.0545 5568 AmdK8 - ok
08:41:10.0759 5568 amdkmdag (ab70f110143892eb41aa46500aa5cf00) C:\Windows\system32\DRIVERS\atikmdag.sys
08:41:10.0891 5568 amdkmdag - ok
08:41:10.0923 5568 amdkmdap (32d68d05b871eed5572d0c2c764ea4ec) C:\Windows\system32\DRIVERS\atikmpag.sys
08:41:10.0924 5568 amdkmdap - ok
08:41:11.0008 5568 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
08:41:11.0010 5568 AmdPPM - ok
08:41:11.0074 5568 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
08:41:11.0076 5568 amdsata - ok
08:41:11.0118 5568 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
08:41:11.0122 5568 amdsbs - ok
08:41:11.0163 5568 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
08:41:11.0163 5568 amdxata - ok
08:41:11.0268 5568 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
08:41:11.0270 5568 AppID - ok
08:41:11.0385 5568 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
08:41:11.0388 5568 arc - ok
08:41:11.0405 5568 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
08:41:11.0408 5568 arcsas - ok
08:41:11.0454 5568 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
08:41:11.0456 5568 AsyncMac - ok
08:41:11.0481 5568 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
08:41:11.0481 5568 atapi - ok
08:41:11.0570 5568 athur (d79a49fc67421c7bb7dcbd188a442288) C:\Windows\system32\DRIVERS\athur.sys
08:41:11.0597 5568 athur - ok
08:41:11.0737 5568 AtiHDAudioService (7725aecceddf81bd8374c77157e450ea) C:\Windows\system32\drivers\AtihdW73.sys
08:41:11.0738 5568 AtiHDAudioService - ok
08:41:11.0874 5568 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
08:41:11.0881 5568 b06bdrv - ok
08:41:11.0952 5568 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
08:41:11.0957 5568 b57nd60x - ok
08:41:12.0073 5568 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
08:41:12.0074 5568 Beep - ok
08:41:12.0141 5568 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
08:41:12.0142 5568 blbdrive - ok
08:41:12.0219 5568 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
08:41:12.0221 5568 bowser - ok
08:41:12.0255 5568 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
08:41:12.0257 5568 BrFiltLo - ok
08:41:12.0278 5568 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
08:41:12.0280 5568 BrFiltUp - ok
08:41:12.0392 5568 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
08:41:12.0394 5568 BridgeMP - ok
08:41:12.0458 5568 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
08:41:12.0462 5568 Brserid - ok
08:41:12.0486 5568 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
08:41:12.0488 5568 BrSerWdm - ok
08:41:12.0509 5568 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
08:41:12.0510 5568 BrUsbMdm - ok
08:41:12.0525 5568 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
08:41:12.0527 5568 BrUsbSer - ok
08:41:12.0548 5568 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
08:41:12.0550 5568 BTHMODEM - ok
08:41:12.0680 5568 catchme - ok
08:41:12.0786 5568 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
08:41:12.0788 5568 cdfs - ok
08:41:12.0861 5568 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
08:41:12.0862 5568 cdrom - ok
08:41:12.0971 5568 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
08:41:12.0973 5568 circlass - ok
08:41:13.0034 5568 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
08:41:13.0038 5568 CLFS - ok
08:41:13.0115 5568 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
08:41:13.0117 5568 CmBatt - ok
08:41:13.0167 5568 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
08:41:13.0169 5568 cmdide - ok
08:41:13.0255 5568 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
08:41:13.0258 5568 CNG - ok
08:41:13.0304 5568 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
08:41:13.0306 5568 Compbatt - ok
08:41:13.0366 5568 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
08:41:13.0367 5568 CompositeBus - ok
08:41:13.0430 5568 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
08:41:13.0431 5568 crcdisk - ok
08:41:13.0528 5568 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
08:41:13.0532 5568 CSC - ok
08:41:13.0683 5568 dc3d (734bbe7c66e6fd6047a1bd29b9343b30) C:\Windows\system32\DRIVERS\dc3d.sys
08:41:13.0684 5568 dc3d - ok
08:41:13.0720 5568 DfsC - ok
08:41:13.0772 5568 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
08:41:13.0772 5568 discache - ok
08:41:13.0855 5568 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
08:41:13.0856 5568 Disk - ok
08:41:13.0968 5568 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
08:41:13.0970 5568 drmkaud - ok
08:41:14.0048 5568 dtsoftbus01 (c0c7ceccb6c85994c2bc92d58e52d3f2) C:\Windows\system32\DRIVERS\dtsoftbus01.sys
08:41:14.0050 5568 dtsoftbus01 - ok
08:41:14.0101 5568 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
08:41:14.0108 5568 DXGKrnl - ok
08:41:14.0262 5568 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
08:41:14.0313 5568 ebdrv - ok
08:41:14.0443 5568 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
08:41:14.0450 5568 elxstor - ok
08:41:14.0497 5568 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
08:41:14.0499 5568 ErrDev - ok
08:41:14.0598 5568 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
08:41:14.0601 5568 exfat - ok
08:41:14.0623 5568 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
08:41:14.0625 5568 fastfat - ok
08:41:14.0728 5568 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
08:41:14.0730 5568 fdc - ok
08:41:14.0787 5568 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
08:41:14.0788 5568 FileInfo - ok
08:41:14.0805 5568 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
08:41:14.0807 5568 Filetrace - ok
08:41:14.0871 5568 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
08:41:14.0873 5568 flpydisk - ok
08:41:14.0896 5568 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
08:41:14.0899 5568 FltMgr - ok
08:41:15.0020 5568 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
08:41:15.0022 5568 FsDepends - ok
08:41:15.0036 5568 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
08:41:15.0036 5568 Fs_Rec - ok
08:41:15.0107 5568 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
08:41:15.0110 5568 fvevol - ok
08:41:15.0194 5568 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
08:41:15.0195 5568 gagp30kx - ok
08:41:15.0344 5568 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
08:41:15.0346 5568 hcw85cir - ok
08:41:15.0422 5568 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
08:41:15.0427 5568 HdAudAddService - ok
08:41:15.0544 5568 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
08:41:15.0546 5568 HDAudBus - ok
08:41:15.0575 5568 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
08:41:15.0577 5568 HidBatt - ok
08:41:15.0602 5568 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
08:41:15.0605 5568 HidBth - ok
08:41:15.0668 5568 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
08:41:15.0670 5568 HidIr - ok
08:41:15.0768 5568 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
08:41:15.0769 5568 HidUsb - ok
08:41:15.0857 5568 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
08:41:15.0859 5568 HpSAMD - ok
08:41:15.0947 5568 HTCAND32 (950cc1e6ae3a6cd23e0945cde089b02c) C:\Windows\system32\Drivers\ANDROIDUSB.sys
08:41:15.0949 5568 HTCAND32 - ok
08:41:16.0035 5568 htcnprot (339adefad60353f960e3ca67ce468c24) C:\Windows\system32\DRIVERS\htcnprot.sys
08:41:16.0037 5568 htcnprot - ok
08:41:16.0103 5568 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
08:41:16.0111 5568 HTTP - ok
08:41:16.0155 5568 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
08:41:16.0156 5568 hwpolicy - ok
08:41:16.0262 5568 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
08:41:16.0264 5568 i8042prt - ok
08:41:16.0340 5568 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\drivers\iaStorV.sys
08:41:16.0346 5568 iaStorV - ok
08:41:16.0390 5568 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
08:41:16.0391 5568 iirsp - ok
08:41:16.0498 5568 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
08:41:16.0499 5568 intelide - ok
08:41:16.0562 5568 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
08:41:16.0563 5568 intelppm - ok
08:41:16.0652 5568 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
08:41:16.0654 5568 IpFilterDriver - ok
08:41:16.0711 5568 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
08:41:16.0713 5568 IPMIDRV - ok
08:41:16.0760 5568 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
08:41:16.0762 5568 IPNAT - ok
08:41:16.0821 5568 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
08:41:16.0822 5568 IRENUM - ok
08:41:16.0863 5568 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
08:41:16.0865 5568 isapnp - ok
08:41:16.0884 5568 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
08:41:16.0889 5568 iScsiPrt - ok
08:41:16.0999 5568 k57nd60x (7ea81534e80570bdf6ee4a4248bba4d6) C:\Windows\system32\DRIVERS\k57nd60x.sys
08:41:17.0002 5568 k57nd60x - ok
08:41:17.0112 5568 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
08:41:17.0113 5568 kbdclass - ok
08:41:17.0178 5568 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\DRIVERS\kbdhid.sys
08:41:17.0179 5568 kbdhid - ok
08:41:17.0244 5568 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
08:41:17.0246 5568 KSecDD - ok
08:41:17.0263 5568 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
08:41:17.0265 5568 KSecPkg - ok
08:41:17.0368 5568 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
08:41:17.0369 5568 lltdio - ok
08:41:17.0552 5568 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
08:41:17.0553 5568 LMIInfo - ok
08:41:17.0694 5568 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\Windows\system32\DRIVERS\lmimirr.sys
08:41:17.0694 5568 lmimirr - ok
08:41:17.0770 5568 LMIRfsClientNP - ok
08:41:17.0860 5568 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\Windows\system32\drivers\LMIRfsDriver.sys
08:41:17.0860 5568 LMIRfsDriver - ok
08:41:17.0962 5568 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
08:41:17.0965 5568 LSI_FC - ok
08:41:17.0982 5568 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
08:41:17.0985 5568 LSI_SAS - ok
08:41:17.0999 5568 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
08:41:18.0001 5568 LSI_SAS2 - ok
08:41:18.0023 5568 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
08:41:18.0026 5568 LSI_SCSI - ok
08:41:18.0085 5568 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
08:41:18.0087 5568 luafv - ok
08:41:18.0153 5568 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\Windows\system32\drivers\mbam.sys
08:41:18.0154 5568 MBAMProtector - ok
08:41:18.0267 5568 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
08:41:18.0269 5568 megasas - ok
08:41:18.0291 5568 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
08:41:18.0296 5568 MegaSR - ok
08:41:18.0364 5568 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
08:41:18.0366 5568 Modem - ok
08:41:18.0431 5568 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
08:41:18.0432 5568 monitor - ok
08:41:18.0483 5568 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
08:41:18.0484 5568 mouclass - ok
08:41:18.0560 5568 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
08:41:18.0561 5568 mouhid - ok
08:41:18.0627 5568 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
08:41:18.0629 5568 mountmgr - ok
08:41:18.0678 5568 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
08:41:18.0682 5568 mpio - ok
08:41:18.0709 5568 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
08:41:18.0712 5568 mpsdrv - ok
08:41:18.0755 5568 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
08:41:18.0758 5568 MRxDAV - ok
08:41:18.0858 5568 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
08:41:18.0860 5568 mrxsmb - ok
08:41:18.0913 5568 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:41:18.0916 5568 mrxsmb10 - ok
08:41:18.0931 5568 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:41:18.0934 5568 mrxsmb20 - ok
08:41:18.0967 5568 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\drivers\msahci.sys
08:41:18.0968 5568 msahci - ok
08:41:18.0991 5568 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\drivers\msdsm.sys
08:41:18.0994 5568 msdsm - ok
08:41:19.0029 5568 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
08:41:19.0031 5568 Msfs - ok
08:41:19.0049 5568 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
08:41:19.0050 5568 mshidkmdf - ok
08:41:19.0092 5568 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
08:41:19.0093 5568 msisadrv - ok
08:41:19.0185 5568 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
08:41:19.0187 5568 MSKSSRV - ok
08:41:19.0206 5568 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
08:41:19.0208 5568 MSPCLOCK - ok
08:41:19.0230 5568 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
08:41:19.0231 5568 MSPQM - ok
08:41:19.0261 5568 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
08:41:19.0264 5568 MsRPC - ok
08:41:19.0313 5568 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
08:41:19.0313 5568 mssmbios - ok
08:41:19.0399 5568 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
08:41:19.0401 5568 MSTEE - ok
08:41:19.0421 5568 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
08:41:19.0423 5568 MTConfig - ok
08:41:19.0442 5568 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
08:41:19.0443 5568 Mup - ok
08:41:19.0578 5568 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
08:41:19.0582 5568 NativeWifiP - ok
08:41:19.0665 5568 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
08:41:19.0682 5568 NDIS - ok
08:41:19.0778 5568 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
08:41:19.0780 5568 NdisCap - ok
08:41:19.0841 5568 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
08:41:19.0843 5568 NdisTapi - ok
08:41:19.0933 5568 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
08:41:19.0934 5568 Ndisuio - ok
08:41:19.0984 5568 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
08:41:19.0987 5568 NdisWan - ok
08:41:20.0056 5568 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
08:41:20.0058 5568 NDProxy - ok
08:41:20.0168 5568 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
08:41:20.0169 5568 NetBIOS - ok
08:41:20.0184 5568 NetBT - ok
08:41:20.0304 5568 netr73 (00ebe302169c7b783a29b6df3c9e5b28) C:\Windows\system32\DRIVERS\netr73.sys
08:41:20.0321 5568 netr73 - ok
08:41:20.0418 5568 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
08:41:20.0421 5568 nfrd960 - ok
08:41:20.0514 5568 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
08:41:20.0515 5568 Npfs - ok
08:41:20.0534 5568 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
08:41:20.0535 5568 nsiproxy - ok
08:41:20.0619 5568 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
08:41:20.0644 5568 Ntfs - ok
08:41:20.0760 5568 NuidFltr (28613c245d9f26190dcee18430a4ebbe) C:\Windows\system32\DRIVERS\NuidFltr.sys
08:41:20.0760 5568 NuidFltr - ok
08:41:20.0788 5568 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
08:41:20.0789 5568 Null - ok
08:41:20.0887 5568 NVHDA (a82534d453425f5fee4b6a583fdcf3eb) C:\Windows\system32\drivers\nvhda32v.sys
08:41:20.0890 5568 NVHDA - ok
08:41:21.0118 5568 nvlddmkm (73a70f1d89c942eedd99a3f10459b051) C:\Windows\system32\DRIVERS\nvlddmkm.sys
08:41:21.0261 5568 nvlddmkm - ok
08:41:21.0357 5568 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
08:41:21.0361 5568 nvraid - ok
08:41:21.0471 5568 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
08:41:21.0475 5568 nvstor - ok
08:41:21.0602 5568 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
08:41:21.0605 5568 nv_agp - ok
08:41:21.0664 5568 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
08:41:21.0666 5568 ohci1394 - ok
08:41:21.0748 5568 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
08:41:21.0750 5568 Parport - ok
08:41:21.0791 5568 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
08:41:21.0792 5568 partmgr - ok
08:41:21.0814 5568 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
08:41:21.0816 5568 Parvdm - ok
08:41:21.0897 5568 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
08:41:21.0899 5568 pci - ok
08:41:22.0012 5568 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
08:41:22.0014 5568 pciide - ok
08:41:22.0047 5568 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
08:41:22.0051 5568 pcmcia - ok
08:41:22.0074 5568 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
08:41:22.0075 5568 pcw - ok
08:41:22.0153 5568 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
08:41:22.0171 5568 PEAUTH - ok
08:41:22.0349 5568 Point32 (420336f91eb745811cf130c80ede0653) C:\Windows\system32\DRIVERS\point32.sys
08:41:22.0350 5568 Point32 - ok
08:41:22.0434 5568 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
08:41:22.0437 5568 PptpMiniport - ok
08:41:22.0463 5568 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
08:41:22.0465 5568 Processor - ok
08:41:22.0538 5568 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
08:41:22.0540 5568 Psched - ok
08:41:22.0675 5568 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
08:41:22.0702 5568 ql2300 - ok
08:41:22.0753 5568 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
08:41:22.0756 5568 ql40xx - ok
08:41:22.0780 5568 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
08:41:22.0782 5568 QWAVEdrv - ok
08:41:22.0847 5568 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
08:41:22.0848 5568 RasAcd - ok
08:41:22.0918 5568 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
08:41:22.0920 5568 RasAgileVpn - ok
08:41:22.0943 5568 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
08:41:22.0945 5568 Rasl2tp - ok
08:41:23.0015 5568 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
08:41:23.0017 5568 RasPppoe - ok
08:41:23.0035 5568 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
08:41:23.0037 5568 RasSstp - ok
08:41:23.0084 5568 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
08:41:23.0087 5568 rdbss - ok
08:41:23.0104 5568 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
08:41:23.0106 5568 rdpbus - ok
08:41:23.0211 5568 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
08:41:23.0211 5568 RDPCDD - ok
08:41:23.0257 5568 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
08:41:23.0261 5568 RDPDR - ok
08:41:23.0368 5568 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
08:41:23.0368 5568 RDPENCDD - ok
08:41:23.0382 5568 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
08:41:23.0382 5568 RDPREFMP - ok
08:41:23.0423 5568 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
08:41:23.0427 5568 RDPWD - ok
08:41:23.0488 5568 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
08:41:23.0491 5568 rdyboost - ok
08:41:23.0612 5568 RegKernelHelp - ok
08:41:23.0747 5568 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
08:41:23.0749 5568 rspndr - ok
08:41:23.0803 5568 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
08:41:23.0805 5568 s3cap - ok
08:41:23.0884 5568 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
08:41:23.0887 5568 sbp2port - ok
08:41:23.0936 5568 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
08:41:23.0938 5568 scfilter - ok
08:41:24.0030 5568 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
08:41:24.0032 5568 secdrv - ok
08:41:24.0123 5568 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
08:41:24.0125 5568 Serenum - ok
08:41:24.0160 5568 Serial - ok
08:41:24.0208 5568 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
08:41:24.0210 5568 sermouse - ok
08:41:24.0280 5568 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
08:41:24.0282 5568 sffdisk - ok
08:41:24.0302 5568 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
08:41:24.0304 5568 sffp_mmc - ok
08:41:24.0327 5568 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
08:41:24.0328 5568 sffp_sd - ok
08:41:24.0357 5568 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
08:41:24.0359 5568 sfloppy - ok
08:41:24.0503 5568 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
08:41:24.0505 5568 sisagp - ok
08:41:24.0572 5568 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
08:41:24.0575 5568 SiSRaid2 - ok
08:41:24.0596 5568 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
08:41:24.0599 5568 SiSRaid4 - ok
08:41:24.0615 5568 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
08:41:24.0617 5568 Smb - ok
08:41:24.0679 5568 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
08:41:24.0680 5568 spldr - ok
08:41:24.0742 5568 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
08:41:24.0747 5568 srv - ok
08:41:24.0768 5568 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
08:41:24.0773 5568 srv2 - ok
08:41:24.0792 5568 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
08:41:24.0794 5568 srvnet - ok
08:41:24.0921 5568 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
08:41:24.0923 5568 stexstor - ok
08:41:24.0980 5568 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
08:41:24.0981 5568 storflt - ok
08:41:25.0023 5568 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
08:41:25.0025 5568 storvsc - ok
08:41:25.0087 5568 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
08:41:25.0088 5568 swenum - ok
08:41:25.0254 5568 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
08:41:25.0280 5568 Tcpip - ok
08:41:25.0379 5568 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
08:41:25.0390 5568 TCPIP6 - ok
08:41:25.0447 5568 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
08:41:25.0448 5568 tcpipreg - ok
08:41:25.0528 5568 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
08:41:25.0530 5568 TDPIPE - ok
08:41:25.0544 5568 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
08:41:25.0546 5568 TDTCP - ok
08:41:25.0583 5568 tdx (38f57d262164cb35bc8659785703cd6b) C:\Windows\system32\DRIVERS\tdx.sys
08:41:25.0584 5568 Suspicious file (Forged): C:\Windows\system32\DRIVERS\tdx.sys. Real md5: 38f57d262164cb35bc8659785703cd6b, Fake md5: cb39e896a2a83702d1737bfd402b3542
08:41:25.0585 5568 tdx ( Virus.Win32.ZAccess.c ) - infected
08:41:25.0585 5568 tdx - detected Virus.Win32.ZAccess.c (0)
08:41:25.0713 5568 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
08:41:25.0714 5568 TermDD - ok
08:41:25.0848 5568 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
08:41:25.0850 5568 tssecsrv - ok
08:41:25.0920 5568 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
08:41:25.0922 5568 TsUsbFlt - ok
08:41:26.0036 5568 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
08:41:26.0039 5568 tunnel - ok
08:41:26.0075 5568 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
08:41:26.0078 5568 uagp35 - ok
08:41:26.0125 5568 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
08:41:26.0129 5568 udfs - ok
08:41:26.0239 5568 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
08:41:26.0241 5568 uliagpkx - ok
08:41:26.0337 5568 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys
08:41:26.0338 5568 UltraMonUtility - ok
08:41:26.0412 5568 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
08:41:26.0413 5568 umbus - ok
08:41:26.0443 5568 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
08:41:26.0445 5568 UmPass - ok
08:41:26.0492 5568 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
08:41:26.0494 5568 usbccgp - ok
08:41:26.0539 5568 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
08:41:26.0542 5568 usbcir - ok
08:41:26.0602 5568 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
08:41:26.0604 5568 usbehci - ok
08:41:26.0654 5568 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
08:41:26.0658 5568 usbhub - ok
08:41:26.0755 5568 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
08:41:26.0757 5568 usbohci - ok
08:41:26.0858 5568 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
08:41:26.0860 5568 usbprint - ok
08:41:26.0905 5568 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
08:41:26.0908 5568 usbscan - ok
08:41:26.0947 5568 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:41:26.0949 5568 USBSTOR - ok
08:41:27.0016 5568 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
08:41:27.0019 5568 usbuhci - ok
08:41:27.0068 5568 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
08:41:27.0070 5568 vdrvroot - ok
08:41:27.0137 5568 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
08:41:27.0140 5568 vga - ok
08:41:27.0164 5568 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
08:41:27.0165 5568 VgaSave - ok
08:41:27.0216 5568 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
08:41:27.0219 5568 vhdmp - ok
08:41:27.0329 5568 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
08:41:27.0331 5568 viaagp - ok
08:41:27.0363 5568 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
08:41:27.0366 5568 ViaC7 - ok
08:41:27.0414 5568 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
08:41:27.0416 5568 viaide - ok
08:41:27.0438 5568 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
08:41:27.0441 5568 vmbus - ok
08:41:27.0464 5568 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
08:41:27.0466 5568 VMBusHID - ok
08:41:27.0486 5568 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
08:41:27.0487 5568 volmgr - ok
08:41:27.0514 5568 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
08:41:27.0518 5568 volmgrx - ok
08:41:27.0539 5568 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
08:41:27.0543 5568 volsnap - ok
08:41:27.0609 5568 vsmraid - ok
08:41:27.0658 5568 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
08:41:27.0660 5568 vwifibus - ok
08:41:27.0683 5568 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
08:41:27.0684 5568 vwififlt - ok
08:41:27.0768 5568 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
08:41:27.0771 5568 WacomPen - ok
08:41:27.0931 5568 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
08:41:27.0933 5568 WANARP - ok
08:41:27.0937 5568 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
08:41:27.0938 5568 Wanarpv6 - ok
08:41:28.0058 5568 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
08:41:28.0060 5568 Wd - ok
08:41:28.0088 5568 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
08:41:28.0094 5568 Wdf01000 - ok
08:41:28.0192 5568 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
08:41:28.0193 5568 WfpLwf - ok
08:41:28.0214 5568 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
08:41:28.0216 5568 WIMMount - ok
08:41:28.0381 5568 WinUSB (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUSB.sys
08:41:28.0384 5568 WinUSB - ok
08:41:28.0528 5568 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
08:41:28.0530 5568 WmiAcpi - ok
08:41:28.0667 5568 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
08:41:28.0668 5568 ws2ifsl - ok
08:41:28.0799 5568 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
08:41:28.0802 5568 WudfPf - ok
08:41:28.0935 5568 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
08:41:28.0938 5568 WUDFRd - ok
08:41:29.0062 5568 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
08:41:29.0131 5568 \Device\Harddisk0\DR0 - ok
08:41:29.0139 5568 Boot (0x1200) (de9d59eb43fd66b3beddbf347ceae470) \Device\Harddisk0\DR0\Partition0
08:41:29.0141 5568 \Device\Harddisk0\DR0\Partition0 - ok
08:41:29.0142 5568 ============================================================
08:41:29.0142 5568 Scan finished
08:41:29.0142 5568 ============================================================
08:41:29.0156 5560 Detected object count: 1
08:41:29.0156 5560 Actual detected object count: 1
08:41:37.0048 5560 C:\Windows\system32\DRIVERS\tdx.sys - copied to quarantine
08:41:37.0218 5560 Backup copy found, using it..
08:41:37.0226 5560 C:\Windows\system32\DRIVERS\tdx.sys - will be cured on reboot
08:41:40.0341 5560 tdx ( Virus.Win32.ZAccess.c ) - User select action: Cure
08:41:53.0369 5360 Deinitialize success



aswMBR log:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-11 08:45:46
-----------------------------
08:45:46.437 OS Version: Windows 6.1.7601 Service Pack 1
08:45:46.437 Number of processors: 4 586 0x1E05
08:45:46.438 ComputerName: STORMS UserName: mick
08:45:49.860 Initialize success
08:46:27.339 AVAST engine defs: 12021100
08:47:12.882 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
08:47:12.885 Disk 0 Vendor: ST3250318AS CC45 Size: 238418MB BusType: 11
08:47:12.893 Disk 0 MBR read successfully
08:47:12.897 Disk 0 MBR scan
08:47:12.902 Disk 0 Windows 7 default MBR code
08:47:12.907 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
08:47:12.920 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238370 MB offset 80325
08:47:12.927 Disk 0 scanning sectors +488263545
08:47:13.001 Disk 0 scanning C:\Windows\system32\drivers
08:47:18.215 File: C:\Windows\system32\drivers\dtsoftbus01.sys **INFECTED** Win32:Sirefef-JQ [Trj]
08:47:26.409 Disk 0 trace - called modules:
08:47:26.436 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb8947fc0]<<
08:47:26.444 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x9e823550]
08:47:26.454 3 CLASSPNP.SYS[a439b59e] -> nt!IofCallDriver -> [0x9fbcfd00]
08:47:26.462 \Driver\00001078[0x9fbee730] -> IRP_MJ_CREATE -> 0xb8947fc0
08:47:29.234 AVAST engine scan C:\Windows
08:47:32.188 AVAST engine scan C:\Windows\system32
08:50:34.795 AVAST engine scan C:\Windows\system32\drivers
08:50:41.509 File: C:\Windows\system32\drivers\dtsoftbus01.sys **INFECTED** Win32:Sirefef-JQ [Trj]
08:51:06.271 AVAST engine scan C:\Users\mick
09:10:50.132 AVAST engine scan C:\ProgramData
09:56:41.658 Scan finished successfully
10:17:58.110 Disk 0 MBR has been saved successfully to "C:\Users\mick\Desktop\MBR.dat"
10:17:58.115 The log file has been saved successfully to "C:\Users\mick\Desktop\aswMBR.txt"
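
The two logs above show three patterns an analyst looks for when triaging an anti-rootkit scan: a file whose real hash differs from the hash the system reports back (the "Suspicious file (Forged)" line for tdx.sys, which is how a ZeroAccess/Sirefef infection hides a patched driver), an explicit detection line (the "- infected" and "**INFECTED**" lines), and a disk I/O trace that ends in an unnamed module (">>UNKNOWN [0x...]<<"). The script below is an added example, not a tool from BleepingComputer or from the scanner vendors: it pulls those three findings out of TDSSKiller- and aswMBR-style log text, maps a TDSSKiller service name back to its file path using the module lines, and de-duplicates repeated reports of the same file. The regular expressions follow the line shapes visible in the posted logs, and SAMPLE_LINES is assembled from those logs.

```python
"""Triage of anti-rootkit scanner logs (TDSSKiller and aswMBR line shapes).

Added example for this thread, not a tool from BleepingComputer, Kaspersky or
AVAST. The regular expressions follow the line shapes visible in the logs
posted above; SAMPLE_LINES is assembled from those logs.
"""
import re
from dataclasses import dataclass

# TDSSKiller module line: "<time> <pid> <name> (<md5>) <path>"
TDSS_MODULE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(\S+)\s+\(([0-9a-f]{32})\)\s+(.+?)\s*$")
# TDSSKiller: "Suspicious file (Forged): <path>. Real md5: <x>, Fake md5: <y>"
TDSS_FORGED = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
# TDSSKiller: "<time> <pid> <name> ( <detection> ) - infected"
TDSS_INFECT = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(\S+) \( (.+?) \) - infected\s*$")
# aswMBR: "File: <path> **INFECTED** <detection>"
ASW_INFECT = re.compile(r"File: (.+?) \*\*INFECTED\*\* (.+?)\s*$")
# aswMBR disk trace: ">>UNKNOWN [0x...]<<" marks a hook into an unnamed module
ASW_HOOK = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")

# Lines taken from the TDSSKiller and aswMBR logs posted in this thread.
SAMPLE_LINES = [
    r"08:41:25.0583 5568 tdx (38f57d262164cb35bc8659785703cd6b) C:\Windows\system32\DRIVERS\tdx.sys",
    r"08:41:25.0584 5568 Suspicious file (Forged): C:\Windows\system32\DRIVERS\tdx.sys. Real md5: 38f57d262164cb35bc8659785703cd6b, Fake md5: cb39e896a2a83702d1737bfd402b3542",
    r"08:41:25.0585 5568 tdx ( Virus.Win32.ZAccess.c ) - infected",
    r"08:41:25.0585 5568 tdx - detected Virus.Win32.ZAccess.c (0)",
    r"08:41:25.0713 5568 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys",
    r"08:47:18.215 File: C:\Windows\system32\drivers\dtsoftbus01.sys **INFECTED** Win32:Sirefef-JQ [Trj]",
    r"08:47:26.436 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xb8947fc0]<<",
    r"08:50:41.509 File: C:\Windows\system32\drivers\dtsoftbus01.sys **INFECTED** Win32:Sirefef-JQ [Trj]",
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "forged-hash", "detection" or "unknown-hook"
    where: str   # file path, or the hook address for "unknown-hook"
    detail: str  # detection name, hash mismatch, or the raw trace line


def triage(lines):
    """Collect findings from scanner log lines, de-duplicated in order of appearance."""
    name_to_path = {}   # TDSSKiller service name -> file path, from module lines
    findings = []
    seen = set()

    def add(finding):
        if finding not in seen:      # aswMBR reports the same file once per pass
            seen.add(finding)
            findings.append(finding)

    for line in lines:
        m = TDSS_MODULE.match(line)
        if m:
            name_to_path[m.group(1)] = m.group(3)
            continue
        m = TDSS_FORGED.search(line)
        if m:
            add(Finding("forged-hash", m.group(1),
                        f"real md5 {m.group(2)} != reported md5 {m.group(3)}"))
            continue
        m = TDSS_INFECT.match(line)
        if m:
            name = m.group(1)
            # The detection line names the service; resolve it to the file path
            # recorded on the module line that preceded it.
            add(Finding("detection", name_to_path.get(name, name), m.group(2)))
            continue
        m = ASW_INFECT.search(line)
        if m:
            add(Finding("detection", m.group(1), m.group(2)))
            continue
        m = ASW_HOOK.search(line)
        if m:
            add(Finding("unknown-hook", m.group(1), line.strip()))
    return findings


def infected_paths(findings):
    """File paths that need cleaning or replacement (forged or detected)."""
    return sorted({f.where for f in findings if f.kind in ("forged-hash", "detection")})


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:13} {f.where}  [{f.detail}]")
```

A forged-hash finding is worth more attention than the detection name alone: it means the file on disk is clean when read by the scanner's own driver but the system returns a different hash, so the kernel I/O path is being intercepted, which is consistent with the unnamed module in the aswMBR trace. Both are reasons to treat the machine as still compromised until the hooked driver is restored from a known-good copy, which is what the "will be cured on reboot" step in the TDSSKiller log does.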

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:45 PM

Posted 11 February 2012 - 12:29 PM

Hello

I would like you to run this tool for me - fixTDSS

download it to your desktop and start the program

Follow the prompts and Ok any security prompts

when it is complete it will say the infection was cleared or no infection was found - let me know what it says

after it is complete I want you to restart the computer and try to rerun ASWMbr for me and send me the report

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Wizzums

Wizzums
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 11 February 2012 - 02:57 PM

I downloaded fixTDSS to my desktop, double clicked it and followed the prompts. It said it needed to restart and I accepted. When the machine rebooted, it showed the Windows 7 loading screen for about 5-6 seconds and then bluescreened due to Ntfs.sys. When it rebooted itself again, it gave me the option to start windows normally or go through startup recovery. I chose windows normally to see if it would BSOD again, which it did (Ntfs.sys again).

Upon third reboot, I chose startup recovery. It prompted me for system restore, which I declined, and it began to automatically try and fix the errors. During the process, it says the system may reboot several times. The system reboots, bluescreens from ndis.sys and reboots back to the startup recovery/windows normal boot selection.

I selected startup recovery again, but don't get prompted for the system restore - as if it's picking back up from its previous scan. It then pops up and says Startup Repair cannot repair this computer automatically and gives me the option to send information about the problem or not send. I select the default, which is do not send.

I now have two links:
View diagnostic and repair details
View advanced options for system recovery and support

I select the first link to view diagnostics, it pops up with a box containing a log of the scan performed. I can select the text but not copy it, and there's no option for saving the log. I close the box.

I select the advanced options and it allows me to choose system restore. I have three to choose from, the most recent is from ComboFix. I click the "Scan for affected programs" button and it comes back with "None detected". I began the system restore.

It came back with:

System Restore did not complete successfully. Your computer's system files and settings were not changed.

Details:System Restore failed to extract the file
(C:\Windows\$NtUninstallKB39289$\1552991721) from the restore point.
The restore point was damaged or was deleted during the restore.

You can try System Restore again and choose a different restore point. If you continue to see this error, you can try an advanced recovery method. For more information, see What is Recovery? (a link)


I click OK and I'm back at the System Restore screen with the following options:
Startup Repair - Automatically fix problems that are preventing Windows from starting
System Restore - Restore Windows to an earlier point in time
System Image Recovery - Recover your computer using a system you created earlier
Windows Memory Diagnostic - Check your computer for memory hardware errors
Command Prompt - Open a command prompt window


Any advice? I have a second computer I'm using to communicate with you. I also have an external drive to move files from this PC to the infected one, if necessary.

Thanks again for all your help!

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:45 PM

Posted 12 February 2012 - 01:44 AM

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.



Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Wizzums

Wizzums
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 12 February 2012 - 01:51 AM

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 11-02-2012
Ran by SYSTEM at 2012-02-11 23:49:28
Running from E:\malware
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2008-08-11] (LogMeIn, Inc.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1797488 2011-01-07] (Microsoft Corporation)
HKLM\...\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1298320 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKLM\...\Runonce: [FixTDSS] cmd /c start /D "C:\Users\mick\Desktop" /B FixTDSS.exe -postboot [x]
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
AppInit_DLLs: C:\Windows\System32\acaptuser32.dll

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [176128 2011-11-09] (AMD)
3 FLEXnet Licensing Service; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" [655624 2010-04-14] (Acresso Software Inc.)
2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [136176 2011-10-18] (Google Inc.)
3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [136176 2011-10-18] (Google Inc.)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374152 2011-06-16] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136584 2011-06-16] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2010-11-08] (LogMeIn, Inc.)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
3 Microsoft SharePoint Workspace Audit Service; "C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice [31125880 2011-06-12] (Microsoft Corporation)
2 NovacomD; C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe [61440 2011-03-15] (Palm)
2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [80896 2011-03-31] ()
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2012-01-13] ()
2 PSSdk21; C:\Windows\System32\n3900.dll [5632 2009-07-13] (Oak Technology Inc.)
2 Stereo Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [378984 2011-01-07] (NVIDIA Corporation)
3 StorSvc; C:\Windows\System32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
3 SwitchBoard; "C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [517096 2010-02-19] (Adobe Systems Incorporated)
3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [268528 2010-09-24] (Microsoft Corporation)
2 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [6351600 2010-09-24] (Microsoft Corporation)
3 ZuneWlanCfgSvc; C:\Windows\system32\ZuneWlanCfgSvc.exe [444656 2010-09-24] (Microsoft Corporation)
2 GoToMyPC; "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" Start=service [x]
2 MySQL; C:\PROGRA~1\EASYPH~1.0\MySql\bin\mysqld.exe --defaults-file=C:\PROGRA~1\EASYPH~1.0\MySql\my.ini MySQL [x]
3 wampapache; "c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe" -k runservice [x]
3 wampmysqld; c:\wamp\bin\mysql\mysql5.5.20\bin\mysqld.exe wampmysqld [x]

========================== Drivers (Whitelisted) =============

3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [8913920 2011-11-09] (Advanced Micro Devices, Inc.)
3 amdkmdap; C:\Windows\System32\DRIVERS\atikmpag.sys [263680 2011-11-09] (Advanced Micro Devices, Inc.)
3 athur; C:\Windows\System32\DRIVERS\athur.sys [1500160 2010-01-05] (Atheros Communications, Inc.)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdW73.sys [85520 2011-10-17] (Advanced Micro Devices)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [78336 2009-07-13] (Microsoft Corporation)
1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [232512 2011-09-17] ()
0 FixTDSS; C:\Windows\System32\drivers\FixTDSS.sys [26872 2012-02-11] (Symantec Corporation)
3 HTCAND32; C:\Windows\System32\Drivers\ANDROIDUSB.sys [25088 2009-10-26] (HTC, Corporation)
3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2010-06-23] (Windows ® Win 7 DDK provider)
3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-06] (Broadcom Corporation)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2008-08-11] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2008-08-11] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2008-08-11] (LogMeIn, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [20464 2011-12-10] (Malwarebytes Corporation)
3 netr73; C:\Windows\System32\DRIVERS\netr73.sys [562464 2010-02-24] (Ralink Technology, Corp.)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [16768 2011-04-08] (Microsoft Corporation)
3 NVHDA; C:\Windows\System32\drivers\nvhda32v.sys [66592 2009-08-21] (NVIDIA Corporation)
3 Point32; C:\Windows\System32\DRIVERS\point32.sys [40800 2011-01-07] (Microsoft Corporation)
2 UltraMonUtility; \??\C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [17184 2008-11-14] (Realtime Soft Ltd)
3 catchme; \??\C:\Users\mick\AppData\Local\Temp\catchme.sys [x]
4 LMIRfsClientNP; [x]
3 RegKernelHelp; \??\C:\Program Files\Safe Returner\RegKernelHelp.sys [x]
1 Serial; C:\Windows\System32\DRIVERS\serial.sys [x]
0 vsmraid; C:\Windows\System32\DRIVERS\vsmraid.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: PSSdk21
NETSVC: npapimon
NETSVC: pvservice
NETSVC: ndiscm

============ One Month Created Files and Folders ==============

2012-02-11 09:30 - 2012-02-11 09:30 - 1932256 ____A (Symantec Corporation) C:\Users\mick\Desktop\FixTDSS.exe
2012-02-11 09:30 - 2012-02-11 09:30 - 0026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-02-11 09:30 - 2012-02-11 09:30 - 0000000 ____D C:\Users\mick\AppData\Roaming\FixTDSS
2012-02-11 09:17 - 2012-02-11 09:17 - 0002016 ____A C:\Users\mick\Desktop\aswMBR.txt
2012-02-11 07:41 - 2012-02-11 07:41 - 0079638 ____A C:\TDSSKiller.2.7.11.0_11.02.2012_08.41.00_log.txt
2012-02-11 07:40 - 2012-02-11 07:40 - 0000346 ____A C:\TDSSKiller.2.7.9.0_11.02.2012_08.40.00_log.txt
2012-02-11 07:40 - 2012-02-09 09:15 - 2059824 ____A (Kaspersky Lab ZAO) C:\Users\mick\Desktop\TDSSKiller.exe
2012-02-11 00:19 - 2012-02-11 00:19 - 0021717 ____A C:\Users\mick\Desktop\combofix-log.txt
2012-02-11 00:00 - 2012-02-11 00:00 - 0021717 ____A C:\ComboFix.txt
2012-02-10 23:48 - 2012-02-10 23:48 - 0000000 ____D C:\$RECYCLE.BIN
2012-02-10 23:18 - 2012-02-10 23:19 - 4400207 ____R (Swearware) C:\Users\mick\Desktop\ComboFix.exe
2012-02-10 19:50 - 2012-02-10 19:50 - 0036791 ____A C:\Users\mick\Desktop\ark.txt
2012-02-10 14:54 - 2012-02-10 14:54 - 2094534 ____A C:\Users\mick\Downloads\Rackspace Instructions.pdf
2012-02-09 15:47 - 2012-02-09 15:47 - 0016577 ____A C:\Users\mick\Desktop\Attach.txt
2012-02-09 15:46 - 2012-02-09 15:46 - 0017730 ____A C:\Users\mick\Desktop\DDS.txt
2012-02-09 15:11 - 2012-02-09 15:11 - 0139196 ____A C:\Users\mick\Desktop\OTL.Txt
2012-02-09 15:11 - 2012-02-09 15:11 - 0057996 ____A C:\Users\mick\Desktop\Extras.Txt
2012-02-09 15:00 - 2012-02-09 15:00 - 0584192 ____A (OldTimer Tools) C:\Users\mick\Desktop\OTL.exe
2012-02-09 14:45 - 2012-02-11 09:17 - 0000512 ____A C:\Users\mick\Desktop\MBR.dat
2012-02-09 14:45 - 2012-02-09 14:52 - 0004143 ____A C:\Users\mick\Desktop\aswMBR-old.txt
2012-02-09 13:47 - 2012-02-09 13:47 - 4733440 ____A (AVAST Software) C:\Users\mick\Desktop\aswMBR.exe
2012-02-09 13:25 - 2012-02-09 13:25 - 1413120 ____A (Option^Explicit Software Solutions) C:\Users\mick\Desktop\winsockfix.exe
2012-02-09 12:27 - 2010-11-20 00:44 - 0388096 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\csc.sys
2012-02-09 12:14 - 2012-02-09 12:12 - 9200064 ____A (OPSWAT, Inc.) C:\Users\mick\Desktop\AppRemover.exe
2012-02-09 12:00 - 2012-02-09 12:06 - 0001218 ____A C:\Users\mick\Desktop\SystemLook.txt
2012-02-09 11:59 - 2012-02-09 11:59 - 0001480 ____A C:\Users\mick\Desktop\FSS.txt
2012-02-09 11:57 - 2012-02-09 11:57 - 0037328 ____A C:\Users\mick\Desktop\RKUnhooker-Report.txt
2012-02-09 11:51 - 2012-02-09 11:51 - 0000470 ____A C:\Users\mick\Desktop\defogger_disable.log
2012-02-09 11:51 - 2012-02-09 11:51 - 0000000 ____A C:\Users\mick\defogger_reenable
2012-02-09 11:46 - 2012-02-09 11:46 - 0446464 ____A (OldTimer Tools) C:\Users\mick\Desktop\TFC.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A C:\Users\mick\Desktop\SystemLook.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A () C:\Users\mick\Desktop\RKUnhookerLE.EXE
2012-02-09 11:45 - 2012-02-09 11:45 - 0050477 ____A C:\Users\mick\Desktop\Defogger.exe
2012-02-09 11:44 - 2012-02-09 11:43 - 0335925 ____A C:\Users\mick\Desktop\FSS.exe
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-02-09 10:34 - 2011-09-17 22:04 - 0232512 ____A C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-02-09 10:23 - 2012-02-10 23:27 - 0000000 ____D C:\Windows\ERDNT
2012-02-09 10:23 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-02-09 10:23 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-02-09 10:23 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-02-09 10:23 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-02-09 10:00 - 2012-02-11 00:00 - 0000000 ____D C:\Qoobox
2012-02-08 23:15 - 2012-02-08 23:15 - 0143696 ____A C:\Windows\Minidump\020912-22308-01.dmp
2012-02-06 21:57 - 2012-02-11 07:41 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-06 21:56 - 2012-02-06 21:57 - 0080352 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.56.21_log.txt
2012-02-06 21:52 - 2012-02-06 21:53 - 0079506 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.52.19_log.txt
2012-02-06 08:04 - 2012-02-06 08:04 - 0607260 ____R (Swearware) C:\Users\mick\Desktop\dds.scr
2012-02-06 08:04 - 2012-02-06 08:04 - 0302592 ____A C:\Users\mick\Desktop\GMER.exe
2012-02-06 08:03 - 2012-02-09 15:44 - 0000000 ____D C:\Users\mick\Downloads\malware
2012-02-05 08:37 - 2012-02-11 07:42 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-04 21:22 - 2012-02-04 21:22 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall (1).exe
2012-02-03 23:50 - 2012-02-03 23:50 - 0000000 ____D C:\Users\mick\Downloads\backups
2012-02-03 23:48 - 2012-02-09 11:28 - 0269398 ____A C:\Windows\ntbtlog.txt
2012-02-03 16:10 - 2012-02-03 16:11 - 0079214 ____A C:\TDSSKiller.2.7.9.0_03.02.2012_17.10.41_log.txt
2012-02-03 16:10 - 2012-02-03 16:10 - 2059312 ____A (Kaspersky Lab ZAO) C:\Users\mick\Downloads\tdsskiller.exe
2012-02-03 16:03 - 2012-02-03 16:03 - 0001759 ____A C:\Users\mick\Desktop\SafeReturner_log.txt
2012-02-03 16:01 - 2012-02-03 16:01 - 0000102 ____A C:\Users\mick\Desktop\catchme.log
2012-02-03 16:00 - 2012-02-03 16:03 - 0000000 ____D C:\Users\All Users\SafeReturner
2012-02-03 16:00 - 2012-02-03 16:03 - 0000000 ____D C:\ProgramData\SafeReturner
2012-02-03 16:00 - 2012-02-03 16:01 - 0000329 ____A C:\Users\mick\Desktop\AntiExeHijack.log
2012-02-03 16:00 - 2012-02-03 16:01 - 0000000 ____D C:\Program Files\Safe Returner
2012-02-03 16:00 - 2012-02-03 16:00 - 0001026 ____A C:\Users\Public\Desktop\Safe Returner.lnk
2012-02-03 16:00 - 2012-02-03 16:00 - 0001006 ____A C:\Users\Public\Desktop\Kill Rogue Process.lnk
2012-02-03 09:13 - 2012-02-03 09:13 - 5154304 ____A C:\Users\mick\Downloads\WindowsDefender.msi
2012-02-03 03:01 - 2012-02-03 03:01 - 0143696 ____A C:\Windows\Minidump\020312-22744-01.dmp
2012-02-02 12:50 - 2012-02-09 07:51 - 0001516 ____A C:\Windows\System32\Drivers\etc\hosts.bak
2012-02-01 16:40 - 2012-02-01 18:40 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-02-01 16:40 - 2012-02-01 18:40 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Users\mick\AppData\Roaming\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-02-01 16:40 - 2011-12-10 14:24 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-02-01 16:35 - 2012-02-03 23:49 - 0008687 ____A C:\Users\mick\Downloads\hijackthis.log
2012-02-01 16:34 - 2012-02-01 16:34 - 0401720 ____A (Trend Micro Inc.) C:\Users\mick\Downloads\iexplore.exe
2012-02-01 16:29 - 2012-02-01 16:29 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\mick\Downloads\mbam-setup-1.60.1.1000.exe
2012-01-31 20:37 - 2012-01-31 20:37 - 3870904 ____A C:\Users\mick\Downloads\battlelog-web-plugins-1.110.0-retail-prod.exe
2012-01-31 03:12 - 2011-11-16 21:41 - 0134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-01-31 03:12 - 2011-11-16 21:41 - 0067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-01-31 03:12 - 2011-11-16 21:39 - 0369352 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-01-31 03:12 - 2011-11-16 21:35 - 0314880 ____A (Microsoft Corporation) C:\Windows\System32\webio.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0224768 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0100352 ____A (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0022016 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll
2012-01-31 03:12 - 2011-11-16 21:34 - 0015872 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2012-01-31 03:12 - 2011-11-16 21:32 - 1038848 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2012-01-31 03:12 - 2011-11-16 21:29 - 0022528 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\TortoiseSVN
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\Common Files\TortoiseOverlays
2012-01-26 12:07 - 2012-01-26 12:08 - 13697024 ____A C:\Users\mick\Downloads\TortoiseSVN-1.7.4.22459-win32-svn-1.7.2.msi
2012-01-20 11:55 - 2012-01-20 11:55 - 0001020 ____A C:\Users\mick\Start Menu\Programs\Startup\Dropbox.lnk
2012-01-20 11:55 - 2012-01-20 11:55 - 0001020 ____A C:\Users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-01-16 14:25 - 2011-08-14 18:02 - 0214408 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-01-16 14:25 - 2011-08-14 18:02 - 0173960 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-01-16 14:25 - 2011-08-14 18:02 - 0173960 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-01-16 14:24 - 2012-01-16 14:25 - 0004807 ____A C:\Windows\System32\jupdate-1.6.0_30-b12.log
2012-01-16 14:23 - 2012-01-16 14:23 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall.exe
2012-01-14 10:37 - 2012-01-14 10:37 - 0000000 ____D C:\Program Files\K-Lite Codec Pack
2012-01-14 10:37 - 2011-03-02 03:43 - 0175616 ____A C:\Windows\System32\unrar.dll
2012-01-14 10:34 - 2012-01-14 10:35 - 7413286 ____A ( ) C:\Users\mick\Downloads\K-Lite_Codec_Pack_810_Basic.exe
2012-01-12 10:22 - 2012-01-12 10:23 - 52017986 ____A C:\Users\mick\Downloads\kelli_garner_bully_hd_03.avi


============ 3 Months Modified Files and Folders ===============

2012-02-11 23:49 - 2012-02-11 23:49 - 0000000 ____D C:\FRST
2012-02-11 10:42 - 2011-04-05 09:21 - 0074752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdx.sys
2012-02-11 10:40 - 2011-04-05 09:21 - 0187904 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netbt.sys
2012-02-11 10:37 - 2011-04-05 09:21 - 0078336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dfsc.sys
2012-02-11 09:31 - 2010-04-14 14:24 - 1121185 ____A C:\Windows\WindowsUpdate.log
2012-02-11 09:30 - 2012-02-11 09:30 - 1932256 ____A (Symantec Corporation) C:\Users\mick\Desktop\FixTDSS.exe
2012-02-11 09:30 - 2012-02-11 09:30 - 0026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-02-11 09:30 - 2012-02-11 09:30 - 0000000 ____D C:\Users\mick\AppData\Roaming\FixTDSS
2012-02-11 09:30 - 2011-03-07 10:51 - 0000000 ____D C:\Users\mick\AppData\Local\TSVNCache
2012-02-11 09:28 - 2011-10-18 08:17 - 0000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-02-11 09:17 - 2012-02-11 09:17 - 0002016 ____A C:\Users\mick\Desktop\aswMBR.txt
2012-02-11 09:17 - 2012-02-09 14:45 - 0000512 ____A C:\Users\mick\Desktop\MBR.dat
2012-02-11 09:16 - 2010-09-07 11:29 - 0000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000UA.job
2012-02-11 07:50 - 2009-07-13 20:34 - 0014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-02-11 07:50 - 2009-07-13 20:34 - 0014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-02-11 07:46 - 2010-04-14 12:12 - 0730320 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-11 07:44 - 2011-09-13 07:49 - 0000000 ____D C:\Users\mick\AppData\Roaming\Dropbox
2012-02-11 07:42 - 2012-02-05 08:37 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-02-11 07:42 - 2011-10-18 08:17 - 0000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-02-11 07:42 - 2010-04-14 14:54 - 0000000 ____D C:\Users\All Users\NVIDIA
2012-02-11 07:42 - 2010-04-14 14:54 - 0000000 ____D C:\ProgramData\NVIDIA
2012-02-11 07:42 - 2010-04-14 12:02 - 2383761408 __ASH C:\hiberfil.sys
2012-02-11 07:42 - 2009-07-13 20:53 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-02-11 07:42 - 2009-07-13 20:39 - 0060770 ____A C:\Windows\setupact.log
2012-02-11 07:41 - 2012-02-11 07:41 - 0079638 ____A C:\TDSSKiller.2.7.11.0_11.02.2012_08.41.00_log.txt
2012-02-11 07:41 - 2012-02-06 21:57 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-02-11 07:40 - 2012-02-11 07:40 - 0000346 ____A C:\TDSSKiller.2.7.9.0_11.02.2012_08.40.00_log.txt
2012-02-11 00:19 - 2012-02-11 00:19 - 0021717 ____A C:\Users\mick\Desktop\combofix-log.txt
2012-02-11 00:00 - 2012-02-11 00:00 - 0021717 ____A C:\ComboFix.txt
2012-02-11 00:00 - 2012-02-09 10:00 - 0000000 ____D C:\Qoobox
2012-02-10 23:48 - 2012-02-10 23:48 - 0000000 ____D C:\$RECYCLE.BIN
2012-02-10 23:48 - 2009-07-13 18:04 - 0000215 ____A C:\Windows\system.ini
2012-02-10 23:43 - 2010-04-14 14:54 - 0049338 ____A C:\Windows\PFRO.log
2012-02-10 23:27 - 2012-02-09 10:23 - 0000000 ____D C:\Windows\ERDNT
2012-02-10 23:27 - 2009-07-13 18:03 - 55029760 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-02-10 23:27 - 2009-07-13 18:03 - 22806528 ____A C:\Windows\System32\config\SYSTEM.bak
2012-02-10 23:27 - 2009-07-13 18:03 - 0262144 ____A C:\Windows\System32\config\DEFAULT.bak
2012-02-10 23:27 - 2009-07-13 18:03 - 0028672 ____A C:\Windows\System32\config\SAM.bak
2012-02-10 23:27 - 2009-07-13 18:03 - 0024576 ____A C:\Windows\System32\config\SECURITY.bak
2012-02-10 23:19 - 2012-02-10 23:18 - 4400207 ____R (Swearware) C:\Users\mick\Desktop\ComboFix.exe
2012-02-10 23:15 - 2010-05-22 11:09 - 0000000 ____D C:\Users\All Users\LogMeIn
2012-02-10 23:15 - 2010-05-22 11:09 - 0000000 ____D C:\ProgramData\LogMeIn
2012-02-10 19:50 - 2012-02-10 19:50 - 0036791 ____A C:\Users\mick\Desktop\ark.txt
2012-02-10 14:55 - 2010-06-18 09:31 - 0000000 ____D C:\Users\mick\AppData\Roaming\FileZilla
2012-02-10 14:54 - 2012-02-10 14:54 - 2094534 ____A C:\Users\mick\Downloads\Rackspace Instructions.pdf
2012-02-10 13:16 - 2010-09-07 11:29 - 0000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000Core.job
2012-02-10 08:21 - 2010-04-14 20:33 - 0000600 ____A C:\Users\mick\winscp.RND
2012-02-10 08:20 - 2011-02-23 09:05 - 0000000 ____D C:\Users\mick\AppData\Roaming\TeraCopy
2012-02-10 07:45 - 2010-04-14 16:35 - 0000000 ____D C:\Users\mick\AppData\Local\Digsby
2012-02-09 15:47 - 2012-02-09 15:47 - 0016577 ____A C:\Users\mick\Desktop\Attach.txt
2012-02-09 15:46 - 2012-02-09 15:46 - 0017730 ____A C:\Users\mick\Desktop\DDS.txt
2012-02-09 15:44 - 2012-02-06 08:03 - 0000000 ____D C:\Users\mick\Downloads\malware
2012-02-09 15:11 - 2012-02-09 15:11 - 0139196 ____A C:\Users\mick\Desktop\OTL.Txt
2012-02-09 15:11 - 2012-02-09 15:11 - 0057996 ____A C:\Users\mick\Desktop\Extras.Txt
2012-02-09 15:00 - 2012-02-09 15:00 - 0584192 ____A (OldTimer Tools) C:\Users\mick\Desktop\OTL.exe
2012-02-09 14:52 - 2012-02-09 14:45 - 0004143 ____A C:\Users\mick\Desktop\aswMBR-old.txt
2012-02-09 13:47 - 2012-02-09 13:47 - 4733440 ____A (AVAST Software) C:\Users\mick\Desktop\aswMBR.exe
2012-02-09 13:25 - 2012-02-09 13:25 - 1413120 ____A (Option^Explicit Software Solutions) C:\Users\mick\Desktop\winsockfix.exe
2012-02-09 12:12 - 2012-02-09 12:14 - 9200064 ____A (OPSWAT, Inc.) C:\Users\mick\Desktop\AppRemover.exe
2012-02-09 12:06 - 2012-02-09 12:00 - 0001218 ____A C:\Users\mick\Desktop\SystemLook.txt
2012-02-09 11:59 - 2012-02-09 11:59 - 0001480 ____A C:\Users\mick\Desktop\FSS.txt
2012-02-09 11:57 - 2012-02-09 11:57 - 0037328 ____A C:\Users\mick\Desktop\RKUnhooker-Report.txt
2012-02-09 11:51 - 2012-02-09 11:51 - 0000470 ____A C:\Users\mick\Desktop\defogger_disable.log
2012-02-09 11:51 - 2012-02-09 11:51 - 0000000 ____A C:\Users\mick\defogger_reenable
2012-02-09 11:51 - 2010-04-14 14:24 - 0000000 ____D C:\users\mick
2012-02-09 11:46 - 2012-02-09 11:46 - 0446464 ____A (OldTimer Tools) C:\Users\mick\Desktop\TFC.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A C:\Users\mick\Desktop\SystemLook.exe
2012-02-09 11:45 - 2012-02-09 11:45 - 0139264 ____A () C:\Users\mick\Desktop\RKUnhookerLE.EXE
2012-02-09 11:45 - 2012-02-09 11:45 - 0050477 ____A C:\Users\mick\Desktop\Defogger.exe
2012-02-09 11:43 - 2012-02-09 11:44 - 0335925 ____A C:\Users\mick\Desktop\FSS.exe
2012-02-09 11:28 - 2012-02-03 23:48 - 0269398 ____A C:\Windows\ntbtlog.txt
2012-02-09 11:12 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\NDF
2012-02-09 11:07 - 2010-08-18 09:10 - 0000000 ____D C:\Users\mick\AppData\Local\ElevatedDiagnostics
2012-02-09 11:03 - 2009-07-13 18:37 - 0000000 ___RD C:\users\Public
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-02-09 10:34 - 2012-02-09 10:34 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-02-09 10:12 - 2010-04-14 15:15 - 0000000 ____D C:\Users\All Users\avg9
2012-02-09 10:12 - 2010-04-14 15:15 - 0000000 ____D C:\ProgramData\avg9
2012-02-09 10:04 - 2010-10-22 08:49 - 0000000 ____D C:\Users\All Users\MFAData
2012-02-09 10:04 - 2010-10-22 08:49 - 0000000 ____D C:\ProgramData\MFAData
2012-02-09 09:15 - 2012-02-11 07:40 - 2059824 ____A (Kaspersky Lab ZAO) C:\Users\mick\Desktop\TDSSKiller.exe
2012-02-09 08:30 - 2011-06-14 16:56 - 0000000 ____D C:\wamp
2012-02-09 07:51 - 2012-02-02 12:50 - 0001516 ____A C:\Windows\System32\Drivers\etc\hosts.bak
2012-02-08 23:15 - 2012-02-08 23:15 - 0143696 ____A C:\Windows\Minidump\020912-22308-01.dmp
2012-02-08 23:15 - 2010-04-26 08:02 - 233615735 ____A C:\Windows\MEMORY.DMP
2012-02-08 23:15 - 2010-04-26 08:02 - 0000000 ____D C:\Windows\Minidump
2012-02-08 20:02 - 2011-08-05 09:34 - 0000000 ____D C:\Users\mick\AppData\Roaming\Spotify
2012-02-08 11:58 - 2010-04-14 10:07 - 0000000 ____D C:\Config.Msi
2012-02-08 11:54 - 2010-04-14 15:32 - 0000000 ____D C:\htdocs
2012-02-08 09:31 - 2011-06-14 16:01 - 0000000 ____D C:\Users\mick\Downloads\AMP
2012-02-07 17:24 - 2011-08-05 09:34 - 0000000 ____D C:\Users\mick\AppData\Local\Spotify
2012-02-06 21:57 - 2012-02-06 21:56 - 0080352 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.56.21_log.txt
2012-02-06 21:53 - 2012-02-06 21:52 - 0079506 ____A C:\TDSSKiller.2.7.9.0_06.02.2012_22.52.19_log.txt
2012-02-06 21:50 - 2011-12-17 19:59 - 0242754 ____A C:\shared.log
2012-02-06 20:55 - 2011-12-17 20:54 - 0282864 ____A C:\Windows\System32\PnkBstrB.xtr
2012-02-06 20:55 - 2011-12-17 19:55 - 0282864 ____A C:\Windows\System32\PnkBstrB.exe
2012-02-06 20:55 - 2011-12-17 19:55 - 0280904 ____A C:\Windows\System32\PnkBstrB.ex0
2012-02-06 20:55 - 2011-12-17 19:55 - 0139176 ____A C:\Windows\System32\Drivers\PnkBstrK.sys
2012-02-06 12:28 - 2010-05-17 13:51 - 0001456 ____A C:\Users\mick\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-02-06 08:04 - 2012-02-06 08:04 - 0607260 ____R (Swearware) C:\Users\mick\Desktop\dds.scr
2012-02-06 08:04 - 2012-02-06 08:04 - 0302592 ____A C:\Users\mick\Desktop\GMER.exe
2012-02-04 21:25 - 2010-04-18 09:22 - 0000000 ____D C:\Program Files\Java
2012-02-04 21:22 - 2012-02-04 21:22 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall (1).exe
2012-02-03 23:50 - 2012-02-03 23:50 - 0000000 ____D C:\Users\mick\Downloads\backups
2012-02-03 23:49 - 2012-02-01 16:35 - 0008687 ____A C:\Users\mick\Downloads\hijackthis.log
2012-02-03 16:11 - 2012-02-03 16:10 - 0079214 ____A C:\TDSSKiller.2.7.9.0_03.02.2012_17.10.41_log.txt
2012-02-03 16:10 - 2012-02-03 16:10 - 2059312 ____A (Kaspersky Lab ZAO) C:\Users\mick\Downloads\tdsskiller.exe
2012-02-03 16:03 - 2012-02-03 16:03 - 0001759 ____A C:\Users\mick\Desktop\SafeReturner_log.txt
2012-02-03 16:03 - 2012-02-03 16:00 - 0000000 ____D C:\Users\All Users\SafeReturner
2012-02-03 16:03 - 2012-02-03 16:00 - 0000000 ____D C:\ProgramData\SafeReturner
2012-02-03 16:01 - 2012-02-03 16:01 - 0000102 ____A C:\Users\mick\Desktop\catchme.log
2012-02-03 16:01 - 2012-02-03 16:00 - 0000329 ____A C:\Users\mick\Desktop\AntiExeHijack.log
2012-02-03 16:01 - 2012-02-03 16:00 - 0000000 ____D C:\Program Files\Safe Returner
2012-02-03 16:00 - 2012-02-03 16:00 - 0001026 ____A C:\Users\Public\Desktop\Safe Returner.lnk
2012-02-03 16:00 - 2012-02-03 16:00 - 0001006 ____A C:\Users\Public\Desktop\Kill Rogue Process.lnk
2012-02-03 09:13 - 2012-02-03 09:13 - 5154304 ____A C:\Users\mick\Downloads\WindowsDefender.msi
2012-02-03 03:01 - 2012-02-03 03:01 - 0143696 ____A C:\Windows\Minidump\020312-22744-01.dmp
2012-02-02 09:18 - 2010-05-17 10:37 - 0000000 ____D C:\Users\All Users\regid.1986-12.com.adobe
2012-02-02 09:18 - 2010-05-17 10:37 - 0000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2012-02-01 18:40 - 2012-02-01 16:40 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-02-01 18:40 - 2012-02-01 16:40 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0001073 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Users\mick\AppData\Roaming\Malwarebytes
2012-02-01 16:40 - 2012-02-01 16:40 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-02-01 16:34 - 2012-02-01 16:34 - 0401720 ____A (Trend Micro Inc.) C:\Users\mick\Downloads\iexplore.exe
2012-02-01 16:29 - 2012-02-01 16:29 - 9502424 ____A (Malwarebytes Corporation ) C:\Users\mick\Downloads\mbam-setup-1.60.1.1000.exe
2012-02-01 07:35 - 2010-04-14 14:32 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-02-01 07:34 - 2010-04-14 16:35 - 0000000 ____D C:\Program Files\Digsby
2012-02-01 02:17 - 2011-12-17 20:54 - 0000000 ____D C:\Program Files\Battlelog Web Plugins
2012-01-31 20:37 - 2012-01-31 20:37 - 3870904 ____A C:\Users\mick\Downloads\battlelog-web-plugins-1.110.0-retail-prod.exe
2012-01-30 16:30 - 2010-07-28 15:57 - 0000000 ____D C:\Users\mick\Downloads\360 mod
2012-01-30 09:46 - 2011-08-05 09:34 - 0000000 ____D C:\Program Files\Spotify
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\TortoiseSVN
2012-01-26 12:12 - 2012-01-26 12:12 - 0000000 ____D C:\Program Files\Common Files\TortoiseOverlays
2012-01-26 12:08 - 2012-01-26 12:07 - 13697024 ____A C:\Users\mick\Downloads\TortoiseSVN-1.7.4.22459-win32-svn-1.7.2.msi
2012-01-25 14:12 - 2010-09-07 11:30 - 0002398 ____A C:\Users\mick\Desktop\Google Chrome.lnk
2012-01-23 13:09 - 2011-09-17 22:05 - 0000000 ____D C:\Users\All Users\Rosetta Stone
2012-01-23 13:09 - 2011-09-17 22:05 - 0000000 ____D C:\ProgramData\Rosetta Stone
2012-01-20 11:55 - 2012-01-20 11:55 - 0001020 ____A C:\Users\mick\Start Menu\Programs\Startup\Dropbox.lnk
2012-01-20 11:55 - 2012-01-20 11:55 - 0001020 ____A C:\Users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
2012-01-16 14:25 - 2012-01-16 14:24 - 0004807 ____A C:\Windows\System32\jupdate-1.6.0_30-b12.log
2012-01-16 14:23 - 2012-01-16 14:23 - 0909600 ____A (Sun Microsystems, Inc.) C:\Users\mick\Downloads\chromeinstall.exe
2012-01-14 10:37 - 2012-01-14 10:37 - 0000000 ____D C:\Program Files\K-Lite Codec Pack
2012-01-14 10:35 - 2012-01-14 10:34 - 7413286 ____A ( ) C:\Users\mick\Downloads\K-Lite_Codec_Pack_810_Basic.exe
2012-01-13 18:35 - 2011-12-17 19:55 - 0076888 ____A C:\Windows\System32\PnkBstrA.exe
2012-01-13 18:28 - 2011-12-17 19:28 - 0000943 ____A C:\Users\Public\Desktop\Origin.lnk
2012-01-13 18:27 - 2011-12-17 19:28 - 0001561 ____A C:\Windows\KB893803v2.log
2012-01-13 18:27 - 2011-12-17 19:28 - 0000000 ____D C:\Program Files\Origin
2012-01-12 10:23 - 2012-01-12 10:22 - 52017986 ____A C:\Users\mick\Downloads\kelli_garner_bully_hd_03.avi
2012-01-11 02:08 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\Microsoft.NET
2012-01-11 02:06 - 2010-04-14 17:55 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-01-11 02:06 - 2010-04-14 17:55 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-01-11 02:03 - 2010-04-18 16:24 - 52128560 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-01-09 10:03 - 2012-01-09 10:02 - 4518720 ____A (FileZilla Project) C:\Users\mick\Downloads\FileZilla_3.5.3_win32-setup.exe
2012-01-09 10:03 - 2010-08-16 09:59 - 0000000 ____D C:\Program Files\FileZilla FTP Client
2012-01-06 11:49 - 2010-10-01 19:30 - 0000000 ____D C:\Users\mick\AppData\Local\Deployment
2012-01-02 23:28 - 2012-01-02 23:28 - 2570286 ____A C:\Windows\System32\abgx360.exe
2011-12-28 18:10 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\LiveKernelReports
2011-12-28 13:58 - 2011-08-10 09:59 - 0000000 ____D C:\Users\mick\AppData\Local\CloudBerry S3 Explorer PRO
2011-12-28 12:41 - 2011-12-28 12:40 - 8760040 ____A C:\Users\mick\Downloads\CloudBerryExplorerSetup_v3.2.2.27Pro.exe
2011-12-28 12:41 - 2011-08-10 09:59 - 0001318 ____A C:\Users\Public\Desktop\CloudBerry S3 Explorer PRO.lnk
2011-12-22 17:14 - 2011-12-22 17:14 - 0001102 ____A C:\Users\mick\Documents\joseph-blank.txt
2011-12-20 16:53 - 2010-04-14 20:53 - 0000000 ____D C:\Torrents
2011-12-19 16:51 - 2011-12-19 16:51 - 0000000 ____D C:\Windows\pss
2011-12-17 21:39 - 2010-07-07 19:48 - 0000000 ____D C:\Program Files\Common Files\Blizzard Entertainment
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\Users\mick\AppData\Roaming\ATI
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\Users\mick\AppData\Local\ATI
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\Users\All Users\ATI
2011-12-17 21:06 - 2011-12-17 21:06 - 0000000 ____D C:\ProgramData\ATI
2011-12-17 21:05 - 2011-03-15 17:04 - 0000000 ____D C:\Program Files\ATI Technologies
2011-12-17 21:05 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\DriverStore
2011-12-17 20:54 - 2011-12-17 20:54 - 0000000 ____D C:\Users\mick\Documents\Battlefield 3
2011-12-17 20:54 - 2011-12-17 20:54 - 0000000 ____D C:\Users\mick\AppData\Local\PunkBuster
2011-12-17 20:52 - 2011-12-17 20:52 - 0000000 ____A C:\Users\mick\Downloads\battlelog-web-plugins-1.104.0-retail-prod.exe
2011-12-17 20:29 - 2011-12-17 19:55 - 0138056 ____A C:\Users\mick\AppData\Roaming\PnkBstrK.sys
2011-12-17 19:59 - 2011-12-17 19:59 - 0000000 ____D C:\Users\All Users\EA Core
2011-12-17 19:59 - 2011-12-17 19:59 - 0000000 ____D C:\ProgramData\EA Core
2011-12-17 19:59 - 2011-12-17 19:28 - 0000000 ____D C:\Users\All Users\Electronic Arts
2011-12-17 19:59 - 2011-12-17 19:28 - 0000000 ____D C:\ProgramData\Electronic Arts
2011-12-17 19:58 - 2011-12-17 19:28 - 0000000 ____D C:\Users\All Users\Origin
2011-12-17 19:58 - 2011-12-17 19:28 - 0000000 ____D C:\ProgramData\Origin
2011-12-17 19:55 - 2011-12-17 19:55 - 0000000 ___HD C:\Program Files\Common Files\EAInstaller
2011-12-17 19:55 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\System32\LogFiles
2011-12-17 19:39 - 2011-12-17 19:28 - 0000000 ____D C:\Program Files\Origin Games
2011-12-17 19:37 - 2011-12-17 19:31 - 0000000 ____D C:\Users\mick\AppData\Roaming\Origin
2011-12-17 19:28 - 2011-12-17 19:28 - 0000000 ____D C:\Users\mick\AppData\Local\Origin
2011-12-17 19:27 - 2010-04-20 23:20 - 0000000 ____D C:\World of Warcraft
2011-12-17 19:01 - 2011-12-17 17:21 - 0000000 ____D C:\Users\mick\Desktop\Battlefield 3
2011-12-17 10:16 - 2010-11-02 08:46 - 0000000 ____D C:\Program Files\SystemRequirementsLab
2011-12-17 10:16 - 2010-11-02 08:42 - 0000000 ____D C:\Users\mick\AppData\Roaming\SystemRequirementsLab
2011-12-14 03:03 - 2009-07-13 18:37 - 0000000 ____D C:\Windows\rescache
2011-12-14 02:26 - 2009-07-13 20:33 - 3870744 ____A C:\Windows\System32\FNTCACHE.DAT
2011-12-14 02:06 - 2011-06-21 16:20 - 0000039 ____A C:\Windows\vbaddin.ini
2011-12-10 14:24 - 2012-02-01 16:40 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-12-07 12:57 - 2010-05-22 11:08 - 0001024 ____A C:\.rnd
2011-12-07 12:55 - 2011-12-07 12:55 - 0000000 ____D C:\usr
2011-12-07 12:48 - 2011-12-07 12:48 - 0000000 ____D C:\OpenSSL
2011-12-07 11:51 - 2010-04-26 12:20 - 0000000 ____D C:\Program Files\Common Files\Adobe AIR
2011-11-23 20:25 - 2011-12-13 11:43 - 2342912 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-11-19 06:01 - 2012-01-10 14:50 - 0067072 ____A (Microsoft Corporation) C:\Windows\System32\packager.dll
2011-11-18 07:42 - 2011-05-22 10:07 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-11-16 21:41 - 2012-01-31 03:12 - 0134000 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2011-11-16 21:41 - 2012-01-31 03:12 - 0067440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2011-11-16 21:39 - 2012-01-31 03:12 - 0369352 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2011-11-16 21:38 - 2012-01-10 14:50 - 1288472 ____A (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2011-11-16 21:35 - 2012-01-31 03:12 - 0314880 ____A (Microsoft Corporation) C:\Windows\System32\webio.dll
2011-11-16 21:34 - 2012-01-31 03:12 - 0224768 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2011-11-16 21:34 - 2012-01-31 03:12 - 0100352 ____A (Microsoft Corporation) C:\Windows\System32\sspicli.dll
2011-11-16 21:34 - 2012-01-31 03:12 - 0022016 ____A (Microsoft Corporation) C:\Windows\System32\secur32.dll
2011-11-16 21:34 - 2012-01-31 03:12 - 0015872 ____A (Microsoft Corporation) C:\Windows\System32\sspisrv.dll
2011-11-16 21:32 - 2012-01-31 03:12 - 1038848 ____A (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2011-11-16 21:29 - 2012-01-31 03:12 - 0022528 ____A (Microsoft Corporation) C:\Windows\System32\lsass.exe

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 4055.11 MB
Available physical RAM: 3140.53 MB
Total Pagefile: 4053.39 MB
Available Pagefile: 3266.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.31 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:232.78 GB) (Free:44.15 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
3 Drive e: () (Fixed) (Total:76.32 GB) (Free:66.1 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         232 GB   7168 KB
Disk 1    Online         76 GB    13 MB

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM               39 MB    31 KB
Partition 2    Primary           232 GB   39 MB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3                    FAT    Partition   39 MB    Healthy    Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  C    OS           NTFS   Partition   232 GB   Healthy

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           76 GB    31 KB

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2  E                 NTFS   Partition   76 GB    Healthy



==========================================================

Last Boot: 2012-02-08 23:45

======================= End Of Log ==========================

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:45 PM

Posted 12 February 2012 - 02:48 AM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt.

Last Boot: 2012-02-08 23:45
CMD: bootrec /FixMbr

 


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 Wizzums

Wizzums
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:45 PM

Posted 12 February 2012 - 02:54 AM

It has weird characters in part of the log, and won't let me copy and paste them. I've attached a screenshot of the log as well.

Fix result of Farbar Recovery Tool (FRST written by farbar) Version: 11-02-2012
Ran by SYSTEM at 2012-02-12 00:51:14 R:1
Running from E:\malware

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

========= bootrec /FixMbr =========

˙ūT




#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:45 PM

Posted 12 February 2012 - 03:05 AM

System Recovery Environment

To access the System Recovery Environment, simply boot your PC:

  • Just before the system loads the Windows operating system, hit the [F8] (Function 8) key on your keyboard, which will launch the Advanced Boot Options menu.
  • There you will see a new option, 'Repair Your Computer'; select this option and hit 'Enter' on your keyboard.
  • Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next.
  • From the "Choose a Recovery Tool" dialog menu, select "Command Prompt".
  • Type the following into the "Command Prompt" window and press Enter:

    bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command, boot back into the System Recovery Environment, type the following into the "Command Prompt" window and press Enter:

    bootrec.exe /fixboot

#13 Wizzums

Wizzums
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:45 PM

Posted 12 February 2012 - 03:30 AM

Great, I'm back in Windows 7 now. Below is the log from the pop up I got when Windows finally booted again. Do I need to continue the malware removal process?



Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: C000001D
BCP2: A42383EE
BCP3: A3B838F4
BCP4: A3B834D0
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\021212-17144-01.dmp
C:\Users\mick\AppData\Local\temp\WER-43399-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:45 PM

Posted 12 February 2012 - 03:35 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
[image not preserved: dragging CFScript.txt onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#15 Wizzums

Wizzums
  • Topic Starter

  • Members
  • 27 posts
  • Local time:02:45 PM

Posted 12 February 2012 - 04:15 AM

The scan popped up and said I was infected with Rootkit.ZeroAccess before initiating a reboot.

The scan completed and the computer rebooted. I logged in and received a pop-up error dialog during the Windows loading screen. The error was regarding explorer.exe. I didn't get to read much of it before the computer automatically rebooted.

When I logged back in again, everything loaded fine and ComboFix completed its scan. The log is below.



ComboFix 12-02-10.03 - mick 02/12/2012 1:45.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3031.2168 [GMT -7:00]
Running from: c:\users\mick\Desktop\ComboFix.exe
Command switches used :: c:\users\mick\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB39289$\1552991721\@
c:\windows\$NtUninstallKB39289$\1552991721\cfg.ini
c:\windows\$NtUninstallKB39289$\1552991721\Desktop.ini
c:\windows\$NtUninstallKB39289$\1552991721\L\xadqgnnk
c:\windows\$NtUninstallKB39289$\1552991721\oemid
c:\windows\$NtUninstallKB39289$\1552991721\U\00000001.@
c:\windows\$NtUninstallKB39289$\1552991721\U\00000002.@
c:\windows\$NtUninstallKB39289$\1552991721\U\00000004.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000000.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000004.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000032.@
c:\windows\$NtUninstallKB39289$\1552991721\version
c:\windows\$NtUninstallKB39289$\3703306941
.
Infected copy of c:\windows\system32\drivers\dtsoftbus01.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\msports.inf_x86_neutral_c1a802e06677f73f\serial.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.cdrom
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 08:57 . 2012-02-12 09:00 -------- d-----w- c:\users\mick\AppData\Local\temp
2012-02-12 08:57 . 2012-02-12 08:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-12 08:57 . 2009-07-13 23:45 83456 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-12 08:41 . 2011-09-18 06:04 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-12 07:49 . 2012-02-12 07:50 -------- d-----w- C:\FRST
2012-02-11 17:30 . 2012-02-11 17:30 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-02-11 17:30 . 2012-02-11 17:30 -------- d-----w- c:\users\mick\AppData\Roaming\FixTDSS
2012-02-09 20:27 . 2010-11-20 08:44 388096 ----a-w- c:\windows\system32\drivers\csc.sys
2012-02-07 05:57 . 2012-02-11 15:41 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-05 16:37 . 2012-02-12 08:59 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 00:00 . 2012-02-04 00:03 -------- d-----w- c:\programdata\SafeReturner
2012-02-04 00:00 . 2012-02-04 00:01 -------- d-----w- c:\program files\Safe Returner
2012-02-02 00:40 . 2012-02-02 00:40 -------- d-----w- c:\users\mick\AppData\Roaming\Malwarebytes
2012-02-02 00:40 . 2012-02-02 02:40 -------- d-----w- c:\programdata\Malwarebytes
2012-02-02 00:40 . 2012-02-02 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 00:40 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 11:12 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-31 11:12 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-31 11:12 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-31 11:12 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-31 11:12 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-31 11:12 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-31 11:12 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-31 11:12 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-31 11:12 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-31 11:12 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-26 20:12 . 2012-01-26 20:12 -------- d-----w- c:\program files\TortoiseSVN
2012-01-26 20:12 . 2012-01-26 20:12 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2012-01-16 22:25 . 2011-08-15 02:02 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-14 18:37 . 2011-03-02 11:43 175616 ----a-w- c:\windows\system32\unrar.dll
2012-01-14 18:37 . 2012-01-14 18:37 -------- d-----w- c:\program files\K-Lite Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-11 18:42 . 2011-04-05 17:21 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-11 18:40 . 2011-04-05 17:21 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-11 18:37 . 2011-04-05 17:21 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-02-07 04:55 . 2011-12-18 03:55 139176 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-02-07 04:55 . 2011-12-18 04:54 282864 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-02-07 04:55 . 2011-12-18 03:55 282864 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-02-07 04:55 . 2011-12-18 03:55 280904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-01-14 02:35 . 2011-12-18 03:55 76888 ----a-w- c:\windows\system32\PnkBstrA.exe
2012-01-03 07:28 . 2012-01-03 07:28 2570286 ----a-w- c:\windows\system32\abgx360.exe
2011-12-18 04:29 . 2011-12-18 03:55 138056 ----a-w- c:\users\mick\AppData\Roaming\PnkBstrK.sys
2011-11-24 04:25 . 2011-12-13 19:43 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01 . 2012-01-10 22:50 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-18 15:42 . 2011-05-22 18:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-17 05:38 . 2012-01-10 22:50 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-02-01 15:35 . 2011-03-10 19:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1298320]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\mick\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
UltraMon.lnk - c:\windows\Installer\{20A36691-B09B-4EF2-A371-64A5BD265E20}\IcoUltraMon.ico [2010-4-18 29310]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^Users^mick^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\mick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-23 01:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-01-31 07:36 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 10:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-07-23 05:10 402432 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4910912 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-09-07 19:29 136176 ----atw- c:\users\mick\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Home Storage Manager]
2009-10-27 22:06 152936 ----a-w- c:\program files\Iomega\Home Storage Manager\Iomega Discovery.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 06:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-11-10 05:45 343168 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 20:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-09-24 20:19 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 136176]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netr73;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr73.sys [2010-02-24 562464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RegKernelHelp;RegKernelHelp;c:\program files\Safe Returner\RegKernelHelp.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-17 1343400]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-09-18 232512]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-11-10 176128]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-06-16 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacom\x86\novacomd.exe [2011-03-15 61440]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2011-03-31 80896]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-11-14 17184]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-11-10 8913920]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-11-10 263680]
S3 athur;Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athur.sys [2010-01-06 1500160]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-10-17 85520]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-06 273960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PSSdk21
ndiscm
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 16:17]
.
2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-18 16:17]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000Core.job
- c:\users\mick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-07 19:29]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2375669661-3830493300-2605543408-1000UA.job
- c:\users\mick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-07 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:80
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
LSP: mswsock.dll
Trusted Zone: teamitec.com\www
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\mick\AppData\Roaming\Mozilla\Firefox\Profiles\rgl6tyt3.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2388)
c:\windows\system32\MSWSOCK.dll
mswsock.DLL 74a30000 245760 \\?\globalroot\systemroot\system32\mswsock.DLL
c:\users\mick\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\System32\ping.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-02-12 02:12:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-12 09:12
ComboFix2.txt 2012-02-11 08:00
ComboFix3.txt 2012-02-09 20:56
ComboFix4.txt 2012-02-09 19:03
.
Pre-Run: 47,407,341,568 bytes free
Post-Run: 47,236,923,392 bytes free
.
- - End Of File - - 67F2E65DCAF619F29FBC8C90100B9C16
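As an added example, not code from this thread or from ComboFix: a small Python triage script that splits a ComboFix log into its banner sections and flags the ZeroAccess-style indicators visible in the log above (the fake `$NtUninstallKB39289$` folder with its `@`, `U\` and `L\` payload files, the disinfected driver, the `ProxyServer = 127.0.0.1:80` setting and `ping.exe` among the running processes). The embedded sample log is a constructed excerpt that mirrors the posted lines and section names; the indicator names are this script's own labels.

```python
"""Triage a ComboFix log for the ZeroAccess-style indicators seen in this thread.
Added example, not part of ComboFix or of any post here; the sample log is a
constructed excerpt that mirrors the posted log's lines and section banners."""
import re
from collections import Counter

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB39289$\1552991721\@
c:\windows\$NtUninstallKB39289$\1552991721\cfg.ini
c:\windows\$NtUninstallKB39289$\1552991721\L\xadqgnnk
c:\windows\$NtUninstallKB39289$\1552991721\U\00000001.@
c:\windows\$NtUninstallKB39289$\1552991721\U\80000032.@
c:\windows\$NtUninstallKB39289$\3703306941
.
Infected copy of c:\windows\system32\drivers\dtsoftbus01.sys was found and disinfected
c:\windows\system32\drivers\Serial.sys was missing
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:80
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\taskhost.exe
c:\windows\System32\ping.exe
c:\windows\system32\conhost.exe
"""

# ComboFix banners look like "(((( Name ))))" or "---- Name ----" (3+ delimiters each side).
SECTION_HEADER = re.compile(r"^[(\-]{3,}\s*(.+?)\s*[)\-]{3,}$")

# Indicator patterns, each one drawn from a line of the posted log.
FAKE_UNINSTALL_DIR = re.compile(r"\$NtUninstallKB\d+\$", re.IGNORECASE)
# The "@" marker, the "U\<8 hex>.@" modules and the "L\<random>" file.
PAYLOAD_FILE = re.compile(r"\\(?:@|U\\[0-9a-f]{8}\.@|L\\[a-z]+)$", re.IGNORECASE)
DISINFECTED_DRIVER = re.compile(r"^Infected copy of (\S+) was found and disinfected")
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*127\.0\.0\.1(?::\d+)?", re.IGNORECASE)
PING_PROCESS = re.compile(r"\\ping\.exe$", re.IGNORECASE)

# (indicator name, sections where it is meaningful or None for any, pattern)
INDICATORS = [
    ("fake KB uninstall folder", None, FAKE_UNINSTALL_DIR),
    ("ZeroAccess payload file", None, PAYLOAD_FILE),
    ("disinfected driver", ("Other Deletions",), DISINFECTED_DRIVER),
    ("loopback proxy in Internet Settings", ("Supplementary Scan",), LOOPBACK_PROXY),
    ("ping.exe running", ("Other Running Processes",), PING_PROCESS),
]


def split_sections(log_text):
    """Return [(section_name, [lines])]; blank and "." spacer lines are dropped
    and anything before the first banner goes into a "Header" section."""
    sections = [("Header", [])]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        match = SECTION_HEADER.match(line)
        if match:
            sections.append((match.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections


def find_indicators(log_text):
    """Return one finding dict per (indicator, line) hit, in log order."""
    findings = []
    for section, lines in split_sections(log_text):
        for line in lines:
            for name, wanted, pattern in INDICATORS:
                if wanted is not None and section not in wanted:
                    continue
                if pattern.search(line):
                    findings.append({"indicator": name, "section": section, "line": line})
    return findings


def disinfected_drivers(log_text):
    """Paths of drivers ComboFix reports as infected and repaired; these are the
    files to re-verify (hash, signature) once the machine is back up."""
    paths = []
    for section, lines in split_sections(log_text):
        if section == "Other Deletions":
            paths += [m.group(1) for m in map(DISINFECTED_DRIVER.search, lines) if m]
    return paths


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for hit in hits:
        print(f"[{hit['section']}] {hit['indicator']}: {hit['line']}")
    print(Counter(hit["indicator"] for hit in hits))
    print("drivers to re-verify:", disinfected_drivers(SAMPLE_LOG))
```

Point it at a saved ComboFix.txt instead of SAMPLE_LOG to triage a real log; a hit on the loopback proxy alone is worth checking manually, since legitimate local proxies exist.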



