Google redirecting on links


This topic is locked
38 replies to this topic

#1 matteo85

  • Members
  • 34 posts
  • Local time:08:30 PM

Posted 12 March 2012 - 03:52 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Administrator at 16:44:03 on 2012-03-12
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [CleanMem Mini Monitor] c:\program files\cleanmem\Mini_Monitor.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\e-muus~1.lnk - c:\program files\creative professional\e-mu usb audio\EmuUsbAudioCP.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: mswsock.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/110926/CTPID.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{967F1CAD-60AE-4B43-8FE2-281F1220E6B6} : DhcpNameServer = 75.75.75.75 75.75.76.76
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pthm1l7i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pthm1l7i.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-03-12 13:29:24 583528 ----a-w- c:\windows\svcs.exe
2012-03-12 13:21:55 157184 ----a-w- c:\windows\system32\NEUSBw32.dll
2012-03-11 23:20:12 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2012-03-11 23:20:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-11 23:20:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-11 23:20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-11 18:34:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 14:09:55 -------- d-----w- c:\documents and settings\administrator\application data\f-secure
2012-03-11 14:09:22 -------- d-----w- c:\documents and settings\all users\application data\F-Secure
2012-03-10 21:37:00 -------- d-----w- C:\7bf16c882fee16eb472cde88
2012-03-09 16:37:22 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-03-07 23:56:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-05 20:18:11 -------- d-----w- c:\documents and settings\administrator\application data\NVIDIA
2012-02-21 01:23:23 -------- d-----w- c:\windows\system32\winrm
2012-02-21 01:23:23 -------- d-----w- c:\windows\system32\GroupPolicy
2012-02-21 01:23:17 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-02-21 01:22:24 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-02-21 00:59:40 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2012-02-21 00:59:17 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-21 00:59:17 220992 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-21 00:59:16 203072 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-21 00:59:16 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-21 00:59:10 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2012-02-21 00:59:10 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-21 00:58:55 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-02-21 00:58:55 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-02-21 00:58:55 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-02-21 00:58:15 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-21 00:58:15 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-21 00:56:46 -------- d-----w- C:\NVIDIA
2012-02-21 00:56:27 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2012-02-21 00:56:27 152064 ------w- c:\windows\system32\dllcache\schannel.dll
2012-02-21 00:56:25 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-02-21 00:56:25 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-02-21 00:56:25 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-02-21 00:56:25 1292288 ------w- c:\windows\system32\dllcache\quartz.dll
2012-02-21 00:56:23 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2012-02-21 00:56:21 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2012-02-21 00:56:20 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2012-02-21 00:00:18 105472 ------w- c:\windows\system32\dllcache\mup.sys
2012-02-21 00:00:16 105984 ------w- c:\windows\system32\dllcache\url.dll
2012-02-20 23:59:43 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-02-20 21:35:30 -------- d-----w- c:\windows\CleanMem
2012-02-20 21:35:30 -------- d-----w- c:\program files\CleanMem
2012-02-20 18:00:51 81920 ----a-w- c:\windows\system32\Startup.cpl
2012-02-20 17:29:12 -------- d-----w- c:\program files\RightMark
.
==================== Find3M ====================
.
2012-03-12 13:11:15 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 23:17:13 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-11 23:13:24 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-11 20:56:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-11 20:38:41 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-11 20:22:18 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-02 20:42:09 715038 ----a-w- c:\windows\unins000.exe
2012-01-12 16:54:47 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:45:42 919552 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:45:42 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:45:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:32:59 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 16:45:28.75 ===============


Every link I click redirects to a site with numbers as the address & the page never loads. I also notice if I have Firefox open that a new tab will randomly pop up with an ad etc. I'm running on XP. I do not have any sort of antivirus software on this computer at present because I use it mainly for capturing & restoring audio, which requires my memory to be free. When I do my audio I disconnect from the internet. Every free antivirus program I've come across will not completely shut down without uninstall. I'm open to suggestions on that. But at present something is really going on here...

Attached Files




#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 PM

Posted 12 March 2012 - 06:18 PM

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


NEXT

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • As we are only looking for a log of what is on the machine right now > choose to skip whatever is found
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 matteo85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:08:30 PM

Posted 13 March 2012 - 07:47 AM

Thank you so much. Here is what you've requested:
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-12 20:27:48
-----------------------------
20:27:48.984 OS Version: Windows 5.1.2600 Service Pack 3
20:27:48.984 Number of processors: 1 586 0x7F02
20:27:48.984 ComputerName: MATT-9A02033ADE UserName: Administrator
20:27:53.656 Initialize success
20:32:32.765 AVAST engine defs: 12031200
23:52:33.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port0Path0Target0Lun0
23:52:33.812 Disk 0 Vendor: ST332081 HP22 Size: 305245MB BusType: 3
23:52:33.812 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS f72c140e
23:52:33.875 Disk 0 MBR read successfully
23:52:33.875 Disk 0 MBR scan
23:52:33.906 Disk 0 Windows XP default MBR code
23:52:33.937 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 292958 MB offset 63
23:52:34.000 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12284 MB offset 599979555
23:52:34.046 Disk 0 scanning sectors +625137345
23:52:34.484 Disk 0 scanning C:\WINDOWS\system32\drivers
23:52:38.984 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Sirefef-PL [Rtk]
23:53:20.906 Disk 0 trace - called modules:
23:53:20.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xef7c3fc0]<<
23:53:20.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a378030]
23:53:20.968 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> [0x8a0db828]
23:53:20.968 \Driver\00001733[0x89686da0] -> IRP_MJ_CREATE -> 0xef7c3fc0
23:53:23.718 AVAST engine scan C:\WINDOWS
23:55:16.406 AVAST engine scan C:\WINDOWS\system32
00:11:18.750 AVAST engine scan C:\WINDOWS\system32\drivers
00:11:23.468 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Sirefef-PL [Rtk]
00:13:54.750 AVAST engine scan C:\Documents and Settings\Administrator
00:37:14.906 File: C:\Documents and Settings\Administrator\My Documents\Downloads\ESET\ESET Fix v4.30A.exe **INFECTED** Win32:AutoIt-AMC [Trj]
00:49:00.234 AVAST engine scan C:\Documents and Settings\All Users
00:58:13.406 Scan finished successfully
08:41:29.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
08:41:29.328 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"



08:43:47.0312 0696 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
08:43:47.0609 0696 ============================================================
08:43:47.0609 0696 Current date / time: 2012/03/13 08:43:47.0609
08:43:47.0609 0696 SystemInfo:
08:43:47.0609 0696
08:43:47.0609 0696 OS Version: 5.1.2600 ServicePack: 3.0
08:43:47.0609 0696 Product type: Workstation
08:43:47.0609 0696 ComputerName: MATT-9A02033ADE
08:43:47.0609 0696 UserName: Administrator
08:43:47.0609 0696 Windows directory: C:\WINDOWS
08:43:47.0609 0696 System windows directory: C:\WINDOWS
08:43:47.0609 0696 Processor architecture: Intel x86
08:43:47.0609 0696 Number of processors: 1
08:43:47.0609 0696 Page size: 0x1000
08:43:47.0609 0696 Boot type: Normal boot
08:43:47.0609 0696 ============================================================
08:44:00.0656 0696 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
08:44:00.0687 0696 \Device\Harddisk0\DR0:
08:44:00.0703 0696 MBR used
08:44:00.0703 0696 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x23C2F5E4
08:44:00.0703 0696 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x23C2F623, BlocksNum 0x17FE09E
08:44:01.0421 0696 Initialize success
08:44:01.0421 0696 ============================================================
08:44:14.0000 0732 ============================================================
08:44:14.0000 0732 Scan started
08:44:14.0000 0732 Mode: Manual; TDLFS;
08:44:14.0000 0732 ============================================================
08:44:15.0531 0732 Abiosdsk - ok
08:44:15.0734 0732 abp480n5 - ok
08:44:16.0140 0732 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:44:16.0171 0732 ACPI - ok
08:44:16.0406 0732 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:44:16.0406 0732 ACPIEC - ok
08:44:16.0578 0732 adpu160m - ok
08:44:16.0734 0732 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:44:16.0750 0732 aec - ok
08:44:17.0000 0732 AFD (36b96de43c58e0198108bc14c0af4402) C:\WINDOWS\System32\drivers\afd.sys
08:44:17.0046 0732 AFD ( Virus.Win32.ZAccess.c ) - infected
08:44:17.0046 0732 AFD - detected Virus.Win32.ZAccess.c (0)
08:44:17.0484 0732 AgereSoftModem (c6fa08a8cca9001f3197525b07331715) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
08:44:17.0875 0732 AgereSoftModem - ok
08:44:18.0046 0732 Aha154x - ok
08:44:18.0296 0732 aic78u2 - ok
08:44:18.0515 0732 aic78xx - ok
08:44:18.0796 0732 AliIde - ok
08:44:19.0109 0732 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
08:44:19.0109 0732 AmdK8 - ok
08:44:19.0312 0732 amsint - ok
08:44:19.0484 0732 appliand (05eda44c080ebaf758f8a318488ffd75) C:\WINDOWS\system32\DRIVERS\appliand.sys
08:44:19.0484 0732 appliand - ok
08:44:19.0500 0732 appliandMP (05eda44c080ebaf758f8a318488ffd75) C:\WINDOWS\system32\DRIVERS\appliand.sys
08:44:19.0500 0732 appliandMP - ok
08:44:19.0640 0732 asc - ok
08:44:19.0734 0732 asc3350p - ok
08:44:19.0890 0732 asc3550 - ok
08:44:20.0156 0732 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:44:20.0156 0732 AsyncMac - ok
08:44:20.0437 0732 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
08:44:20.0437 0732 atapi - ok
08:44:20.0687 0732 Atdisk - ok
08:44:20.0921 0732 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:44:20.0921 0732 Atmarpc - ok
08:44:21.0234 0732 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:44:21.0250 0732 audstub - ok
08:44:21.0718 0732 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:44:21.0718 0732 cbidf2k - ok
08:44:21.0984 0732 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:44:22.0031 0732 CCDECODE - ok
08:44:22.0250 0732 cd20xrnt - ok
08:44:22.0671 0732 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:44:22.0671 0732 Cdaudio - ok
08:44:23.0000 0732 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:44:23.0046 0732 Cdfs - ok
08:44:23.0406 0732 cdrbsdrv (9008ad94f28360a2f1409592bfc7acf7) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
08:44:23.0453 0732 cdrbsdrv - ok
08:44:23.0734 0732 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:44:23.0734 0732 Cdrom - ok
08:44:23.0890 0732 Changer - ok
08:44:24.0046 0732 CmdIde - ok
08:44:24.0250 0732 Cpqarray - ok
08:44:24.0546 0732 dac2w2k - ok
08:44:24.0812 0732 dac960nt - ok
08:44:25.0218 0732 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
08:44:25.0234 0732 Disk - ok
08:44:25.0671 0732 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:44:25.0984 0732 dmboot - ok
08:44:26.0359 0732 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:44:26.0375 0732 dmio - ok
08:44:26.0703 0732 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:44:26.0703 0732 dmload - ok
08:44:26.0984 0732 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:44:27.0000 0732 DMusic - ok
08:44:27.0250 0732 dpti2o - ok
08:44:27.0578 0732 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:44:27.0593 0732 drmkaud - ok
08:44:28.0015 0732 emusba10 (0407b78faaa9437ffccd6c393d483309) C:\WINDOWS\system32\DRIVERS\emusba10.sys
08:44:28.0093 0732 emusba10 - ok
08:44:28.0375 0732 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
08:44:28.0437 0732 exFat - ok
08:44:28.0796 0732 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:44:28.0875 0732 Fastfat - ok
08:44:29.0203 0732 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:44:29.0218 0732 Fdc - ok
08:44:29.0546 0732 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:44:29.0546 0732 Fips - ok
08:44:29.0921 0732 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:44:29.0937 0732 Flpydisk - ok
08:44:30.0312 0732 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:44:30.0390 0732 FltMgr - ok
08:44:30.0703 0732 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:44:30.0718 0732 Fs_Rec - ok
08:44:30.0984 0732 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:44:31.0046 0732 Ftdisk - ok
08:44:31.0468 0732 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:44:31.0468 0732 Gpc - ok
08:44:31.0812 0732 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:44:31.0890 0732 HDAudBus - ok
08:44:32.0203 0732 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:44:32.0203 0732 hidusb - ok
08:44:32.0343 0732 hpn - ok
08:44:32.0500 0732 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
08:44:32.0578 0732 HTTP - ok
08:44:32.0781 0732 i2omgmt - ok
08:44:32.0921 0732 i2omp - ok
08:44:33.0140 0732 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
08:44:33.0140 0732 i8042prt - ok
08:44:33.0421 0732 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:44:33.0468 0732 Imapi - ok
08:44:33.0625 0732 ini910u - ok
08:44:34.0296 0732 IntcAzAudAddService (14b48553be78472d2bd3a518658a1710) C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:44:35.0765 0732 IntcAzAudAddService - ok
08:44:36.0031 0732 IntelIde - ok
08:44:36.0375 0732 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:44:36.0390 0732 Ip6Fw - ok
08:44:36.0671 0732 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:44:36.0671 0732 IpFilterDriver - ok
08:44:36.0921 0732 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:44:36.0921 0732 IpInIp - ok
08:44:37.0234 0732 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:44:37.0359 0732 IpNat - ok
08:44:37.0656 0732 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:44:37.0671 0732 IPSec - ok
08:44:37.0921 0732 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:44:37.0937 0732 IRENUM - ok
08:44:38.0250 0732 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:44:38.0265 0732 isapnp - ok
08:44:38.0812 0732 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:44:38.0843 0732 Kbdclass - ok
08:44:39.0171 0732 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
08:44:39.0187 0732 kbdhid - ok
08:44:39.0656 0732 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:44:39.0671 0732 kmixer - ok
08:44:39.0875 0732 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
08:44:39.0875 0732 KSecDD - ok
08:44:40.0093 0732 lbrtfdc - ok
08:44:40.0312 0732 mcdbus - ok
08:44:40.0671 0732 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:44:40.0687 0732 Modem - ok
08:44:41.0234 0732 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:44:41.0234 0732 Mouclass - ok
08:44:41.0843 0732 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:44:41.0843 0732 mouhid - ok
08:44:42.0484 0732 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
08:44:42.0500 0732 MountMgr - ok
08:44:42.0953 0732 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
08:44:42.0968 0732 MPE - ok
08:44:43.0078 0732 mraid35x - ok
08:44:43.0187 0732 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:44:43.0203 0732 MRxDAV - ok
08:44:43.0468 0732 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:44:43.0640 0732 MRxSmb - ok
08:44:43.0968 0732 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:44:43.0968 0732 Msfs - ok
08:44:44.0109 0732 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:44:44.0109 0732 MSKSSRV - ok
08:44:44.0265 0732 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:44:44.0265 0732 MSPCLOCK - ok
08:44:44.0546 0732 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:44:44.0546 0732 MSPQM - ok
08:44:44.0703 0732 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:44:44.0703 0732 mssmbios - ok
08:44:44.0859 0732 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:44:44.0859 0732 MSTEE - ok
08:44:44.0984 0732 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
08:44:44.0984 0732 Mup - ok
08:44:45.0093 0732 mv61xxmm (354a04bf1603cb4b07346c470ea52e73) C:\WINDOWS\system32\drivers\mv61xxmm.sys
08:44:45.0109 0732 mv61xxmm - ok
08:44:45.0218 0732 mvxxmm (cfef13ba3dc5c6001d2066d3a596cd1b) C:\WINDOWS\system32\drivers\mvxxmm.sys
08:44:45.0234 0732 mvxxmm - ok
08:44:45.0421 0732 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:44:45.0421 0732 NABTSFEC - ok
08:44:45.0734 0732 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:44:45.0750 0732 NDIS - ok
08:44:46.0000 0732 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:44:46.0000 0732 NdisIP - ok
08:44:46.0125 0732 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:44:46.0125 0732 NdisTapi - ok
08:44:46.0703 0732 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:44:46.0718 0732 Ndisuio - ok
08:44:47.0218 0732 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:44:47.0250 0732 NdisWan - ok
08:44:47.0656 0732 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:44:47.0687 0732 NDProxy - ok
08:44:48.0015 0732 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:44:48.0046 0732 NetBIOS - ok
08:44:48.0546 0732 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:44:48.0593 0732 NetBT - ok
08:44:48.0968 0732 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:44:49.0000 0732 Npfs - ok
08:44:49.0468 0732 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
08:44:49.0593 0732 Ntfs - ok
08:44:50.0062 0732 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:44:50.0062 0732 Null - ok
08:44:51.0796 0732 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
08:44:52.0046 0732 nv - ok
08:44:52.0390 0732 nvatabus (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\drivers\nvatabus.sys
08:44:52.0421 0732 nvatabus - ok
08:44:52.0671 0732 NVENETFD (fb571595404ffdc5006540cffcfa88e4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
08:44:52.0671 0732 NVENETFD - ok
08:44:52.0859 0732 nvgts (52dce3b30c9d61c8e20fe3c6da4bdfb7) C:\WINDOWS\system32\DRIVERS\nvgts.sys
08:44:52.0859 0732 nvgts - ok
08:44:53.0031 0732 nvnetbus (c529b614ef88be0f62b886c67b516550) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
08:44:53.0046 0732 nvnetbus - ok
08:44:53.0250 0732 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
08:44:53.0265 0732 Parport - ok
08:44:53.0765 0732 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:44:53.0781 0732 PartMgr - ok
08:44:54.0156 0732 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:44:54.0156 0732 ParVdm - ok
08:44:54.0375 0732 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:44:54.0390 0732 PCI - ok
08:44:54.0500 0732 PCIDump - ok
08:44:54.0671 0732 PCIIde - ok
08:44:54.0937 0732 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:44:55.0031 0732 Pcmcia - ok
08:44:55.0234 0732 perc2 - ok
08:44:55.0437 0732 perc2hib - ok
08:44:55.0812 0732 pfc (f2b3785d7282bac66d4b644fc88749f0) C:\WINDOWS\system32\drivers\pfc.sys
08:44:55.0843 0732 pfc - ok
08:44:56.0140 0732 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:44:56.0203 0732 PptpMiniport - ok
08:44:56.0593 0732 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:44:56.0625 0732 Ptilink - ok
08:44:57.0000 0732 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:44:57.0062 0732 PxHelp20 - ok
08:44:57.0265 0732 ql1080 - ok
08:44:57.0421 0732 Ql10wnt - ok
08:44:57.0515 0732 ql12160 - ok
08:44:57.0687 0732 ql1240 - ok
08:44:57.0796 0732 ql1280 - ok
08:44:58.0140 0732 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:44:58.0140 0732 RasAcd - ok
08:44:58.0593 0732 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:44:58.0625 0732 Rasl2tp - ok
08:44:59.0125 0732 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:44:59.0203 0732 RasPppoe - ok
08:44:59.0671 0732 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:44:59.0671 0732 Raspti - ok
08:45:00.0046 0732 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:45:00.0109 0732 Rdbss - ok
08:45:00.0671 0732 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:45:00.0703 0732 redbook - ok
08:45:00.0953 0732 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
08:45:00.0953 0732 rspndr - ok
08:45:01.0453 0732 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:45:01.0453 0732 Secdrv - ok
08:45:01.0765 0732 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
08:45:01.0796 0732 Serial - ok
08:45:02.0062 0732 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:45:02.0109 0732 Sfloppy - ok
08:45:02.0390 0732 Simbad - ok
08:45:02.0828 0732 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:45:02.0828 0732 SLIP - ok
08:45:03.0125 0732 Sparrow - ok
08:45:03.0656 0732 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:45:03.0671 0732 splitter - ok
08:45:04.0078 0732 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
08:45:04.0156 0732 Srv - ok
08:45:04.0843 0732 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:45:04.0859 0732 streamip - ok
08:45:05.0281 0732 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:45:05.0296 0732 swenum - ok
08:45:06.0000 0732 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:45:06.0015 0732 swmidi - ok
08:45:06.0218 0732 symc810 - ok
08:45:06.0421 0732 symc8xx - ok
08:45:06.0781 0732 sym_hi - ok
08:45:07.0062 0732 sym_u3 - ok
08:45:07.0671 0732 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:45:07.0890 0732 sysaudio - ok
08:45:08.0093 0732 Tcpip (ea22da5c7ae7192a12e37a7c546220c6) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:45:08.0109 0732 Tcpip - ok
08:45:08.0296 0732 TosIde - ok
08:45:08.0515 0732 U6000ALL (299bad34371d9ddd624f1de84d893e87) C:\WINDOWS\system32\DRIVERS\dmdcap.sys
08:45:08.0531 0732 U6000ALL - ok
08:45:08.0750 0732 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:45:09.0031 0732 Udfs - ok
08:45:09.0187 0732 ultra - ok
08:45:09.0437 0732 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:45:09.0437 0732 Update - ok
08:45:09.0625 0732 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
08:45:09.0640 0732 usbaudio - ok
08:45:09.0828 0732 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:45:09.0843 0732 usbccgp - ok
08:45:10.0078 0732 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:45:10.0109 0732 usbehci - ok
08:45:10.0750 0732 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:45:10.0765 0732 usbhub - ok
08:45:10.0906 0732 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys
08:45:10.0921 0732 usbohci - ok
08:45:11.0156 0732 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:45:11.0171 0732 usbscan - ok
08:45:11.0359 0732 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:45:11.0359 0732 usbstor - ok
08:45:11.0578 0732 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:45:11.0578 0732 VgaSave - ok
08:45:11.0718 0732 ViaIde - ok
08:45:11.0937 0732 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:45:11.0953 0732 VolSnap - ok
08:45:12.0250 0732 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:45:12.0250 0732 Wanarp - ok
08:45:12.0515 0732 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:45:12.0531 0732 wdmaud - ok
08:45:12.0843 0732 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:45:12.0843 0732 WSTCODEC - ok
08:45:13.0125 0732 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:45:13.0140 0732 WudfPf - ok
08:45:13.0328 0732 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:45:13.0359 0732 WudfRd - ok
08:45:13.0421 0732 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:45:19.0515 0732 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:45:19.0515 0732 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:45:19.0578 0732 Boot (0x1200) (a51770542c70a746038bc75266b1164e) \Device\Harddisk0\DR0\Partition0
08:45:19.0703 0732 \Device\Harddisk0\DR0\Partition0 - ok
08:45:19.0750 0732 Boot (0x1200) (4ca51e52383d4fdedc52e1dfcc01ea62) \Device\Harddisk0\DR0\Partition1
08:45:19.0875 0732 \Device\Harddisk0\DR0\Partition1 - ok
08:45:19.0875 0732 ============================================================
08:45:19.0875 0732 Scan finished
08:45:19.0875 0732 ============================================================
08:45:19.0890 2140 Detected object count: 2
08:45:19.0890 2140 Actual detected object count: 2
08:45:28.0359 2140 AFD ( Virus.Win32.ZAccess.c ) - skipped by user
08:45:28.0359 2140 AFD ( Virus.Win32.ZAccess.c ) - User select action: Skip
08:45:28.0359 2140 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
08:45:28.0359 2140 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
08:45:49.0640 1612 Deinitialize success

Attached Files

  • Attached File  MBR.zip   511bytes   0 downloads


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 PM

Posted 13 March 2012 - 06:27 PM

Hi

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



NEXT


Please re-run TDSSKiller:

  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
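The TDSSKiller log posted above ends with two detections (the AFD entry flagged as Virus.Win32.ZAccess.c and the TDSS File System on \Device\Harddisk0\DR0) that were both left at "Skip", which is exactly why the re-run with "Detect TDLFS File System" and Cure/Delete selected is being requested. When triaging logs like this it helps to have a script that pulls out every detection and its final action rather than reading hundreds of "- ok" lines by eye. The following is an added example written for this thread, not part of the thread or of TDSSKiller itself; it relies only on the line layout visible in the logs above (`<time> <thread> <message>`, with detections reported as `<object> ( <threat> ) - <outcome>`). The first sample is assembled from lines quoted above; the second "after re-run" sample is constructed to show what a resolved detection looks like, and its wording is an assumption.

```python
"""Triage a TDSSKiller log: list each detection and whether it was left unresolved.

Added example for this thread; not TDSSKiller's own code. It relies only on the
line format visible in the posted logs: '<time> <thread> <message>', with
detections reported as '<object> ( <threat> ) - <outcome>'.
"""
import re

# Constructed sample: the detection lines quoted from the log above, plus two
# ordinary driver lines and the MBR line to show what must NOT be flagged.
SAMPLE_LOG = r"""
08:45:13.0328 0732 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:45:13.0359 0732 WudfRd - ok
08:45:13.0421 0732 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:45:19.0515 0732 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:45:19.0515 0732 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:45:19.0890 2140 Detected object count: 2
08:45:19.0890 2140 Actual detected object count: 2
08:45:28.0359 2140 AFD ( Virus.Win32.ZAccess.c ) - skipped by user
08:45:28.0359 2140 AFD ( Virus.Win32.ZAccess.c ) - User select action: Skip
08:45:28.0359 2140 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
08:45:28.0359 2140 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# Constructed sample of what a re-run should look like once Delete is chosen
# (assumed wording; only the 'User select action' form is taken from the thread).
CLEANED_LOG = r"""
09:01:00.0000 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:01:05.0000 1344 Actual detected object count: 1
09:01:09.0000 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
"""

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
DETECT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<threat>.+?) \) - (?P<outcome>.+)$")
ACTION_RE = re.compile(r"^User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Actual detected object count: (?P<n>\d+)$")


def _messages(log_text):
    """Yield the message part of every well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("msg")


def parse_detections(log_text):
    """Map (object, threat) -> action chosen for it, or None if none was recorded."""
    detections = {}
    for msg in _messages(log_text):
        d = DETECT_RE.match(msg)
        if not d:
            continue  # driver, MBR and status lines are not detections
        key = (d.group("obj"), d.group("threat"))
        outcome = d.group("outcome")
        a = ACTION_RE.match(outcome)
        if a:
            detections[key] = a.group("action")
        elif outcome == "skipped by user":
            detections[key] = "Skip"
        else:
            detections.setdefault(key, None)  # 'warning' etc.: seen, no action yet
    return detections


def reported_count(log_text):
    """The 'Actual detected object count' the tool prints, or None if absent."""
    count = None
    for msg in _messages(log_text):
        c = COUNT_RE.match(msg)
        if c:
            count = int(c.group("n"))
    return count


def unresolved(log_text):
    """Detections skipped or never acted on; these need the re-run with Cure/Delete."""
    return sorted(
        (obj, threat, action)
        for (obj, threat), action in parse_detections(log_text).items()
        if action in (None, "Skip")
    )


def triage(log_text):
    """Summary: detections parsed, count the tool claimed, and what is still open."""
    found = parse_detections(log_text)
    count = reported_count(log_text)
    return {
        "detections": len(found),
        "reported": count,
        "count_mismatch": count is not None and count != len(found),
        "unresolved": unresolved(log_text),
    }


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("after re-run", CLEANED_LOG)):
        summary = triage(log)
        print(f"{name}: {summary['detections']} detection(s), "
              f"{len(summary['unresolved'])} unresolved")
        for obj, threat, action in summary["unresolved"]:
            print(f"  {obj}  [{threat}]  action={action or 'none'}")
```

Run against the posted log this reports both detections as unresolved with action Skip; against the re-run sample it reports none. The `count_mismatch` field compares the tool's own "Actual detected object count" with what the parser found, so a log where the two disagree (a truncated paste, or a line format the regex does not know) is flagged instead of silently passing as clean.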


#5 matteo85

matteo85
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:08:30 PM

Posted 14 March 2012 - 07:57 AM

ComboFix 12-03-13.01 - Administrator 03/14/2012 8:37.1.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe
C:\install.exe
c:\windows\$NtUninstallKB40675$
c:\windows\$NtUninstallKB40675$\3872099060
c:\windows\$NtUninstallKB40675$\4090129705\@
c:\windows\$NtUninstallKB40675$\4090129705\cfg.ini
c:\windows\$NtUninstallKB40675$\4090129705\Desktop.ini
c:\windows\$NtUninstallKB40675$\4090129705\L\oouqdsls
c:\windows\$NtUninstallKB40675$\4090129705\oemid
c:\windows\$NtUninstallKB40675$\4090129705\U\00000001.@
c:\windows\$NtUninstallKB40675$\4090129705\U\00000002.@
c:\windows\$NtUninstallKB40675$\4090129705\U\00000004.@
c:\windows\$NtUninstallKB40675$\4090129705\U\80000000.@
c:\windows\$NtUninstallKB40675$\4090129705\U\80000004.@
c:\windows\$NtUninstallKB40675$\4090129705\U\80000032.@
c:\windows\$NtUninstallKB40675$\4090129705\version
c:\windows\svcs.exe
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\HpqRemHid.dll
c:\windows\system32\USB3Sw32.dll
c:\windows\XSxS
G:\autorun.inf
G:\Setup.exe
.
c:\windows\system32\srsvc.dll . . . is infected!!
.
c:\windows\system32\proquota.exe . . . is missing!!
.
c:\windows\system32\drivers\psched.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NETWORKLOG
-------\Service_NetworkLog
-------\Legacy_z800mgmt
-------\Service_z800mgmt
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-12 19:25 . 2012-03-12 19:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-12 13:21 . 2012-03-12 13:21 157184 ----a-w- c:\windows\system32\NEUSBw32.dll
2012-03-11 23:20 . 2012-03-11 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-11 23:20 . 2012-03-11 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-11 23:20 . 2012-03-11 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-11 23:20 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-11 18:34 . 2012-03-11 20:57 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 14:09 . 2012-03-11 14:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure
2012-03-11 14:09 . 2012-03-11 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2012-03-10 21:37 . 2012-03-10 21:37 -------- d-----w- C:\7bf16c882fee16eb472cde88
2012-03-09 03:53 . 2012-03-14 05:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-03-09 01:38 . 2012-03-09 01:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-03-05 20:18 . 2012-03-05 20:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\NVIDIA
2012-02-21 01:23 . 2012-02-21 01:23 -------- d-----w- c:\windows\system32\winrm
2012-02-21 01:23 . 2012-02-21 01:23 -------- d-----w- c:\windows\system32\GroupPolicy
2012-02-21 01:23 . 2012-02-21 01:23 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-02-21 01:22 . 2011-08-16 10:32 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-02-21 01:15 . 2012-02-21 01:15 -------- d-----w- c:\program files\Microsoft.NET
2012-02-21 00:59 . 2012-02-21 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2012-02-21 00:59 . 2012-02-21 00:59 -------- d-----w- c:\documents and settings\UpdatusUser
2012-02-21 00:59 . 2012-02-21 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2012-02-21 00:59 . 2011-10-08 04:50 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-21 00:59 . 2011-10-08 04:50 220992 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-21 00:59 . 2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-21 00:59 . 2011-10-08 04:50 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-21 00:59 . 2011-10-08 04:50 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2012-02-21 00:59 . 2011-10-08 04:50 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-21 00:58 . 2012-02-21 00:59 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-02-21 00:58 . 2012-02-21 00:59 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-02-21 00:58 . 2012-02-21 00:58 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-02-21 00:58 . 2011-10-08 04:50 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-21 00:58 . 2011-10-08 04:50 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-21 00:56 . 2012-02-21 00:56 -------- d-----w- C:\NVIDIA
2012-02-21 00:56 . 2011-11-16 14:20 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2012-02-21 00:56 . 2011-11-16 14:20 152064 ------w- c:\windows\system32\dllcache\schannel.dll
2012-02-21 00:56 . 2011-11-03 15:27 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-02-21 00:56 . 2011-11-03 15:27 1292288 ------w- c:\windows\system32\dllcache\quartz.dll
2012-02-21 00:56 . 2011-10-14 14:47 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-02-21 00:56 . 2011-10-14 14:47 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-02-21 00:56 . 2010-12-20 17:32 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2012-02-21 00:56 . 2011-11-25 21:56 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2012-02-21 00:56 . 2011-09-28 07:05 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2012-02-21 00:00 . 2011-04-21 13:52 105472 ------w- c:\windows\system32\dllcache\mup.sys
2012-02-21 00:00 . 2011-12-17 19:45 105984 ------w- c:\windows\system32\dllcache\url.dll
2012-02-20 23:59 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-02-20 21:35 . 2012-02-20 21:35 -------- d-----w- c:\windows\CleanMem
2012-02-20 21:35 . 2012-02-20 21:35 -------- d-----w- c:\program files\CleanMem
2012-02-20 18:00 . 2002-12-29 06:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2012-02-20 17:29 . 2012-02-20 17:29 -------- d-----w- c:\program files\RightMark
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-12 13:11 . 2011-03-19 14:48 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 23:13 . 2010-09-25 12:00 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-11 20:56 . 2010-09-25 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-11 20:38 . 2010-09-25 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-11 20:22 . 2010-09-25 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-02 20:42 . 2012-02-02 20:42 715038 ----a-w- c:\windows\unins000.exe
2012-01-12 16:54 . 2010-09-25 12:00 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:45 . 2011-03-19 18:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:45 . 2010-09-25 12:00 919552 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:45 . 2010-09-25 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:32 . 2010-09-25 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-03-05 15:59 . 2011-11-12 19:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[-] 2010-09-25 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
.
.
.
.
.
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\ctfmon.exe ... is missing !!
c:\windows\System32\srsvc.dll ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
c:\windows\System32\termsrv.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CleanMem Mini Monitor"="c:\program files\CleanMem\Mini_Monitor.exe" [2011-10-21 1327104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-09-25 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
E-MU USB Audio Application.lnk - c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe [2011-3-20 274432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 12:20 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25 1589208 ----a-w- c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-MU USB Audio Control Panel]
2007-11-26 19:03 274432 ------w- c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-10-08 04:50 16744256 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-10-08 04:50 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-02-03 13:32 18085888 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 18:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"YahooAUService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2010-06-24 28256]
R3 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-08 2253120]
R3 U6000ALL;HDTV110 TV Box(ALL);c:\windows\system32\DRIVERS\dmdcap.sys [2007-06-08 230784]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2010-09-25 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S0 mv61xxmm;mv61xxmm; [x]
S0 mvxxmm;mvxxmm; [x]
S2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe [2010-09-25 14336]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2010-06-24 28256]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys [2007-11-26 163352]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Sntnlusb
yediex
SED133x
epoxusdm
z800mgmt
QWAVE
tvichw32
SE2Cmdm
fah@c:+fah+fah-service+fah502-console.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2009-04-01 20:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pthm1l7i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NecUsb3Sevices - USB3Sw32.dll
Notify-USB3Sw32 - USB3Sw32.dll
SafeBoot-01190808.sys
SafeBoot-02630339.sys
SafeBoot-14661544.sys
SafeBoot-14960930.sys
SafeBoot-15579758.sys
SafeBoot-18496335.sys
SafeBoot-20138433.sys
SafeBoot-21465789.sys
SafeBoot-24064671.sys
SafeBoot-35531007.sys
SafeBoot-44379584.sys
SafeBoot-50638575.sys
SafeBoot-53610226.sys
SafeBoot-69209089.sys
SafeBoot-69699050.sys
SafeBoot-80193149.sys
SafeBoot-83448864.sys
SafeBoot-86999885.sys
SafeBoot-89181453.sys
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
MSConfigStartUp-Desktop Software - c:\program files\Common Files\SupportSoft\bin\bcont.exe
MSConfigStartUp-UpdatePDRShortCut - c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 08:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exFat]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fah@c:+fah+fah-service+fah502-console.exe]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-1767777339-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,74,f6,ec,e6,66,0c,4c,88,fd,98,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,74,f6,ec,e6,66,0c,4c,88,fd,98,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:4b,2d,72,8d,97,71,31,29,df,db,d6,0f,e5,d6,56,5c,6c,d3,f9,0a,ea,
31,ae,bc,a4,47,e5,09,5e,5e,fd,1c,60,62,7b,e0,cc,d7,7b,1e,06,c8,7e,19,17,e3,\
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="00029DFB4DC9971A"
"ScannerBuild"=dword:00001672
"ScannerVersionId"=dword:00001175
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000007
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|˙˙˙˙Ŕ•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:4b,2d,72,8d,97,71,31,29,df,db,d6,0f,e5,d6,56,5c,6c,d3,f9,0a,ea,
31,ae,bc,a4,47,e5,09,5e,5e,fd,1c,60,62,7b,e0,cc,d7,7b,1e,06,c8,7e,19,17,e3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(536)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-03-14 08:50:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 12:50
.
Pre-Run: 34,963,484,672 bytes free
Post-Run: 35,511,033,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - CAB6E73000850BF0D0FCF93B97D37A25

08:53:55.0015 1740 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
08:53:55.0312 1740 ============================================================
08:53:55.0312 1740 Current date / time: 2012/03/14 08:53:55.0312
08:53:55.0312 1740 SystemInfo:
08:53:55.0312 1740
08:53:55.0312 1740 OS Version: 5.1.2600 ServicePack: 3.0
08:53:55.0312 1740 Product type: Workstation
08:53:55.0312 1740 ComputerName: MATT-9A02033ADE
08:53:55.0312 1740 UserName: Administrator
08:53:55.0312 1740 Windows directory: C:\WINDOWS
08:53:55.0312 1740 System windows directory: C:\WINDOWS
08:53:55.0312 1740 Processor architecture: Intel x86
08:53:55.0312 1740 Number of processors: 1
08:53:55.0312 1740 Page size: 0x1000
08:53:55.0312 1740 Boot type: Normal boot
08:53:55.0312 1740 ============================================================
08:53:56.0781 1740 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
08:53:56.0781 1740 Drive \Device\Harddisk1\DR3 - Size: 0x7470C05C00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
08:53:56.0796 1740 \Device\Harddisk0\DR0:
08:53:56.0796 1740 MBR used
08:53:56.0796 1740 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x23C2F5E4
08:53:56.0796 1740 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x23C2F623, BlocksNum 0x17FE09E
08:53:56.0796 1740 \Device\Harddisk1\DR3:
08:53:56.0812 1740 MBR used
08:53:56.0812 1740 \Device\Harddisk1\DR3\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
08:53:57.0031 1740 Initialize success
08:53:57.0031 1740 ============================================================
08:54:42.0546 1344 ============================================================
08:54:42.0546 1344 Scan started
08:54:42.0546 1344 Mode: Manual; TDLFS;
08:54:42.0546 1344 ============================================================
08:54:44.0031 1344 Abiosdsk - ok
08:54:44.0109 1344 abp480n5 - ok
08:54:44.0218 1344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:54:44.0218 1344 ACPI - ok
08:54:44.0328 1344 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:54:44.0328 1344 ACPIEC - ok
08:54:44.0453 1344 adpu160m - ok
08:54:44.0593 1344 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:54:44.0593 1344 aec - ok
08:54:44.0718 1344 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
08:54:44.0718 1344 AFD - ok
08:54:44.0875 1344 AgereSoftModem (c6fa08a8cca9001f3197525b07331715) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
08:54:44.0906 1344 AgereSoftModem - ok
08:54:45.0000 1344 Aha154x - ok
08:54:45.0078 1344 aic78u2 - ok
08:54:45.0156 1344 aic78xx - ok
08:54:45.0234 1344 AliIde - ok
08:54:45.0328 1344 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
08:54:45.0328 1344 AmdK8 - ok
08:54:45.0406 1344 amsint - ok
08:54:45.0531 1344 appliand (05eda44c080ebaf758f8a318488ffd75) C:\WINDOWS\system32\DRIVERS\appliand.sys
08:54:45.0531 1344 appliand - ok
08:54:45.0531 1344 appliandMP (05eda44c080ebaf758f8a318488ffd75) C:\WINDOWS\system32\DRIVERS\appliand.sys
08:54:45.0531 1344 appliandMP - ok
08:54:45.0625 1344 asc - ok
08:54:45.0703 1344 asc3350p - ok
08:54:45.0781 1344 asc3550 - ok
08:54:45.0843 1344 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:54:45.0843 1344 AsyncMac - ok
08:54:45.0937 1344 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
08:54:45.0937 1344 atapi - ok
08:54:46.0015 1344 Atdisk - ok
08:54:46.0125 1344 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:54:46.0125 1344 Atmarpc - ok
08:54:46.0250 1344 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:54:46.0250 1344 audstub - ok
08:54:46.0328 1344 Beep - ok
08:54:46.0343 1344 catchme - ok
08:54:46.0390 1344 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:54:46.0390 1344 cbidf2k - ok
08:54:46.0515 1344 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:54:46.0515 1344 CCDECODE - ok
08:54:46.0593 1344 cd20xrnt - ok
08:54:46.0687 1344 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:54:46.0687 1344 Cdaudio - ok
08:54:46.0781 1344 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:54:46.0781 1344 Cdfs - ok
08:54:46.0906 1344 cdrbsdrv (9008ad94f28360a2f1409592bfc7acf7) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
08:54:46.0906 1344 cdrbsdrv - ok
08:54:47.0015 1344 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:54:47.0015 1344 Cdrom - ok
08:54:47.0093 1344 Changer - ok
08:54:47.0171 1344 CmdIde - ok
08:54:47.0250 1344 Cpqarray - ok
08:54:47.0328 1344 dac2w2k - ok
08:54:47.0421 1344 dac960nt - ok
08:54:47.0531 1344 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
08:54:47.0531 1344 Disk - ok
08:54:47.0656 1344 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:54:47.0656 1344 dmboot - ok
08:54:47.0781 1344 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:54:47.0781 1344 dmio - ok
08:54:47.0875 1344 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:54:47.0875 1344 dmload - ok
08:54:48.0000 1344 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:54:48.0000 1344 DMusic - ok
08:54:48.0093 1344 dpti2o - ok
08:54:48.0187 1344 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:54:48.0187 1344 drmkaud - ok
08:54:48.0312 1344 emusba10 (0407b78faaa9437ffccd6c393d483309) C:\WINDOWS\system32\DRIVERS\emusba10.sys
08:54:48.0312 1344 emusba10 - ok
08:54:48.0453 1344 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
08:54:48.0453 1344 exFat - ok
08:54:48.0578 1344 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:54:48.0578 1344 Fastfat - ok
08:54:48.0687 1344 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:54:48.0687 1344 Fdc - ok
08:54:48.0812 1344 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:54:48.0812 1344 Fips - ok
08:54:48.0921 1344 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:54:48.0921 1344 Flpydisk - ok
08:54:49.0031 1344 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:54:49.0031 1344 FltMgr - ok
08:54:49.0125 1344 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:54:49.0125 1344 Fs_Rec - ok
08:54:49.0234 1344 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:54:49.0234 1344 Ftdisk - ok
08:54:49.0359 1344 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:54:49.0359 1344 Gpc - ok
08:54:49.0468 1344 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:54:49.0468 1344 HDAudBus - ok
08:54:49.0593 1344 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:54:49.0593 1344 hidusb - ok
08:54:49.0671 1344 hpn - ok
08:54:49.0781 1344 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
08:54:49.0796 1344 HTTP - ok
08:54:49.0875 1344 i2omgmt - ok
08:54:49.0953 1344 i2omp - ok
08:54:50.0062 1344 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
08:54:50.0062 1344 i8042prt - ok
08:54:50.0171 1344 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:54:50.0171 1344 Imapi - ok
08:54:50.0250 1344 ini910u - ok
08:54:50.0437 1344 IntcAzAudAddService (14b48553be78472d2bd3a518658a1710) C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:54:50.0468 1344 IntcAzAudAddService - ok
08:54:50.0546 1344 IntelIde - ok
08:54:50.0671 1344 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:54:50.0671 1344 Ip6Fw - ok
08:54:50.0750 1344 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:54:50.0750 1344 IpFilterDriver - ok
08:54:50.0906 1344 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:54:50.0906 1344 IpInIp - ok
08:54:51.0015 1344 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:54:51.0015 1344 IpNat - ok
08:54:51.0125 1344 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:54:51.0125 1344 IPSec - ok
08:54:51.0234 1344 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:54:51.0234 1344 IRENUM - ok
08:54:51.0343 1344 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:54:51.0359 1344 isapnp - ok
08:54:51.0484 1344 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:54:51.0484 1344 Kbdclass - ok
08:54:51.0578 1344 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
08:54:51.0593 1344 kbdhid - ok
08:54:51.0687 1344 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:54:51.0703 1344 kmixer - ok
08:54:51.0796 1344 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
08:54:51.0796 1344 KSecDD - ok
08:54:51.0890 1344 lbrtfdc - ok
08:54:51.0968 1344 mcdbus - ok
08:54:52.0078 1344 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:54:52.0093 1344 Modem - ok
08:54:52.0203 1344 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:54:52.0203 1344 Mouclass - ok
08:54:52.0312 1344 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:54:52.0312 1344 mouhid - ok
08:54:52.0437 1344 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
08:54:52.0437 1344 MountMgr - ok
08:54:52.0562 1344 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
08:54:52.0562 1344 MPE - ok
08:54:52.0640 1344 mraid35x - ok
08:54:52.0750 1344 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:54:52.0750 1344 MRxDAV - ok
08:54:52.0859 1344 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:54:52.0875 1344 MRxSmb - ok
08:54:52.0984 1344 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:54:52.0984 1344 Msfs - ok
08:54:53.0093 1344 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:54:53.0093 1344 MSKSSRV - ok
08:54:53.0203 1344 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:54:53.0203 1344 MSPCLOCK - ok
08:54:53.0312 1344 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:54:53.0312 1344 MSPQM - ok
08:54:53.0468 1344 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:54:53.0468 1344 mssmbios - ok
08:54:53.0578 1344 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:54:53.0578 1344 MSTEE - ok
08:54:53.0687 1344 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
08:54:53.0687 1344 Mup - ok
08:54:53.0781 1344 mv61xxmm (354a04bf1603cb4b07346c470ea52e73) C:\WINDOWS\system32\drivers\mv61xxmm.sys
08:54:53.0781 1344 mv61xxmm - ok
08:54:53.0890 1344 mvxxmm (cfef13ba3dc5c6001d2066d3a596cd1b) C:\WINDOWS\system32\drivers\mvxxmm.sys
08:54:53.0890 1344 mvxxmm - ok
08:54:54.0015 1344 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:54:54.0015 1344 NABTSFEC - ok
08:54:54.0125 1344 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:54:54.0125 1344 NDIS - ok
08:54:54.0218 1344 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:54:54.0234 1344 NdisIP - ok
08:54:54.0328 1344 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:54:54.0343 1344 NdisTapi - ok
08:54:54.0468 1344 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:54:54.0468 1344 Ndisuio - ok
08:54:54.0562 1344 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:54:54.0578 1344 NdisWan - ok
08:54:54.0671 1344 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:54:54.0671 1344 NDProxy - ok
08:54:54.0781 1344 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:54:54.0781 1344 NetBIOS - ok
08:54:54.0890 1344 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:54:54.0906 1344 NetBT - ok
08:54:55.0031 1344 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:54:55.0031 1344 Npfs - ok
08:54:55.0140 1344 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
08:54:55.0140 1344 Ntfs - ok
08:54:55.0265 1344 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:54:55.0265 1344 Null - ok
08:54:55.0593 1344 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
08:54:55.0796 1344 nv - ok
08:54:55.0906 1344 nvatabus (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\drivers\nvatabus.sys
08:54:55.0921 1344 nvatabus - ok
08:54:56.0031 1344 NVENETFD (fb571595404ffdc5006540cffcfa88e4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
08:54:56.0031 1344 NVENETFD - ok
08:54:56.0125 1344 nvgts (52dce3b30c9d61c8e20fe3c6da4bdfb7) C:\WINDOWS\system32\DRIVERS\nvgts.sys
08:54:56.0140 1344 nvgts - ok
08:54:56.0234 1344 nvnetbus (c529b614ef88be0f62b886c67b516550) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
08:54:56.0234 1344 nvnetbus - ok
08:54:56.0359 1344 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
08:54:56.0359 1344 Parport - ok
08:54:56.0406 1344 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:54:56.0406 1344 PartMgr - ok
08:54:56.0531 1344 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:54:56.0531 1344 ParVdm - ok
08:54:56.0640 1344 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:54:56.0640 1344 PCI - ok
08:54:56.0718 1344 PCIDump - ok
08:54:56.0796 1344 PCIIde - ok
08:54:56.0843 1344 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:54:56.0843 1344 Pcmcia - ok
08:54:56.0921 1344 perc2 - ok
08:54:56.0984 1344 perc2hib - ok
08:54:57.0015 1344 pfc - ok
08:54:57.0062 1344 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:54:57.0078 1344 PptpMiniport - ok
08:54:57.0171 1344 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:54:57.0171 1344 Ptilink - ok
08:54:57.0234 1344 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:54:57.0234 1344 PxHelp20 - ok
08:54:57.0312 1344 ql1080 - ok
08:54:57.0375 1344 Ql10wnt - ok
08:54:57.0390 1344 ql12160 - ok
08:54:57.0406 1344 ql1240 - ok
08:54:57.0421 1344 ql1280 - ok
08:54:57.0453 1344 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:54:57.0453 1344 RasAcd - ok
08:54:57.0562 1344 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:54:57.0562 1344 Rasl2tp - ok
08:54:57.0671 1344 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:54:57.0671 1344 RasPppoe - ok
08:54:57.0750 1344 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:54:57.0750 1344 Raspti - ok
08:54:57.0843 1344 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:54:57.0843 1344 Rdbss - ok
08:54:57.0937 1344 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:54:57.0953 1344 redbook - ok
08:54:58.0078 1344 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
08:54:58.0078 1344 rspndr - ok
08:54:58.0203 1344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:54:58.0203 1344 Secdrv - ok
08:54:58.0312 1344 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
08:54:58.0312 1344 Serial - ok
08:54:58.0453 1344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:54:58.0453 1344 Sfloppy - ok
08:54:58.0531 1344 Simbad - ok
08:54:58.0656 1344 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:54:58.0656 1344 SLIP - ok
08:54:58.0734 1344 Sparrow - ok
08:54:58.0828 1344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:54:58.0828 1344 splitter - ok
08:54:58.0937 1344 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
08:54:58.0953 1344 Srv - ok
08:54:59.0078 1344 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:54:59.0078 1344 streamip - ok
08:54:59.0171 1344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:54:59.0171 1344 swenum - ok
08:54:59.0281 1344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:54:59.0281 1344 swmidi - ok
08:54:59.0375 1344 symc810 - ok
08:54:59.0453 1344 symc8xx - ok
08:54:59.0531 1344 sym_hi - ok
08:54:59.0609 1344 sym_u3 - ok
08:54:59.0718 1344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:54:59.0718 1344 sysaudio - ok
08:54:59.0828 1344 Tcpip (ea22da5c7ae7192a12e37a7c546220c6) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:54:59.0828 1344 Tcpip - ok
08:54:59.0906 1344 TosIde - ok
08:55:00.0031 1344 U6000ALL (299bad34371d9ddd624f1de84d893e87) C:\WINDOWS\system32\DRIVERS\dmdcap.sys
08:55:00.0031 1344 U6000ALL - ok
08:55:00.0140 1344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:55:00.0140 1344 Udfs - ok
08:55:00.0234 1344 ultra - ok
08:55:00.0343 1344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:55:00.0359 1344 Update - ok
08:55:00.0484 1344 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
08:55:00.0484 1344 usbaudio - ok
08:55:00.0593 1344 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:55:00.0593 1344 usbccgp - ok
08:55:00.0687 1344 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:55:00.0687 1344 usbehci - ok
08:55:00.0843 1344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:55:00.0843 1344 usbhub - ok
08:55:00.0953 1344 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys
08:55:00.0953 1344 usbohci - ok
08:55:01.0062 1344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:55:01.0062 1344 usbscan - ok
08:55:01.0171 1344 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:55:01.0171 1344 usbstor - ok
08:55:01.0281 1344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:55:01.0281 1344 VgaSave - ok
08:55:01.0375 1344 ViaIde - ok
08:55:01.0468 1344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:55:01.0468 1344 VolSnap - ok
08:55:01.0593 1344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:55:01.0609 1344 Wanarp - ok
08:55:01.0703 1344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:55:01.0703 1344 wdmaud - ok
08:55:01.0859 1344 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
08:55:01.0859 1344 WS2IFSL - ok
08:55:01.0968 1344 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:55:01.0968 1344 WSTCODEC - ok
08:55:02.0078 1344 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:55:02.0078 1344 WudfPf - ok
08:55:02.0187 1344 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:55:02.0187 1344 WudfRd - ok
08:55:02.0234 1344 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:55:02.0421 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:55:02.0421 1344 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:55:02.0437 1344 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
08:55:02.0531 1344 \Device\Harddisk1\DR3 - ok
08:55:02.0562 1344 Boot (0x1200) (a51770542c70a746038bc75266b1164e) \Device\Harddisk0\DR0\Partition0
08:55:02.0562 1344 \Device\Harddisk0\DR0\Partition0 - ok
08:55:02.0609 1344 Boot (0x1200) (4ca51e52383d4fdedc52e1dfcc01ea62) \Device\Harddisk0\DR0\Partition1
08:55:02.0609 1344 \Device\Harddisk0\DR0\Partition1 - ok
08:55:02.0609 1344 Boot (0x1200) (3fb980f8ae531f721235ef152485d7be) \Device\Harddisk1\DR3\Partition0
08:55:02.0609 1344 \Device\Harddisk1\DR3\Partition0 - ok
08:55:02.0609 1344 ============================================================
08:55:02.0609 1344 Scan finished
08:55:02.0609 1344 ============================================================
08:55:02.0625 1632 Detected object count: 1
08:55:02.0625 1632 Actual detected object count: 1
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS - deleted
08:55:42.0890 1632 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
08:56:04.0046 0940 Deinitialize success



Thank you. Here are both of the logs as requested.
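The TDSSKiller log above is long, and the lines that matter (the TDLFS detection, what was copied to quarantine, the MBR and boot-sector hashes) are easy to lose among the driver entries. The parser below is an added example for readers of this thread; it is not part of the original posts and not Kaspersky's code. It only knows the line shapes that actually appear in the log: "<driver> (<md5>) <path>", "MBR (0x1B8) (<md5>) \Device\...", "Boot (0x1200) (<md5>) \Device\...\PartitionN", the "- warning" / "- detected" / "User select action" lines, and the "copied to quarantine" / "deleted" lines. The sample input is an excerpt of the log posted above, trimmed to the lines the parser needs.

```python
"""Triage helper for TDSSKiller scan logs.

Added example for this thread; it is not part of the original posts and not
Kaspersky's code. It only understands the line shapes visible in the log above.
"""
import re
from typing import Dict, List, Tuple

# Every log line is "HH:MM:SS.mmmm TID message"; only the message varies.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d{4})\s+(?P<msg>.*)$")
# "<service> (<md5>) <image path>": a driver whose image file was hashed
DRIVER_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>[A-Za-z]:\\.+)$")
# "MBR (0x1B8) (<md5>) \Device\..." or "Boot (0x1200) (<md5>) \Device\...\PartitionN"
SECTOR_RE = re.compile(r"^(?P<kind>MBR|Boot)\s+\((?P<size>0x[0-9A-Fa-f]+)\)\s+"
                       r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<dev>\\Device\\.+)$")
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<what>.+?) \((?P<count>\d+)\)$")
WARN_RE = re.compile(r"^(?P<obj>.+?) \( (?P<what>.+?) \) - warning$")
ACTION_RE = re.compile(r"^(?P<obj>.+?) \( (?P<what>.+?) \) - User select action: (?P<action>\w+)$")
QUAR_RE = re.compile(r"^(?P<path>.+?) - copied to quarantine$")
DELETED_RE = re.compile(r"^(?P<path>.+?) - deleted$")

# Excerpt of the log posted above (constructed input for this example).
SAMPLE_LOG = r"""
08:54:44.0218 1344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:54:44.0218 1344 ACPI - ok
08:54:59.0828 1344 Tcpip (ea22da5c7ae7192a12e37a7c546220c6) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:54:59.0828 1344 Tcpip - ok
08:55:02.0234 1344 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:55:02.0421 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:55:02.0421 1344 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:55:02.0437 1344 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
08:55:02.0531 1344 \Device\Harddisk1\DR3 - ok
08:55:02.0562 1344 Boot (0x1200) (a51770542c70a746038bc75266b1164e) \Device\Harddisk0\DR0\Partition0
08:55:02.0609 1344 Boot (0x1200) (4ca51e52383d4fdedc52e1dfcc01ea62) \Device\Harddisk0\DR0\Partition1
08:55:02.0609 1344 Boot (0x1200) (3fb980f8ae531f721235ef152485d7be) \Device\Harddisk1\DR3\Partition0
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
08:55:42.0890 1632 \Device\Harddisk0\DR0\TDLFS - deleted
08:55:42.0890 1632 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
"""


def triage(log_text: str) -> Dict[str, object]:
    """Parse a TDSSKiller log into the pieces an analyst reads first."""
    drivers: Dict[str, Tuple[str, str]] = {}
    sectors: List[Tuple[str, str, str, int]] = []
    detections, warnings, actions, quarantined, deleted = [], [], [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, blank lines, banners
        msg = m.group("msg")
        if (d := DRIVER_RE.match(msg)):
            drivers[d["name"]] = (d["md5"], d["path"])
        elif (s := SECTOR_RE.match(msg)):
            sectors.append((s["kind"], s["dev"], s["md5"], int(s["size"], 16)))
        elif (x := DETECT_RE.match(msg)):
            detections.append((x["obj"], x["what"], int(x["count"])))
        elif (w := WARN_RE.match(msg)):
            warnings.append((w["obj"], w["what"]))
        elif (a := ACTION_RE.match(msg)):
            actions.append((a["obj"], a["what"], a["action"]))
        elif (q := QUAR_RE.match(msg)):
            quarantined.append(q["path"])
        elif (z := DELETED_RE.match(msg)):
            deleted.append(z["path"])
    # Same sector hash on more than one device is worth seeing, but read the note below.
    by_hash: Dict[Tuple[str, str], List[str]] = {}
    for kind, dev, md5, _size in sectors:
        by_hash.setdefault((kind, md5), []).append(dev)
    shared = {k: v for k, v in by_hash.items() if len(v) > 1}
    return {"drivers": drivers, "sectors": sectors, "detections": detections,
            "warnings": warnings, "actions": actions, "quarantined": quarantined,
            "deleted": deleted, "shared_sector_hashes": shared}


def summarize(result: Dict[str, object]) -> List[str]:
    """Render the findings as short lines, detections first."""
    out = [f"detected: {what} on {obj} ({n} object(s))" for obj, what, n in result["detections"]]
    out += [f"action: {act} on {obj} ({what})" for obj, what, act in result["actions"]]
    out += [f"quarantined: {p}" for p in result["quarantined"]]
    out += [f"{kind} hash {md5[:8]}... shared by {', '.join(devs)}"
            for (kind, md5), devs in result["shared_sector_hashes"].items()]
    out.append(f"{len(result['drivers'])} driver image(s) hashed")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

One reading aid for the MBR lines: the size in parentheses, 0x1B8, is 440 bytes, which is the bootstrap code area of the MBR before the disk signature and the partition table. Two disks carrying the same standard boot code therefore produce the same MBR hash, as Harddisk0 and Harddisk1 do in this log, and that on its own is not a finding. The detection here is reported against the device object, and the quarantine lines name the files inside the hidden TDLFS file system (config.ini, tdl, rsrc.dat, tdlcmd.dll), which is where the useful evidence is.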

#6 CatByte
  • Malware Response Team

Posted 14 March 2012 - 05:02 PM

Hi,

We need to look for some file replacements

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *srsvc*
    *proquota*
    *psched*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
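The manual equivalent of the two checks CatByte is running, as an added example for readers of this thread (it is not part of the original posts, not SystemLook and not ComboFix): a case-insensitive wildcard search over a directory tree, which is what the :filefind lines above ask SystemLook to do, followed by a hash comparison of every file in system32\dllcache against its live copy in system32 or system32\drivers, which is the kind of "file replacement" check that reports a system file as patched or missing. The tree it inspects is constructed inside a temporary folder (one patched DLL, one EXE whose live copy is gone, one intact driver) so nothing is read from a real Windows install; the file names are the three from the codebox above plus tcpip.sys.

```python
"""Manual 'file replacement' check: wildcard search plus dllcache comparison.

Added example for this thread; not SystemLook, not ComboFix. The tree it
inspects is constructed in a temp directory, not read from a real Windows install.
"""
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

TARGET_PATTERNS = ["*srsvc*", "*proquota*", "*psched*"]  # the three from the :filefind above


def filefind(root: Path, patterns: List[str]) -> Dict[str, List[str]]:
    """Case-insensitive wildcard search over a tree; pattern -> sorted relative paths.
    Windows file names are case-insensitive, so both sides are lowercased."""
    hits: Dict[str, List[str]] = {p: [] for p in patterns}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for pat in patterns:
                if fnmatch.fnmatchcase(name.lower(), pat.lower()):
                    hits[pat].append(Path(dirpath, name).relative_to(root).as_posix())
    return {p: sorted(v) for p, v in hits.items()}


def md5_of(path: Path) -> str:
    """MD5 only because that is the fingerprint the logs in this thread print;
    this is an identity check against the cache copy, not a security guarantee."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(system32: Path) -> Dict[str, str]:
    """For each file kept in system32/dllcache, find the live copy (system32
    itself or system32/drivers) and classify it: match, differs, or missing."""
    cache = system32 / "dllcache"
    report: Dict[str, str] = {}
    for cached in sorted(p for p in cache.iterdir() if p.is_file()):
        candidates = [system32 / cached.name, system32 / "drivers" / cached.name]
        live = next((c for c in candidates if c.is_file()), None)
        if live is None:
            report[cached.name] = "missing"
        elif md5_of(live) == md5_of(cached):
            report[cached.name] = "match"
        else:
            report[cached.name] = "differs"
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed stand-in for C:\\WINDOWS\\system32 (sample data, not the
    poster's machine): one patched DLL, one missing EXE, one intact driver."""
    s32 = base / "WINDOWS" / "system32"
    (s32 / "drivers").mkdir(parents=True)
    (s32 / "dllcache").mkdir()
    (s32 / "dllcache" / "srsvc.dll").write_bytes(b"MZ srsvc original")
    (s32 / "srsvc.dll").write_bytes(b"MZ srsvc original" + b"\x90" * 16)  # live copy patched
    (s32 / "dllcache" / "proquota.exe").write_bytes(b"MZ proquota original")  # live copy gone
    (s32 / "dllcache" / "tcpip.sys").write_bytes(b"MZ tcpip")
    (s32 / "drivers" / "tcpip.sys").write_bytes(b"MZ tcpip")  # identical, as it should be
    return s32


def demo() -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Run both checks on the constructed tree and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = build_sample_tree(Path(tmp))
        found = filefind(Path(tmp), TARGET_PATTERNS)
        status = compare_with_dllcache(s32)
    return found, status


if __name__ == "__main__":
    found, status = demo()
    for pat, paths in found.items():
        print(f"{pat}: {paths or 'No files found.'}")
    for name, state in status.items():
        print(f"{name}: {state}")
```

A caveat before reading a "differs" result as an infection: the live file and the dllcache copy only have to hash the same when they are the same version. The Sigcheck section of the ComboFix log further down this thread shows the benign case, tcpip.sys at 5.1.2600.6009 in system32 against 5.1.2600.5625 in dllcache, where the hashes differ because of a hotfix rather than tampering. Compare file versions (and the Authenticode signature, for files that ship signed) before calling a mismatch a patch; a "missing" result for a file Windows itself installs, such as proquota.exe or psched.sys, is the more direct signal.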


#7 matteo85
  • Topic Starter
  • Members

Posted 15 March 2012 - 08:58 AM

Here is that...thank you once again

SystemLook 30.07.11 by jpshortstuff
Log created at 09:13 on 15/03/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*srsvc*"
No files found.

Searching for "*proquota*"
No files found.

Searching for "*psched*"
No files found.

-= EOF =-

#8 CatByte
  • Malware Response Team

Posted 15 March 2012 - 02:11 PM

Please re-run ComboFix and allow it to update if it asks to do so, then post the resulting log.



#9 matteo85
  • Topic Starter
  • Members

Posted 15 March 2012 - 03:37 PM

ComboFix 12-03-13.01 - Administrator 03/15/2012 16:28:12.2.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\srsvc.dll . . . is infected!!
.
c:\windows\system32\proquota.exe . . . is missing!!
.
c:\windows\system32\drivers\psched.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 )))))))))))))))))))))))))))))))
.
.
2012-03-12 19:25 . 2012-03-12 19:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-12 13:21 . 2012-03-12 13:21 157184 ----a-w- c:\windows\system32\NEUSBw32.dll
2012-03-11 23:20 . 2012-03-11 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-11 23:20 . 2012-03-11 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-11 23:20 . 2012-03-11 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-11 23:20 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-11 18:34 . 2012-03-14 12:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-11 14:09 . 2012-03-11 14:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\f-secure
2012-03-11 14:09 . 2012-03-11 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2012-03-10 21:37 . 2012-03-10 21:37 -------- d-----w- C:\7bf16c882fee16eb472cde88
2012-03-09 03:53 . 2012-03-14 05:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-03-09 01:38 . 2012-03-09 01:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-03-05 20:18 . 2012-03-05 20:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\NVIDIA
2012-02-21 01:23 . 2012-02-21 01:23 -------- d-----w- c:\windows\system32\winrm
2012-02-21 01:23 . 2012-02-21 01:23 -------- d-----w- c:\windows\system32\GroupPolicy
2012-02-21 01:23 . 2012-02-21 01:23 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-02-21 01:22 . 2011-08-16 10:32 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-02-21 01:15 . 2012-02-21 01:15 -------- d-----w- c:\program files\Microsoft.NET
2012-02-21 00:59 . 2012-02-21 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2012-02-21 00:59 . 2012-02-21 00:59 -------- d-----w- c:\documents and settings\UpdatusUser
2012-02-21 00:59 . 2012-02-21 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2012-02-21 00:59 . 2011-10-08 04:50 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2012-02-21 00:59 . 2011-10-08 04:50 220992 ----a-w- c:\windows\system32\nvcolor.exe
2012-02-21 00:59 . 2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-21 00:59 . 2011-10-08 04:50 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-21 00:59 . 2011-10-08 04:50 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2012-02-21 00:59 . 2011-10-08 04:50 54272 ----a-w- c:\windows\system32\nvwddi.dll
2012-02-21 00:58 . 2012-02-21 00:59 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-02-21 00:58 . 2012-02-21 00:59 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-02-21 00:58 . 2012-02-21 00:58 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-02-21 00:58 . 2011-10-08 04:50 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-21 00:58 . 2011-10-08 04:50 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-21 00:56 . 2012-02-21 00:56 -------- d-----w- C:\NVIDIA
2012-02-21 00:56 . 2011-11-16 14:20 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2012-02-21 00:56 . 2011-11-16 14:20 152064 ------w- c:\windows\system32\dllcache\schannel.dll
2012-02-21 00:56 . 2011-11-03 15:27 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-02-21 00:56 . 2011-11-03 15:27 1292288 ------w- c:\windows\system32\dllcache\quartz.dll
2012-02-21 00:56 . 2011-10-14 14:47 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-02-21 00:56 . 2011-10-14 14:47 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-02-21 00:56 . 2010-12-20 17:32 551936 ------w- c:\windows\system32\dllcache\oleaut32.dll
2012-02-21 00:56 . 2011-11-25 21:56 293376 ------w- c:\windows\system32\dllcache\winsrv.dll
2012-02-21 00:56 . 2011-09-28 07:05 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2012-02-21 00:00 . 2011-04-21 13:52 105472 ------w- c:\windows\system32\dllcache\mup.sys
2012-02-21 00:00 . 2011-12-17 19:45 105984 ------w- c:\windows\system32\dllcache\url.dll
2012-02-20 23:59 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-02-20 21:35 . 2012-02-20 21:35 -------- d-----w- c:\windows\CleanMem
2012-02-20 21:35 . 2012-02-20 21:35 -------- d-----w- c:\program files\CleanMem
2012-02-20 18:00 . 2002-12-29 06:14 81920 ----a-w- c:\windows\system32\Startup.cpl
2012-02-20 17:29 . 2012-02-20 17:29 -------- d-----w- c:\program files\RightMark
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-12 13:11 . 2011-03-19 14:48 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 23:13 . 2010-09-25 12:00 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-03-11 20:56 . 2010-09-25 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-11 20:38 . 2010-09-25 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-03-11 20:22 . 2010-09-25 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-02 20:42 . 2012-02-02 20:42 715038 ----a-w- c:\windows\unins000.exe
2012-01-12 16:54 . 2010-09-25 12:00 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:45 . 2011-03-19 18:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:45 . 2010-09-25 12:00 919552 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:45 . 2010-09-25 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-05 15:59 . 2011-11-12 19:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-09-25 . EA22DA5C7AE7192A12E37A7C546220C6 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2012-03-14_12.47.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-09-25 12:00 . 2012-03-14 12:49 66694 c:\windows\system32\perfc009.dat
+ 2010-09-25 12:00 . 2012-03-14 12:50 66694 c:\windows\system32\perfc009.dat
+ 2010-09-25 12:00 . 2012-03-14 12:50 438936 c:\windows\system32\perfh009.dat
- 2010-09-25 12:00 . 2012-03-14 12:49 438936 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CleanMem Mini Monitor"="c:\program files\CleanMem\Mini_Monitor.exe" [2011-10-21 1327104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-09-25 128512]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
E-MU USB Audio Application.lnk - c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe [2011-3-20 274432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 12:20 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25 1589208 ----a-w- c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-MU USB Audio Control Panel]
2007-11-26 19:03 274432 ------w- c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-10-08 04:50 16744256 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-10-08 04:50 203072 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2011-10-08 04:50 1632360 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-02-03 13:32 18085888 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 18:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"YahooAUService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2010-06-24 28256]
R3 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-08 2253120]
R3 U6000ALL;HDTV110 TV Box(ALL);c:\windows\system32\DRIVERS\dmdcap.sys [2007-06-08 230784]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2010-09-25 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S0 mv61xxmm;mv61xxmm; [x]
S0 mvxxmm;mvxxmm; [x]
S2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe [2010-09-25 14336]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2010-06-24 28256]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\DRIVERS\emusba10.sys [2007-11-26 163352]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 78163647
*Deregistered* - 78163647
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Sntnlusb
yediex
SED133x
epoxusdm
z800mgmt
QWAVE
tvichw32
SE2Cmdm
fah@c:+fah+fah-service+fah502-console.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-15 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2009-04-01 20:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pthm1l7i.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-15 16:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exFat]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fah@c:+fah+fah-service+fah502-console.exe]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-57989841-1767777339-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,74,f6,ec,e6,66,0c,4c,88,fd,98,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,77,74,f6,ec,e6,66,0c,4c,88,fd,98,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:4b,2d,72,8d,97,71,31,29,df,db,d6,0f,e5,d6,56,5c,6c,d3,f9,0a,ea,
31,ae,bc,a4,47,e5,09,5e,5e,fd,1c,60,62,7b,e0,cc,d7,7b,1e,06,c8,7e,19,17,e3,\
.
[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users\\Application Data\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:6090e758
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="00029DFB4DC9971A"
"ScannerBuild"=dword:00001672
"ScannerVersionId"=dword:00001175
"ScannerVersion"="Locked/open ESET for status."
"FixId"=dword:00000007
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|˙˙˙˙Ŕ•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:4b,2d,72,8d,97,71,31,29,df,db,d6,0f,e5,d6,56,5c,6c,d3,f9,0a,ea,
31,ae,bc,a4,47,e5,09,5e,5e,fd,1c,60,62,7b,e0,cc,d7,7b,1e,06,c8,7e,19,17,e3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3072)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-03-15 16:34:37
ComboFix-quarantined-files.txt 2012-03-15 20:34
ComboFix2.txt 2012-03-14 12:50
.
Pre-Run: 34,942,148,608 bytes free
Post-Run: 34,933,354,496 bytes free
.
- - End Of File - - D333E097E349032ADE3F56DD84D4EDF2
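
The log above is read by eye in this thread. As an added example (written for this page, not ComboFix's own code or any published format specification), the Python script below parses a constructed excerpt modelled on lines from the posted log and flags the configuration points a responder would check first: the firewall being switched off in the standard profile, firewall port exceptions, services whose image file is missing (`[x]`), and netsvcs group entries with no matching service listing. The line patterns, the severities and the sample text are the example's own assumptions.

```python
"""Triage a ComboFix-style log excerpt for common risk indicators (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: lines modelled on the ComboFix excerpt posted above.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2010-09-25 14336]
S0 mv61xxmm;mv61xxmm; [x]
S0 mvxxmm;mvxxmm; [x]
S2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Sntnlusb
yediex
fah@c:+fah+fah-service+fah502-console.exe
.
"""

# Assumed line shapes (from the excerpt): "R3 name;description;image [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
NETSVCS_HEADER = "svchost - netsvcs"


def parse_services(lines: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """Map lower-cased service name -> (start type, description, image path text)."""
    services: Dict[str, Tuple[str, str, str]] = {}
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, desc, image = m.groups()
            services[name.strip().lower()] = (start, desc.strip(), image.strip())
    return services


def parse_netsvcs(lines: List[str]) -> List[str]:
    """Collect names listed under the 'Svchost - NetSvcs' header up to the '.' separator."""
    names: List[str] = []
    capturing = False
    for line in lines:
        s = line.strip()
        if s.lower().endswith(NETSVCS_HEADER):
            capturing = True
            continue
        if capturing:
            if s in (".", ""):
                break
            names.append(s)
    return names


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severities are this example's own scale."""
    lines = log_text.splitlines()
    findings: List[Tuple[str, str]] = []
    section = ""
    for line in lines:
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()      # registry key header: remember which block we are in
            continue
        if s == ".":                  # ComboFix separates blocks with a lone dot
            section = ""
            continue
        if section.endswith("firewallpolicy\\standardprofile]"):
            m = FIREWALL_RE.match(s)
            if m and m.group(1) == "0":
                findings.append(("HIGH", "Windows Firewall is disabled in the standard profile (EnableFirewall=0)"))
        elif "globallyopenports" in section:
            m = PORT_RE.match(s)
            if m:
                port, scope, state, desc = m.groups()
                sev = "INFO" if state == "Disabled" else "MEDIUM"
                findings.append((sev, f"firewall port exception {port} ({desc}) scope={scope} state={state}"))
    services = parse_services(lines)
    for name, (start, desc, image) in services.items():
        if image == "[x]":
            findings.append(("MEDIUM", f"service '{name}' ({start}, {desc}) has no image file on disk"))
    for name in parse_netsvcs(lines):
        if name.lower() not in services:
            findings.append(("LOW", f"netsvcs entry '{name}' has no matching service listing; verify it is a leftover"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

A netsvcs name without a service listing is often just residue from an uninstalled driver, so the script rates it LOW and leaves the judgement to the responder; a disabled firewall profile, by contrast, is reported HIGH regardless of what else the log shows.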

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 15 March 2012 - 04:51 PM

Hi,

We still have some work to do. It appears as though there is still an active infection on your machine. I need to get another diagnostic log, though, before we move forward, so please do the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 matteo85

matteo85
  • Topic Starter

  • Members
  • 34 posts

Posted 15 March 2012 - 06:50 PM

This application has failed to start because dbgeng.dll was not found. Re-installing the application may fix this problem.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 15 March 2012 - 06:57 PM

Do you get that error when trying to run OTL?

Please download a fresh copy of OTL and try running it in safe mode

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account


NEXT


Please use SystemLook to search for that file


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *dbgeng*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
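
The two checks requested in this thread, the `/md5start ... /md5stop` hash list in the OTL custom scan and the `:filefind *dbgeng*` search in SystemLook, both come down to "is this system file present, and is it the file we expect?". As an added example (written for this page, not OTL's or SystemLook's own code), the Python below does both against a constructed temporary directory: it compares files to a baseline of expected digests, reporting `missing`, `mismatch` or `ok`, and runs a case-insensitive wildcard search over the tree. The directory layout, file contents and baseline values are constructed for the demo; on a real machine you would point `check_files` at the Windows directory and take the baseline from a known-clean installation of the same build.

```python
"""Presence and hash check for a list of system files (added example)."""
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def file_digest(path: str, algo: str = "md5") -> str:
    """Hex digest of a file, read in chunks. md5 matches what OTL reports; sha256 is preferable for a baseline."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(root: str, baseline: Dict[str, str], algo: str = "md5") -> List[Tuple[str, str, str]]:
    """For each baseline entry (relative path -> expected digest) return (path, status, actual digest).

    status is 'ok', 'missing' or 'mismatch'; a missing file is reported rather than raised,
    because an absent system file is itself a finding (compare the dbgeng.dll error above).
    """
    results: List[Tuple[str, str, str]] = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results.append((rel, "missing", ""))
            continue
        actual = file_digest(path, algo)
        results.append((rel, "ok" if actual == expected else "mismatch", actual))
    return results


def find_files(root: str, pattern: str) -> List[str]:
    """Case-insensitive wildcard search of file names under root (same idea as SystemLook's :filefind)."""
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), pattern.lower()):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo() -> dict:
    """Build a constructed mini system tree and run both checks; returns a summary dict."""
    root = tempfile.mkdtemp(prefix="sysfiles_")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    good = b"constructed explorer.exe stand-in"          # constructed content, not a real binary
    with open(os.path.join(sysdir, "explorer.exe"), "wb") as f:
        f.write(good)
    with open(os.path.join(sysdir, "svchost.exe"), "wb") as f:
        f.write(b"altered content")                       # deliberately differs from the baseline
    baseline = {                                          # constructed baseline digests
        "system32/explorer.exe": hashlib.md5(good).hexdigest(),
        "system32/svchost.exe": hashlib.md5(b"original svchost stand-in").hexdigest(),
        "system32/dbgeng.dll": hashlib.md5(b"never written to disk").hexdigest(),
    }
    results = check_files(root, baseline)
    return {
        "root": root,
        "status": {rel: status for rel, status, _ in results},
        "svchost_hits": find_files(root, "*svchost*"),
        "dbgeng_hits": find_files(root, "*dbgeng*"),
    }


if __name__ == "__main__":
    summary = demo()
    for rel, status in summary["status"].items():
        print(f"{status:9s} {rel}")
    print("dbgeng hits:", summary["dbgeng_hits"] or "none")
```

Run stand-alone it prints one line per baseline entry (`ok`, `mismatch`, `missing`) and then the search result for `*dbgeng*`, which is empty in the constructed tree just as it was on the machine in this thread.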


#13 matteo85

matteo85
  • Topic Starter

  • Members
  • 34 posts

Posted 15 March 2012 - 07:53 PM

Tried redownloading OTL in safe mode with networking...it gave the same error :(

SystemLook 30.07.11 by jpshortstuff
Log created at 20:52 on 15/03/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*dbgeng*"
No files found.

-= EOF =-

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 15 March 2012 - 08:22 PM

You have quite a few missing system files.

Do you have access to an installation disk so we can replace them?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 matteo85

matteo85
  • Topic Starter

  • Members
  • 34 posts

Posted 15 March 2012 - 08:41 PM

I do...I have the XP professional box with everything in it I believe...but of course I have no idea what to do lol

Edited by matteo85, 15 March 2012 - 09:15 PM.




