
2nd PC on home network still infected


  • This topic is locked
44 replies to this topic

#1 duffsparky

duffsparky

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 06 March 2012 - 04:41 PM

Gringo recently helped me sort out an infection on one of my home networked PCs. A second PC on the network is also infected(?) and Boopme has been trying to help but so far we haven't got very far because the %$*&^*%$ PC won't behave long enough; it either freezes or self-reboots.

I don't know if it is an indicator of the problem but the speed of the fan(s) in the machine keeps ramping up and down, so much so that I dismantled the whole thing this afternoon just in case the fan(s) (and maybe the other issues) were down to a bit of overheating due to dust etc. blockage. Cleaned out the dust from both CPU coolers and the power supply, also pulled off all connectors and reseated them just in case the probbo was a poor connection. After reassembling the PC I switched it on and booted it up with the following results:-

  • 1st boot - System froze at >>Edited at 00:44 Windows desktop login screen<<. Only option was to switch it off and start again.
  • 2nd boot - System booted into Windows waited a couple of minutes and rebooted itself.
  • 3rd boot - Same as 2nd boot.
  • 4th boot - Same as 2nd boot.
  • 5th boot - System booted into Windows, waited a couple of minutes but it did not reboot itself, so I started GMER, which ran for about 30 seconds then the PC froze. Only option was to switch it off and start again.
  • 6th boot - Same as 5th boot, only GMER ran for a couple of minutes then froze.
  • 7th boot - Same as 6th boot.
  • 8th boot - Gave up trying to run GMER and decided to transfer the dds logs from the Desktop to the other PC and send them to BC as requested, but no joy there either; after right-clicking the dds log file the PC froze.
  • 9th boot - Same as 8th boot.
  • 10th boot - Same as 8th boot.
  • 11th boot - Gave up right-clicking log files and opted to select them with a left click, then used Ctrl+C, changed folder to Shared Documents via Start -> My Computer -> left click Shared Documents from 'Other Places', and pasted the logs. Copied the logs across to the other PC via my network.


Frequently when I use the right-click mouse function, the window I am in freezes. Sometimes it is recoverable but most times not, and a cold reboot is the only option.

Dismantling the PC this afternoon and removing the dust and/or reseating all the connections seems to have sorted the fan(s) speed hunting issue, leastways for now.

Infected PC has frozen again whilst I wrote this message.

>>Edited on 07/3/12 at 00:44 and added -> Since first submitting the post the PC has been booting to the login screen, waiting for several minutes, then rebooting itself back to the login screen, waiting for several minutes, then rebooting itself back to the login screen again. This has happened at least 6 or 7 times; however, it is now frozen with the 'Microsoft Windows XP Professional' screen saver displayed, so I guess it didn't reboot itself this time (I'm not sure how long it has been frozen at this point, I was watching the TV).<<

>>>Edited on 07/3/12 at 01:34 Just restarted the PC with automatic restart disabled and got the following Stop error message while attempting to run GMER:-

***Stop: 0x000000D1 (0x00000060, 0x00000005, 0x00000000, 0xF74A36AB)
*** atapi.sys - Address F74A36AB base at F749B000, DateStamp 4802539d

Then did a bit of research and came across this article:-
Simple methods to deal with 0x000000d1 Atapi.sys error message <<<

>>>>Edited on 07/3/12 at 11:30. Restarted the machine this morning and logged in, started GMER which ran for a while, then the PC crashed with the following Stop error:-
PFN_LIST_CORRUPT etc etc
*** STOP: 0x0000004E (0x00000007, 0x00020892, 0x00000001, 0x00000000)<<<<


Below are the 2 dds logs for my HP xw6000.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_31
Run on (HP xw6000) by 3rdadmin at 15:52:38 on 2012-03-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.720 [GMT 0:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://download.bleepingcomputer.com/farbar/MiniToolBox.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: DataMngr: {7da17d5a-5718-4130-a605-fc316c827836} - c:\progra~1\search~1\datamngr\BROWSE~1.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
mRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\instal~1\micros~1\office11\REFIEBAR.DLL
Trusted Zone: eset.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\3rdadmin\application data\mozilla\firefox\profiles\ohwuiq1g.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: h:\program files\mozilla firefox 3 beta 3\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2007-1-5 30968]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-10 13496]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-8-5 233024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 uigcrdr;uigcrdr;c:\windows\system32\drivers\uigcrdr.SYS [2011-3-27 149120]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-11-12 27632]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-1-4 23456]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-8-1 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-8-1 8456]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-11-12 13224]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-5 40776]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1.tmp [2012-2-28 6144]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 ptiusbf;PTI USB Filter;c:\windows\system32\drivers\ptiusbf.sys [2001-4-14 22474]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2011-11-1 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2011-11-1 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2011-11-1 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2011-11-1 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2011-11-1 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2011-11-1 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2011-11-1 115752]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2011-2-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2011-2-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2011-2-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2011-2-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2011-2-23 98568]
S3 SIWIO;SIWIO;\??\h:\program files\siwio.sys --> h:\program files\SiwIo.sys [?]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [2010-8-9 5533]
.
=============== Created Last 30 ================
.
2012-03-06 13:28:11 -------- d-----w- c:\program files\Cobian Backup 10
2012-03-05 21:10:40 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-05 13:23:07 108 ----a-w- C:\gwap_fixdisks.cmd
2012-03-04 10:47:08 -------- d-----w- c:\program files\ESET
2012-03-03 21:02:42 -------- d-----w- c:\documents and settings\3rdadmin\local settings\application data\WMTools Downloaded Files
2012-03-03 15:09:35 -------- d-----w- c:\documents and settings\3rdadmin\local settings\application data\Temp
2012-03-03 15:09:35 -------- d-----w- c:\documents and settings\3rdadmin\local settings\application data\Adobe
2012-03-02 23:55:47 -------- d-----w- c:\documents and settings\3rdadmin\application data\SUPERAntiSpyware.com
2012-03-02 23:53:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-02 23:53:48 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-01 19:58:07 -------- d-----w- c:\documents and settings\3rdadmin\application data\DAEMON Tools Pro
2012-03-01 19:05:16 -------- d-----w- c:\documents and settings\3rdadmin\application data\Malwarebytes
2012-03-01 19:05:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-01 18:50:23 -------- d-----w- c:\documents and settings\3rdadmin\local settings\application data\Mozilla
2012-02-28 22:34:23 -------- d-----w- C:\savw_95_sa
2012-02-28 16:36:04 6144 ------w- c:\windows\system32\1.tmp
2012-02-24 12:17:59 -------- d-----w- C:\ComboFix
2012-02-17 15:35:21 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-02-16 20:18:38 -------- d-----w- c:\program files\Bleeping Computer Utilities
2012-02-16 16:12:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-16 15:54:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-16 13:36:27 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 13:36:27 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-07 15:39:34 -------- d--h--w- c:\windows\PIF
2012-02-07 14:43:53 -------- d-sha-r- C:\cmdcons
.
==================== Find3M ====================
.
2012-02-16 16:11:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-29 02:27:07 2396 ----a-w- c:\windows\system32\ASOROSet.bin
2012-01-28 18:24:12 443448 ----a-w- c:\windows\system32\drivers\sptd.sys
2012-01-28 17:58:33 821248 ----a-w- c:\program files\FreeISOBurner.exe
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 08:53:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-12-19 08:53:33 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-12-19 08:53:32 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-12-16 13:16:31 369664 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 15:53:54.51 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 05/02/2010 08:30:27
System Uptime: 06/03/2012 15:44:19 (0 hours ago)
.
Motherboard: Hewlett-Packard | | 080Ch
Processor: Intel® Xeon™ CPU 3.06GHz | XU1 PROCESSOR | 3056/533mhz
Processor: Intel® Xeon™ CPU 3.06GHz | XU2 PROCESSOR | 3056/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 12.025 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 20 GiB total, 8.946 GiB free.
G: is FIXED (NTFS) - 20 GiB total, 16.098 GiB free.
H: is FIXED (NTFS) - 59 GiB total, 55.039 GiB free.
I: is FIXED (NTFS) - 14 GiB total, 13.797 GiB free.
J: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP376: 03/02/2012 15:57:48 - System Checkpoint
RP377: 05/02/2012 15:50:00 - System Checkpoint
RP378: 07/02/2012 14:38:02 - ComboFix created restore point
RP379: 08/02/2012 16:28:59 - System Checkpoint
RP380: 10/02/2012 15:36:09 - System Checkpoint
RP381: 11/02/2012 23:12:54 - System Checkpoint
RP382: 16/02/2012 15:56:54 - Removed Adobe Reader 9.4.1.
RP383: 16/02/2012 15:58:02 - Installed Adobe Reader X (10.1.2).
RP384: 16/02/2012 16:09:17 - Removed Java™ 6 Update 23
RP385: 16/02/2012 16:10:27 - Installed Java™ 6 Update 31
RP386: 16/02/2012 16:28:35 - Software Distribution Service 3.0
RP387: 24/02/2012 12:51:00 - System Checkpoint
RP388: 28/02/2012 23:20:05 - System Checkpoint
RP389: 29/02/2012 00:33:11 - IObit Uninstaller restore point
RP390: 29/02/2012 00:34:04 - Removed Sophos Anti-Virus
RP391: 29/02/2012 00:42:52 - IObit Uninstaller restore point
RP392: 29/02/2012 13:07:59 - IObit Uninstaller restore point
RP393: 29/02/2012 15:46:00 - IObit Uninstaller restore point
RP394: 29/02/2012 15:46:50 - Removed Sophos AutoUpdate
RP395: 29/02/2012 15:56:23 - IObit Uninstaller restore point
RP396: 29/02/2012 19:28:25 - IObit Uninstaller restore point
RP397: 02/03/2012 19:01:00 - System Checkpoint
RP398: 03/03/2012 19:46:02 - System Checkpoint
RP399: 05/03/2012 00:16:43 - System Checkpoint
.
==== Installed Programs ======================
.
10-Strike LANState
Adobe Acrobat 6.0 Professional
Adobe AIR
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11.5
Advanced System Optimizer
Advanced SystemCare 3
Agent Ransack 2010
Apple Application Support
Apple Software Update
Belarc Advisor 8.2
Bonjour
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
Brother MFL-Pro Suite
CadStd
CCleaner
CDBurnerXP
Cobian Backup 10
DAEMON Tools Pro
Data Doctor Recovery - SIM Card (Demo)
Data Doctor Recovery - SIM Card (Evaluation) 3.0.1.5
Defraggler
Dia (remove only)
DriverAgent by eSupport.com
EASEUS Partition Master 8.0.1 Home Edition
ErrorEND
ESET Online Scanner v3
GMX File Storage Manager
Google Earth
Google Update Helper
GoToAssist Corporate
HostsMan 3.2.73
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
HoverIP v1.0 beta
HP Product Detection
Iomega REV System Software
iTunes
Java Auto Updater
Java™ 6 Update 31
Junior Icon Editor
MailWasher Free 6.5.4
Matrox Graphics Software (remove only)
Matrox PowerDesk-SE
Matrox PowerSpace
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 97, Professional Edition
Microsoft Office File Validation Add-In
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Visio 2007 Service Pack 2 (SP2)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MozBackup 1.4.10
Mozilla Firefox 10.0.2 (x86 en-US)
Mozilla Thunderbird 10.0.2 (x86 en-GB)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyPDFConverter
MyPhoneExplorer
NeoTrace Pro 3.25 Trial
Nmap 5.21
PDF-Viewer
Picasa 3
QuickTime
RegTweaker version 3.2.2
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio 2007 (KB2553010)
Security Update for Windows XP (KB2647516)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923789)
Sentinel Protection Installer 7.5.0
Smart Defrag 2
Sony Ericsson PC Companion 2.01.231
Stellar Phoenix Password Recovery
SUPERAntiSpyware
UK-Info People Finder V14
UltraMon
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
USBInfo
VitalSource Bookshelf
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.1.1
WinRAR 4.00 beta 4 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
29/02/2012 23:25:16, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss sptd Tcpip uigcrdr WS2IFSL
29/02/2012 19:35:34, error: Service Control Manager [7034] - The Remote Procedure Call (RPC) Locator service terminated unexpectedly. It has done this 1 time(s).
29/02/2012 18:06:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
29/02/2012 18:02:50, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm NetworkX sptd
28/02/2012 23:22:00, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
28/02/2012 22:35:56, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
28/02/2012 22:35:49, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
28/02/2012 22:35:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
28/02/2012 22:35:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service SAVService with arguments "" in order to run the server: {D2B7A809-15DC-40B4-A1E1-C61EA97191DB}
28/02/2012 19:09:39, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
28/02/2012 15:05:06, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm NetworkX SAVOnAccessControl SAVOnAccessFilter sptd
28/02/2012 15:05:06, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
28/02/2012 15:04:10, error: sptd [4] - Driver detected an internal error in its data structures for .
28/02/2012 14:55:25, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
28/02/2012 14:52:44, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss SAVOnAccessControl SAVOnAccessFilter sptd Tcpip uigcrdr WS2IFSL
28/02/2012 14:52:44, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2012 14:52:44, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2012 14:52:44, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2012 14:52:44, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
28/02/2012 14:35:45, error: Service Control Manager [7022] - The Windows Time service hung on starting.
06/03/2012 15:32:04, error: Service Control Manager [7034] - The Cobian Backup 10 Volume Shadow Copy service service terminated unexpectedly. It has done this 1 time(s).
06/03/2012 15:32:01, error: Service Control Manager [7034] - The Cobian Backup 10 service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 02:45:45, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
05/03/2012 02:23:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm NetworkX SASDIFSV SASKUTIL sptd
05/03/2012 02:13:10, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 02:13:10, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
05/03/2012 02:13:03, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 02:00:37, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 02:00:37, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 02:00:20, error: Service Control Manager [7034] - The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly. It has done this 2 time(s).
05/03/2012 02:00:20, error: Service Control Manager [7031] - The IIS Admin service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.
05/03/2012 01:59:54, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 01:59:46, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 01:59:35, error: Service Control Manager [7034] - The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 01:59:35, error: Service Control Manager [7031] - The IIS Admin service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.
05/03/2012 01:59:31, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
05/03/2012 01:59:24, error: Service Control Manager [7034] - The NMSAccess service terminated unexpectedly. It has done this 1 time(s).
04/03/2012 19:27:35, error: Service Control Manager [7031] - The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
03/03/2012 14:56:39, error: Print [19] - Sharing printer failed + 1722, Printer Brother PC-FAX USB on xw6000 share name Brother PC-FAX USB on xw6000.
02/03/2012 21:58:01, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
.
==== End Of File ===========================

Thanks to whom-ever picks this up.

Bump As per instructions

EDIT: Please be patient. There are over 40 unanswered topics in this forum at present and the current average wait time to receive help is 4 days. ~Budapest

Edited by Budapest, 07 March 2012 - 05:17 PM.
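The two Stop screens quoted in the post carry more information than the code alone: the four parameters have a fixed meaning per bugcheck code, and the second line of the first crash gives the faulting address and the load base of atapi.sys, so the address can be turned into an offset inside the driver. The decoder below is an added example for this thread, not a tool from the page or from BleepingComputer; it knows only the two bugcheck codes that appear above (parameter meanings taken from Microsoft's public bugcheck reference) and it tolerates a hand-typed "ox" in place of "0x", which happens when a Stop screen is copied by hand. The sample lines are the ones quoted in the post.

```python
import re

# Parameter meanings for the two bugcheck codes seen in this thread, from the public
# Microsoft bugcheck reference. Any other code is reported by number only.
BUGCHECKS = {
    0x000000D1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL", [
        "memory address referenced",
        "IRQL at the time of the reference",
        "operation (0 = read, 1 = write)",
        "address of the instruction that referenced the memory",
    ]),
    0x0000004E: ("PFN_LIST_CORRUPT", [
        "subtype (0x07 = a driver unlocked a page more times than it locked it)",
        "page frame number (subtype 0x07)",
        "current share count of the page (subtype 0x07)",
        "reserved",
    ]),
}

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]{1,8})\s*\(([^)]*)\)", re.IGNORECASE)
MODULE_RE = re.compile(
    r"^\*+\s*(\S+)\s+-\s+Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+)"
    r"(?:,\s*DateStamp\s+([0-9A-Fa-f]+))?",
    re.IGNORECASE | re.MULTILINE,
)


def _hex(token):
    """Parse one hand-typed hex parameter; accepts 'ox' as a slip for '0x'."""
    t = token.strip()
    if t[:2].lower() in ("0x", "ox"):
        t = t[2:]
    return int(t, 16)


def decode_stop(text):
    """Describe the first STOP line in text (dict), or return None if there is none."""
    m = STOP_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [_hex(p) for p in m.group(2).split(",") if p.strip()]
    name, meanings = BUGCHECKS.get(code, ("UNKNOWN", []))
    result = {
        "code": code,
        "name": name,
        "params": [(meanings[i] if i < len(meanings) else "parameter %d" % (i + 1), v)
                   for i, v in enumerate(params)],
        "module": None,
    }
    mm = MODULE_RE.search(text)
    if mm:
        addr, base = int(mm.group(2), 16), int(mm.group(3), 16)
        result["module"] = {
            "name": mm.group(1),
            "address": addr,
            "base": base,
            "offset": addr - base,      # offset into the driver image to look at in a disassembler
            "datestamp": mm.group(4),   # PE timestamp as printed on the Stop screen
        }
    return result


def format_report(d):
    lines = ["STOP 0x%08X %s" % (d["code"], d["name"])]
    for meaning, value in d["params"]:
        lines.append("  0x%08X  %s" % (value, meaning))
    if d["module"]:
        mod = d["module"]
        lines.append("  faulting module %s, base 0x%08X, offset +0x%X"
                     % (mod["name"], mod["base"], mod["offset"]))
    return "\n".join(lines)


# The two crash lines quoted in the post above (second one with the 'ox' slip as typed).
FIRST_STOP = """***Stop: 0x000000D1 (0x00000060, 0x00000005, 0x00000000, 0xF74A36AB)
*** atapi.sys - Address F74A36AB base at F749B000, DateStamp 4802539d"""
SECOND_STOP = "*** STOP: 0x0000004E (ox00000007, 0x00020892, 0x00000001,0x00000000)"

if __name__ == "__main__":
    for text in (FIRST_STOP, SECOND_STOP):
        print(format_report(decode_stop(text)))
        print()
```

For the first crash the decoder reports a read of address 0x60 at IRQL 5 from atapi.sys at offset +0x86AB; that offset, not the raw address, is what to compare between boots, because the driver's load base can move. A parameter-1 value of 7 on the second crash is the documented "driver unlocked a page more times than it locked it" subtype, which is a driver-side fault rather than a generic memory-list corruption. Neither decode says what modified the driver; it only says where the kernel tripped, which is why the helper's next step is to check atapi.sys itself.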



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:28 PM

Posted 12 March 2012 - 09:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I suspect that you have a rootkit infection. Your atapi.sys could also be corrupted.

Try to run these first 2 tools.

Please Download
TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64-bit, download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post the logs you were able to save.
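The SystemLook `:filefind atapi.sys` step above lists every copy of the driver on the disk with its size and dates, so the helper can see whether the copy in use (system32\drivers) still matches the cached originals Windows keeps in system32\dllcache and ServicePackFiles\i386. The script below is an added example that does the same comparison by SHA-256; it is not part of the page, not SystemLook, and not a replacement for the helper's tools. The directory names are the standard Windows XP locations and are assumptions about this machine; the demonstration tree it builds is constructed, not taken from the poster's logs.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Standard Windows XP locations of a boot driver and its protected backups (assumed paths).
DEFAULT_ROOTS = [r"C:\WINDOWS\system32\drivers",
                 r"C:\WINDOWS\system32\dllcache",
                 r"C:\WINDOWS\ServicePackFiles\i386"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(roots, filename="atapi.sys"):
    """Walk each root recursively; return [(path, size, sha256)] for every file with that name."""
    found, want = [], filename.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == want:
                    path = os.path.join(dirpath, name)
                    try:
                        found.append((path, os.path.getsize(path), sha256_of(path)))
                    except OSError as e:
                        found.append((path, -1, "unreadable: %s" % e))  # still worth listing
    return found


def compare_copies(copies):
    """Group readable copies by hash. consistent is True only when at least one copy
    was read and every readable copy has the same hash."""
    groups = defaultdict(list)
    for path, size, digest in copies:
        if size >= 0:
            groups[digest].append((path, size))
    return len(groups) == 1, dict(groups)


def report(copies):
    consistent, groups = compare_copies(copies)
    out = []
    for digest, members in groups.items():
        out.append(digest[:16] + "...")
        for path, size in members:
            out.append("   %8d  %s" % (size, path))
    out.append("VERDICT: " + ("all copies identical" if consistent else
               "copies DIFFER: the in-use driver may have been replaced, or a cached copy is stale"))
    return "\n".join(out)


def build_constructed_tree(base):
    """Constructed sample: the in-use copy differs from two identical cached copies."""
    layout = {
        os.path.join("system32", "drivers"):      b"MZ-driver-bytes-MODIFIED",
        os.path.join("system32", "dllcache"):     b"MZ-driver-bytes",
        os.path.join("ServicePackFiles", "i386"): b"MZ-driver-bytes",
    }
    for rel, data in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d)
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(data)
    return [os.path.join(base, "system32"), os.path.join(base, "ServicePackFiles")]


def run_demo():
    """Build the constructed tree in a temp dir and return (copies, consistent, groups)."""
    copies = find_copies(build_constructed_tree(tempfile.mkdtemp()))
    consistent, groups = compare_copies(copies)
    return copies, consistent, groups


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:]            # e.g. the DEFAULT_ROOTS, or a mounted offline copy of the disk
    print(report(find_copies(roots) if roots else run_demo()[0]))
```

A mismatch between the in-use copy and both cached copies is the condition the helper is looking for; identical hashes are not a clean bill of health, because a kernel-mode rootkit that filters disk I/O can hand a user-mode reader the original bytes while the patched driver is what actually runs. That is the reason the same post asks for TDSSKiller and aswMBR, which read the disk below the file system, and why the follow-up post prepares a bootable rescue disk: the hashes are only trustworthy when taken with the infected Windows not running, for example from the rescue environment with the disk mounted read-only.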

#3 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 12 March 2012 - 12:18 PM

The downloads keep failing, and getting anything to download onto the troublesome PC is very difficult. During the previous malware removal session I had to transfer the software tools from another PC.

If the browsers IE and Firefox are infected, could I use a way of downloading directly, without the need of a browser? I know this can be done but I don't know how to, or if I should.

Cheers

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:28 PM

Posted 12 March 2012 - 01:01 PM

You will need to download the files to a good computer.

Copy them to the infected computer and run them.

===

When at the other computer get this tool also.
Make the bootable CD or flash drive.
We may need to run it later.

PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


Summarizing:
  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the content of the file for my review.
Let me know what problem persists.

#5 duffsparky (Topic Starter)

Posted 12 March 2012 - 08:14 PM

I'll have to put together another machine, so I can be sure it's clean, which might take a day or two but I'll be back.

Cheers.

#6 duffsparky (Topic Starter)

Posted 15 March 2012 - 11:54 AM

I've got a clean PC up and running and connected to the Internet. I can now download the anti-malware tools etc I/you required to check and hopefully clean up the infected PC(s).

The problem is now uploading the software tools to the infected machine(s) without infecting the media used. I have the option of using any of the following:-

  • Network link
  • Direct hard disk swapping
  • Hard disk swapping via external USB enclosure
  • Floppy disk
  • CDR and DVDR
  • CDRW and DVDRW
  • USB flash drive
  • Flash memory card via external USB adapter.

Apart from the floppy, CD and DVD options, for which I can use new media, I can't guarantee that any of the other methods will be malware free. Floppy disks typically do not have a large enough capacity, which leaves the CD/DVD options.

If I use CD/DVDs and I do not close the recording session, once I've burned the programs, can these CD/DVDs become infected once placed in an infected machine? It would seem a waste to close off CDRs after burning just one small program, especially if there are more to follow.

If you can suggest an alternative solution please do; flash drives would be easiest, but how do I make sure they are not and do not become infected? I obviously don't want to transfer malware back and forth between PCs, which is how I possibly infected this second machine whilst trying to fix the first one (then I transferred data using my network).

Can TDSSKiller be run from a CD or must it be installed/placed on the infected machine?

Thanks.

#7 nasdaq (Malware Response Team)

Posted 15 March 2012 - 01:00 PM

If I use CD/DVDs and I do not close the recording session, once I've burned the programs, can these CD/DVDs become infected once placed in an infected machine? It would seem a waste to close off CDRs after burning just one small program, especially if there are more to follow.


CDs will not get infected.

A flash drive will....

Can TDSSKiller be run from a CD or must it be installed/placed on the infected machine?

You can try it but I do not think so.
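Whatever medium carries the tools (and the rescue-disk .iso from the earlier post), the check that settles the "did the infected PC touch my files?" question is a hash manifest: compute SHA-256 of every file on the clean PC, keep a copy of the manifest on the clean side, and compare when the media comes back. The script below is an added example, not code from the thread or from any of the tools named in it; the file names in its demo are constructed stand-ins, not the real downloads. Two caveats a practitioner would add to the post above: a CD-R whose session is left open can still have a further session appended on the infected machine, so either finalise it or rely on the manifest; and the manifest and this script must themselves come from the clean side, since a copy living on a writable flash drive can be altered along with the files. The same `sha256_file()` is what you would run on the downloaded Kaspersky .iso to compare against the value Kaspersky publishes (the thread gives no hash, so look it up on the download page).

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB pieces so large .iso images do not sit in RAM


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _relpaths(root, manifest_name):
    """Every file under root (except the manifest), as forward-slash relative paths."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != manifest_name:
                yield rel, full


def build_manifest(root, manifest_name="SHA256SUMS.txt"):
    """Run on the clean PC: write '<sha256>  <relative path>' lines and return the manifest path."""
    lines = [f"{sha256_file(full)}  {rel}" for rel, full in _relpaths(root, manifest_name)]
    lines.sort(key=lambda line: line.split("  ", 1)[1])
    manifest = os.path.join(root, manifest_name)
    with open(manifest, "w") as f:
        f.write("\n".join(lines) + "\n")
    return manifest


def verify_manifest(root, manifest_name="SHA256SUMS.txt"):
    """Run on the clean PC when the media comes back.

    Returns {relative path: 'ok' | 'MODIFIED' | 'MISSING' | 'EXTRA'}; EXTRA marks files
    that were not in the manifest (for example something dropped on a flash drive).
    """
    expected = {}
    with open(os.path.join(root, manifest_name)) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                expected[rel] = digest
    result = {}
    for rel, digest in expected.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            result[rel] = "MISSING"
        else:
            result[rel] = "ok" if sha256_file(full) == digest else "MODIFIED"
    for rel, _ in _relpaths(root, manifest_name):
        if rel not in expected:
            result[rel] = "EXTRA"
    return result


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed round trip: build on the clean PC, then the media comes back altered."""
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "tools"))
        _write(os.path.join(media, "tools", "tdsskiller.exe"), b"TOOL-A")  # stand-in bytes
        _write(os.path.join(media, "tools", "aswMBR.exe"), b"TOOL-B")      # stand-in bytes
        build_manifest(media)
        clean = verify_manifest(media)
        # What an infected host writing to a flash drive might do: alter a tool, drop a file.
        with open(os.path.join(media, "tools", "aswMBR.exe"), "ab") as f:
            f.write(b"!")
        _write(os.path.join(media, "autorun.inf"), b"[autorun]\r\n")
        tampered = verify_manifest(media)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("fresh media:", before)
    print("after round trip:", after)
```

In practice: run `build_manifest()` on the folder you are about to burn or copy, keep the printed manifest (or its own SHA-256) on the clean PC, and run `verify_manifest()` against the media, not against a copy of the manifest that travelled with it.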

#8 duffsparky (Topic Starter)

Posted 15 March 2012 - 03:50 PM

CDs will not get infected.



Is that regardless of how the CD is written, i.e. using XP's own in-built CD writer or third-party software?

Cheers.

#9 duffsparky (Topic Starter)

Posted 15 March 2012 - 05:13 PM

I've downloaded and installed BurnAware Free but this software is bundled with Searchqu which was also installed at the same time without the option not to install it, which sucks. Can you assist with getting rid of Searchqu?

#10 duffsparky (Topic Starter)

Posted 15 March 2012 - 07:55 PM

Below are the logs for TDSSKiller, aswMBR and SystemLook. I attempted to attach the MBR.dat file but I received the following error message from your site:-

MBR.dat
You aren't permitted to upload this kind of file



--------------------------------------------


23:51:28.0796 2572 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
23:51:30.0812 2572 ============================================================
23:51:30.0812 2572 Current date / time: 2012/03/15 23:51:30.0812
23:51:30.0812 2572 SystemInfo:
23:51:30.0812 2572
23:51:30.0812 2572 OS Version: 5.1.2600 ServicePack: 3.0
23:51:30.0812 2572 Product type: Workstation
23:51:30.0812 2572 ComputerName: XW6000
23:51:30.0812 2572 UserName: 3rdadmin
23:51:30.0812 2572 Windows directory: C:\WINDOWS
23:51:30.0812 2572 System windows directory: C:\WINDOWS
23:51:30.0812 2572 Processor architecture: Intel x86
23:51:30.0812 2572 Number of processors: 4
23:51:30.0812 2572 Page size: 0x1000
23:51:30.0812 2572 Boot type: Normal boot
23:51:30.0812 2572 ============================================================
23:51:33.0000 2572 Drive \Device\Harddisk0\DR0 - Size: 0x9925B0000 (38.29 Gb), SectorSize: 0x200, Cylinders: 0x14BE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
23:51:33.0015 2572 Drive \Device\Harddisk1\DR1 - Size: 0x1BF286DE00 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
23:51:33.0015 2572 \Device\Harddisk0\DR0:
23:51:33.0015 2572 MBR used
23:51:33.0015 2572 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4C8DA91
23:51:33.0015 2572 \Device\Harddisk1\DR1:
23:51:33.0015 2572 MBR used
23:51:33.0015 2572 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2711637
23:51:33.0015 2572 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x2711676, BlocksNum 0x75304A1
23:51:33.0031 2572 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x9C41B56, BlocksNum 0x2711637
23:51:33.0031 2572 \Device\Harddisk1\DR1\Partition3: MBR, Type 0x7, StartLBA 0xC35318D, BlocksNum 0x1C3C773
23:51:33.0218 2572 Initialize success
23:51:33.0218 2572 ============================================================
23:51:38.0171 1024 ============================================================
23:51:38.0171 1024 Scan started
23:51:38.0171 1024 Mode: Manual;
23:51:38.0171 1024 ============================================================
23:51:39.0187 1024 Abiosdsk - ok
23:51:39.0406 1024 abp480n5 - ok
23:51:39.0734 1024 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:51:39.0796 1024 ACPI - ok
23:51:40.0093 1024 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:51:40.0093 1024 ACPIEC - ok
23:51:40.0328 1024 adpu160m - ok
23:51:40.0625 1024 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
23:51:40.0656 1024 adpu320 - ok
23:51:40.0953 1024 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
23:51:40.0953 1024 aeaudio - ok
23:51:41.0312 1024 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:51:41.0359 1024 aec - ok
23:51:41.0640 1024 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
23:51:41.0687 1024 AFD - ok
23:51:41.0968 1024 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:51:41.0984 1024 agp440 - ok
23:51:42.0187 1024 Aha154x - ok
23:51:42.0421 1024 aic78u2 - ok
23:51:42.0625 1024 aic78xx - ok
23:51:42.0859 1024 AliIde - ok
23:51:43.0078 1024 amsint - ok
23:51:43.0343 1024 asc - ok
23:51:43.0546 1024 asc3350p - ok
23:51:43.0750 1024 asc3550 - ok
23:51:44.0109 1024 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:51:44.0109 1024 AsyncMac - ok
23:51:44.0390 1024 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:51:44.0390 1024 atapi - ok
23:51:44.0578 1024 Atdisk - ok
23:51:44.0859 1024 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:51:44.0875 1024 Atmarpc - ok
23:51:45.0140 1024 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:51:45.0140 1024 audstub - ok
23:51:45.0515 1024 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
23:51:45.0515 1024 b57w2k - ok
23:51:45.0828 1024 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:51:45.0828 1024 Beep - ok
23:51:46.0125 1024 Blfp (07a758bffb297819252aa72bab0e6611) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
23:51:46.0140 1024 Blfp - ok
23:51:46.0484 1024 BrScnUsb (6cf3aed19c2185c60de2ae50ee37a342) C:\WINDOWS\system32\Drivers\BrScnUsb.sys
23:51:46.0484 1024 BrScnUsb - ok
23:51:46.0734 1024 BrSerIf (26051d886f3333cb41857d6f52248de1) C:\WINDOWS\system32\Drivers\BrSerIf.sys
23:51:46.0750 1024 BrSerIf - ok
23:51:47.0031 1024 BrUsbSer (7ac85cdc03befd78908b3b6a73d201d0) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
23:51:47.0031 1024 BrUsbSer - ok
23:51:47.0203 1024 catchme - ok
23:51:47.0531 1024 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:51:47.0531 1024 cbidf2k - ok
23:51:47.0781 1024 cd20xrnt - ok
23:51:48.0031 1024 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:51:48.0031 1024 Cdaudio - ok
23:51:48.0328 1024 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:51:48.0343 1024 Cdfs - ok
23:51:48.0625 1024 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:51:48.0656 1024 Cdrom - ok
23:51:48.0859 1024 Changer - ok
23:51:49.0109 1024 CmdIde - ok
23:51:49.0421 1024 Cpqarray - ok
23:51:49.0671 1024 dac2w2k - ok
23:51:49.0890 1024 dac960nt - ok
23:51:50.0203 1024 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:51:50.0218 1024 Disk - ok
23:51:50.0765 1024 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:51:51.0031 1024 dmboot - ok
23:51:51.0390 1024 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:51:51.0437 1024 dmio - ok
23:51:51.0671 1024 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:51:51.0671 1024 dmload - ok
23:51:51.0984 1024 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:51:52.0000 1024 DMusic - ok
23:51:52.0281 1024 dpti2o - ok
23:51:52.0546 1024 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:51:52.0546 1024 drmkaud - ok
23:51:52.0796 1024 DrvAgent32 (651554e483712b708ede864d0ca1aa73) C:\WINDOWS\system32\Drivers\DrvAgent32.sys
23:51:52.0812 1024 DrvAgent32 - ok
23:51:53.0156 1024 dtsoftbus01 (16c5891c6d1fa0b5d9014f85a482eb20) C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
23:51:53.0171 1024 dtsoftbus01 - ok
23:51:53.0421 1024 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
23:51:53.0421 1024 epmntdrv - ok
23:51:53.0687 1024 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
23:51:53.0718 1024 EuGdiDrv - ok
23:51:54.0062 1024 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:51:54.0109 1024 Fastfat - ok
23:51:54.0468 1024 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:51:54.0484 1024 Fdc - ok
23:51:54.0750 1024 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:51:54.0750 1024 Fips - ok
23:51:54.0968 1024 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:51:54.0968 1024 Flpydisk - ok
23:51:55.0265 1024 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:51:55.0312 1024 FltMgr - ok
23:51:55.0578 1024 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:51:55.0578 1024 Fs_Rec - ok
23:51:55.0843 1024 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:51:55.0875 1024 Ftdisk - ok
23:51:56.0250 1024 G400 (36feb2ddce5f84128c2a8dbc60538dad) C:\WINDOWS\system32\DRIVERS\G400m.sys
23:51:56.0359 1024 G400 - ok
23:51:56.0718 1024 G400DH (2dd3d27e36ebf6804c40b843ff10872f) C:\WINDOWS\system32\DRIVERS\g400dhm.sys
23:51:56.0843 1024 G400DH - ok
23:51:57.0156 1024 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:51:57.0156 1024 GEARAspiWDM - ok
23:51:57.0484 1024 ggflt (007aea2e06e7cef7372e40c277163959) C:\WINDOWS\system32\DRIVERS\ggflt.sys
23:51:57.0500 1024 ggflt - ok
23:51:57.0765 1024 ggsemc (c73de35960ca75c5ab4ae636b127c64e) C:\WINDOWS\system32\DRIVERS\ggsemc.sys
23:51:57.0781 1024 ggsemc - ok
23:51:58.0046 1024 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:51:58.0062 1024 Gpc - ok
23:51:58.0437 1024 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:51:58.0453 1024 HidUsb - ok
23:51:58.0703 1024 hpn - ok
23:51:59.0062 1024 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:51:59.0140 1024 HTTP - ok
23:51:59.0375 1024 i2omgmt - ok
23:51:59.0593 1024 i2omp - ok
23:51:59.0875 1024 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:51:59.0890 1024 i8042prt - ok
23:52:00.0171 1024 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:52:00.0187 1024 Imapi - ok
23:52:00.0484 1024 imdrvfsf (aec3108ef22cb12b8e35e4f84531be67) C:\WINDOWS\system32\DRIVERS\imdrvfsf.sys
23:52:00.0500 1024 imdrvfsf - ok
23:52:00.0734 1024 ini910u - ok
23:52:01.0015 1024 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:52:01.0015 1024 IntelIde - ok
23:52:01.0250 1024 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:52:01.0265 1024 intelppm - ok
23:52:01.0500 1024 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:52:01.0515 1024 Ip6Fw - ok
23:52:01.0765 1024 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:52:01.0781 1024 IpFilterDriver - ok
23:52:02.0062 1024 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:52:02.0078 1024 IpInIp - ok
23:52:02.0453 1024 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:52:02.0515 1024 IpNat - ok
23:52:02.0812 1024 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:52:02.0843 1024 IPSec - ok
23:52:03.0125 1024 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
23:52:03.0171 1024 irda - ok
23:52:03.0437 1024 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:52:03.0453 1024 IRENUM - ok
23:52:03.0703 1024 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
23:52:03.0703 1024 irsir - ok
23:52:04.0015 1024 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:52:04.0031 1024 isapnp - ok
23:52:04.0312 1024 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:52:04.0312 1024 Kbdclass - ok
23:52:04.0546 1024 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:52:04.0546 1024 kbdhid - ok
23:52:04.0828 1024 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:52:04.0890 1024 kmixer - ok
23:52:05.0187 1024 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:52:05.0218 1024 KSecDD - ok
23:52:05.0468 1024 lbrtfdc - ok
23:52:05.0812 1024 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
23:52:05.0828 1024 MBAMSwissArmy - ok
23:52:06.0031 1024 MEMSWEEP2 (d70476ad02d6fd75282b196d3b58831d) C:\WINDOWS\system32\1.tmp
23:52:06.0031 1024 MEMSWEEP2 - ok
23:52:06.0375 1024 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:52:06.0375 1024 mnmdd - ok
23:52:06.0640 1024 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:52:06.0640 1024 Modem - ok
23:52:06.0890 1024 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:52:06.0890 1024 Mouclass - ok
23:52:07.0156 1024 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:52:07.0156 1024 mouhid - ok
23:52:07.0484 1024 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:52:07.0500 1024 MountMgr - ok
23:52:07.0703 1024 mraid35x - ok
23:52:08.0000 1024 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:52:08.0062 1024 MRxDAV - ok
23:52:08.0531 1024 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:52:08.0687 1024 MRxSmb - ok
23:52:09.0000 1024 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:52:09.0015 1024 Msfs - ok
23:52:09.0312 1024 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:52:09.0312 1024 MSKSSRV - ok
23:52:09.0562 1024 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:52:09.0562 1024 MSPCLOCK - ok
23:52:09.0796 1024 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:52:09.0812 1024 MSPQM - ok
23:52:10.0078 1024 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:52:10.0078 1024 mssmbios - ok
23:52:10.0359 1024 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:52:10.0390 1024 Mup - ok
23:52:10.0750 1024 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:52:10.0796 1024 NDIS - ok
23:52:11.0015 1024 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:52:11.0031 1024 NdisTapi - ok
23:52:11.0296 1024 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:52:11.0296 1024 Ndisuio - ok
23:52:11.0546 1024 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:52:11.0578 1024 NdisWan - ok
23:52:11.0859 1024 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:52:11.0875 1024 NDProxy - ok
23:52:12.0156 1024 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:52:12.0171 1024 NetBIOS - ok
23:52:12.0562 1024 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:52:12.0609 1024 NetBT - ok
23:52:12.0921 1024 NetworkX (37011b0c609aed94be1a7bd8c4def574) C:\WINDOWS\system32\ckldrv.sys
23:52:12.0921 1024 NetworkX - ok
23:52:13.0265 1024 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
23:52:13.0281 1024 NPF - ok
23:52:13.0562 1024 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:52:13.0578 1024 Npfs - ok
23:52:14.0000 1024 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:52:14.0203 1024 Ntfs - ok
23:52:14.0546 1024 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:52:14.0546 1024 Null - ok
23:52:14.0796 1024 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:52:14.0796 1024 NwlnkFlt - ok
23:52:15.0031 1024 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:52:15.0046 1024 NwlnkFwd - ok
23:52:15.0437 1024 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:52:15.0468 1024 Parport - ok
23:52:15.0734 1024 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:52:15.0734 1024 PartMgr - ok
23:52:16.0031 1024 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:52:16.0031 1024 ParVdm - ok
23:52:16.0468 1024 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:52:16.0500 1024 PCI - ok
23:52:16.0765 1024 PCIDump - ok
23:52:17.0015 1024 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
23:52:17.0015 1024 PCIIde - ok
23:52:17.0328 1024 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:52:17.0359 1024 Pcmcia - ok
23:52:17.0593 1024 PDCOMP - ok
23:52:17.0796 1024 PDFRAME - ok
23:52:18.0000 1024 PDRELI - ok
23:52:18.0234 1024 PDRFRAME - ok
23:52:18.0484 1024 perc2 - ok
23:52:18.0703 1024 perc2hib - ok
23:52:19.0093 1024 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:52:19.0109 1024 PptpMiniport - ok
23:52:19.0453 1024 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:52:19.0468 1024 PSched - ok
23:52:19.0765 1024 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:52:19.0781 1024 Ptilink - ok
23:52:20.0015 1024 ptiusbf (d584964dffd9a0bbad086cf8f6ddfdc5) C:\WINDOWS\system32\DRIVERS\PTIUSBF.SYS
23:52:20.0031 1024 ptiusbf - ok
23:52:20.0265 1024 ql1080 - ok
23:52:20.0484 1024 Ql10wnt - ok
23:52:20.0687 1024 ql12160 - ok
23:52:20.0906 1024 ql1240 - ok
23:52:21.0125 1024 ql1280 - ok
23:52:21.0421 1024 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:52:21.0421 1024 RasAcd - ok
23:52:21.0687 1024 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
23:52:21.0703 1024 Rasirda - ok
23:52:21.0968 1024 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:52:21.0984 1024 Rasl2tp - ok
23:52:22.0265 1024 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:52:22.0281 1024 RasPppoe - ok
23:52:22.0578 1024 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:52:22.0593 1024 Raspti - ok
23:52:22.0890 1024 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:52:22.0953 1024 Rdbss - ok
23:52:23.0250 1024 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:52:23.0250 1024 RDPCDD - ok
23:52:23.0578 1024 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:52:23.0640 1024 rdpdr - ok
23:52:23.0953 1024 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
23:52:24.0000 1024 RDPWD - ok
23:52:24.0328 1024 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:52:24.0359 1024 redbook - ok
23:52:24.0765 1024 revfs (71644c853d27de5ffd032a7478e9157e) C:\WINDOWS\system32\drivers\revfs.sys
23:52:24.0859 1024 revfs - ok
23:52:25.0203 1024 s0016bus (59509ad6cbc28f2c73056268985b3e48) C:\WINDOWS\system32\DRIVERS\s0016bus.sys
23:52:25.0234 1024 s0016bus - ok
23:52:25.0453 1024 s0016mdfl (b98c3a6f91f4fba285af9606a240c6b4) C:\WINDOWS\system32\DRIVERS\s0016mdfl.sys
23:52:25.0468 1024 s0016mdfl - ok
23:52:25.0703 1024 s0016mdm (8a83426f4fb7b5212825d9de76368b1a) C:\WINDOWS\system32\DRIVERS\s0016mdm.sys
23:52:25.0750 1024 s0016mdm - ok
23:52:26.0031 1024 s0016mgmt (7a78bba97feb5e6d24c49e93a3bf7287) C:\WINDOWS\system32\DRIVERS\s0016mgmt.sys
23:52:26.0078 1024 s0016mgmt - ok
23:52:26.0375 1024 s0016nd5 (34ef7b5f611957b73e7219dd5a222ad1) C:\WINDOWS\system32\DRIVERS\s0016nd5.sys
23:52:26.0390 1024 s0016nd5 - ok
23:52:26.0671 1024 s0016obex (36792935847143e4a3cda0dc87248487) C:\WINDOWS\system32\DRIVERS\s0016obex.sys
23:52:26.0718 1024 s0016obex - ok
23:52:26.0984 1024 s0016unic (927208754fb27fc3e7a659e77500c5d1) C:\WINDOWS\system32\DRIVERS\s0016unic.sys
23:52:27.0031 1024 s0016unic - ok
23:52:27.0328 1024 s115bus (e1ab463b36a7ef31d8a73a97a9b57afa) C:\WINDOWS\system32\DRIVERS\s115bus.sys
23:52:27.0375 1024 s115bus - ok
23:52:27.0656 1024 s115mdfl (e24113fc13b8737c94cf4e3415488c76) C:\WINDOWS\system32\DRIVERS\s115mdfl.sys
23:52:27.0671 1024 s115mdfl - ok
23:52:27.0953 1024 s115mdm (4029e49e7c673aa0670bd206b0af1b5b) C:\WINDOWS\system32\DRIVERS\s115mdm.sys
23:52:27.0984 1024 s115mdm - ok
23:52:28.0312 1024 s115mgmt (eb02ab4ca8bccecfde236cad8fc6e135) C:\WINDOWS\system32\DRIVERS\s115mgmt.sys
23:52:28.0343 1024 s115mgmt - ok
23:52:28.0640 1024 s115obex (089869db9ffd2ac807fa87fe82ac7761) C:\WINDOWS\system32\DRIVERS\s115obex.sys
23:52:28.0671 1024 s115obex - ok
23:52:28.0937 1024 s116bus (815445f4676cc96bc9aeec303c727e19) C:\WINDOWS\system32\DRIVERS\s116bus.sys
23:52:28.0968 1024 s116bus - ok
23:52:29.0250 1024 s116mdfl (333d1e0743e6de1779c3c418ac601c3a) C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
23:52:29.0250 1024 s116mdfl - ok
23:52:29.0562 1024 s116mdm (50d6e5b021e9ec7553ab8a3553cc1b6b) C:\WINDOWS\system32\DRIVERS\s116mdm.sys
23:52:29.0593 1024 s116mdm - ok
23:52:29.0906 1024 s116mgmt (1589aa53e43f8d193a7d4d580d3ffa95) C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
23:52:29.0937 1024 s116mgmt - ok
23:52:30.0218 1024 s116nd5 (306f85733671fe507470f0273025e768) C:\WINDOWS\system32\DRIVERS\s116nd5.sys
23:52:30.0234 1024 s116nd5 - ok
23:52:30.0515 1024 s116obex (ec32601f04a5a5de89315d0f55e73d66) C:\WINDOWS\system32\DRIVERS\s116obex.sys
23:52:30.0562 1024 s116obex - ok
23:52:30.0843 1024 s116unic (32e3ecb4b2b5887426eaf241a8149cde) C:\WINDOWS\system32\DRIVERS\s116unic.sys
23:52:30.0875 1024 s116unic - ok
23:52:30.0984 1024 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
23:52:30.0984 1024 SASDIFSV - ok
23:52:31.0125 1024 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
23:52:31.0125 1024 SASKUTIL - ok
23:52:31.0468 1024 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:52:31.0468 1024 Secdrv - ok
23:52:31.0765 1024 seehcri (e5b56569a9f79b70314fede6c953641e) C:\WINDOWS\system32\DRIVERS\seehcri.sys
23:52:31.0765 1024 seehcri - ok
23:52:32.0062 1024 Sentinel (a2cc81c30bef6ac9f27055490eef6de3) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
23:52:32.0062 1024 Sentinel - ok
23:52:32.0328 1024 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:52:32.0343 1024 serenum - ok
23:52:32.0609 1024 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:52:32.0640 1024 Serial - ok
23:52:32.0906 1024 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:52:32.0906 1024 Sfloppy - ok
23:52:33.0140 1024 Simbad - ok
23:52:33.0187 1024 SIWIO - ok
23:52:33.0500 1024 SmartDefragDriver (972dea0d8149d73c5b7a2c97b2e749e3) C:\WINDOWS\system32\Drivers\SmartDefragDriver.sys
23:52:33.0500 1024 SmartDefragDriver - ok
23:52:33.0968 1024 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
23:52:34.0171 1024 smwdm - ok
23:52:34.0484 1024 Sparrow - ok
23:52:34.0734 1024 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:52:34.0734 1024 splitter - ok
23:52:35.0187 1024 sptd (8ea0fd60a5b047e0c734d51aace531c9) C:\WINDOWS\System32\Drivers\sptd.sys
23:52:35.0187 1024 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: 8ea0fd60a5b047e0c734d51aace531c9
23:52:35.0187 1024 sptd ( LockedFile.Multi.Generic ) - warning
23:52:35.0187 1024 sptd - detected LockedFile.Multi.Generic (1)
23:52:35.0500 1024 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:52:35.0531 1024 sr - ok
23:52:35.0937 1024 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:52:36.0046 1024 Srv - ok
23:52:36.0468 1024 StarOpen (e57b778208c783d8debab320c16a1b82) C:\WINDOWS\system32\drivers\StarOpen.sys
23:52:36.0468 1024 StarOpen - ok
23:52:36.0765 1024 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
23:52:36.0765 1024 StillCam - ok
23:52:37.0062 1024 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:52:37.0062 1024 swenum - ok
23:52:37.0359 1024 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:52:37.0390 1024 swmidi - ok
23:52:37.0656 1024 symc810 - ok
23:52:37.0875 1024 symc8xx - ok
23:52:38.0093 1024 sym_hi - ok
23:52:38.0328 1024 sym_u3 - ok
23:52:38.0609 1024 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:52:38.0625 1024 sysaudio - ok
23:52:39.0062 1024 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:52:39.0203 1024 Tcpip - ok
23:52:39.0484 1024 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:52:39.0500 1024 TDPIPE - ok
23:52:39.0750 1024 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:52:39.0765 1024 TDTCP - ok
23:52:39.0984 1024 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:52:40.0000 1024 TermDD - ok
23:52:40.0250 1024 TosIde - ok
23:52:40.0500 1024 TVICHW32 - ok
23:52:40.0781 1024 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:52:40.0796 1024 Udfs - ok
23:52:41.0109 1024 uigcrdr (6a53f947360e00d9318d247571f2e24f) C:\WINDOWS\system32\DRIVERS\uigcrdr.sys
23:52:41.0156 1024 uigcrdr - ok
23:52:41.0390 1024 ultra - ok
23:52:41.0531 1024 UltraMonUtility (5a5bd0f66e84eb039cb227520d49908c) C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys
23:52:41.0531 1024 UltraMonUtility - ok
23:52:41.0937 1024 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:52:42.0078 1024 Update - ok
23:52:42.0390 1024 USBAAPL - ok
23:52:42.0718 1024 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:52:42.0718 1024 usbccgp - ok
23:52:43.0046 1024 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:52:43.0046 1024 usbehci - ok
23:52:43.0328 1024 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:52:43.0343 1024 usbhub - ok
23:52:43.0656 1024 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:52:43.0656 1024 usbprint - ok
23:52:43.0890 1024 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:52:43.0906 1024 USBSTOR - ok
23:52:44.0125 1024 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:52:44.0125 1024 usbuhci - ok
23:52:44.0406 1024 UtilNT (9111ddfded7d6c10e9c6b6369e49cf1e) C:\WINDOWS\system32\drivers\UtilNT.sys
23:52:44.0406 1024 UtilNT - ok
23:52:44.0718 1024 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:52:44.0718 1024 VgaSave - ok
23:52:44.0921 1024 ViaIde - ok
23:52:45.0203 1024 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:52:45.0218 1024 VolSnap - ok
23:52:45.0500 1024 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:52:45.0515 1024 Wanarp - ok
23:52:45.0906 1024 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
23:52:46.0062 1024 Wdf01000 - ok
23:52:46.0312 1024 WDICA - ok
23:52:46.0609 1024 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:52:46.0640 1024 wdmaud - ok
23:52:47.0140 1024 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
23:52:47.0140 1024 WS2IFSL - ok
23:52:47.0484 1024 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:52:47.0500 1024 WudfPf - ok
23:52:47.0781 1024 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:52:47.0812 1024 WudfRd - ok
23:52:48.0140 1024 zebrceb (6e49cf9c48c551264c4af6de19447515) C:\WINDOWS\system32\DRIVERS\zebrceb.sys
23:52:48.0140 1024 zebrceb - ok
23:52:48.0250 1024 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
23:52:48.0500 1024 \Device\Harddisk0\DR0 - ok
23:52:48.0531 1024 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
23:52:48.0578 1024 \Device\Harddisk1\DR1 - ok
23:52:48.0609 1024 Boot (0x1200) (81fa42b344a8b12cd611f75e50425fa4) \Device\Harddisk0\DR0\Partition0
23:52:48.0609 1024 \Device\Harddisk0\DR0\Partition0 - ok
23:52:48.0640 1024 Boot (0x1200) (5c93074299c0edf113492ef361d91a39) \Device\Harddisk1\DR1\Partition0
23:52:48.0640 1024 \Device\Harddisk1\DR1\Partition0 - ok
23:52:48.0687 1024 Boot (0x1200) (14a38a73b483ebc183984587c551175c) \Device\Harddisk1\DR1\Partition1
23:52:48.0687 1024 \Device\Harddisk1\DR1\Partition1 - ok
23:52:48.0718 1024 Boot (0x1200) (e47f46f88f0cd549b7ec97e79a8dd85b) \Device\Harddisk1\DR1\Partition2
23:52:48.0718 1024 \Device\Harddisk1\DR1\Partition2 - ok
23:52:48.0750 1024 Boot (0x1200) (a38c6ed5fa9fbe2c6a300e3f52e25092) \Device\Harddisk1\DR1\Partition3
23:52:48.0750 1024 \Device\Harddisk1\DR1\Partition3 - ok
23:52:48.0765 1024 ============================================================
23:52:48.0765 1024 Scan finished
23:52:48.0765 1024 ============================================================
23:52:48.0812 3072 Detected object count: 1
23:52:48.0812 3072 Actual detected object count: 1
23:57:04.0390 3072 sptd ( LockedFile.Multi.Generic ) - skipped by user
23:57:04.0390 3072 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
23:59:57.0046 2516 Deinitialize success



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-16 00:00:00
-----------------------------
00:00:00.453 OS Version: Windows 5.1.2600 Service Pack 3
00:00:00.453 Number of processors: 4 586 0x209
00:00:00.453 ComputerName: XW6000 UserName:
00:00:01.812 Initialize success
00:02:34.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
00:02:34.250 Disk 0 Vendor: Maxtor_6E040L0 NAR61590 Size: 39205MB BusType: 3
00:02:34.250 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
00:02:34.250 Disk 1 Vendor: ST3120026A 8.01 Size: 114472MB BusType: 3
00:02:34.281 Disk 0 MBR read successfully
00:02:34.281 Disk 0 MBR scan
00:02:34.281 Disk 0 Windows XP default MBR code
00:02:34.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39195 MB offset 63
00:02:34.296 Disk 0 scanning sectors +80272080
00:02:35.109 Disk 0 scanning C:\WINDOWS\system32\drivers
00:02:58.437 Service scanning
00:03:28.593 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
00:03:35.765 Modules scanning
00:03:54.609 Disk 0 trace - called modules:
00:03:54.640 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys sptd.sys hal.dll intelide.sys
00:03:54.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f5fab8]
00:03:54.640 3 CLASSPNP.SYS[f76aefd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86f84d98]
00:03:54.640 Scan finished successfully
00:05:04.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\3rdadmin\Desktop\MBR.dat"
00:05:04.609 The log file has been saved successfully to "C:\Documents and Settings\3rdadmin\Desktop\aswMBR.txt"



SystemLook 30.07.11 by jpshortstuff
Log created at 00:41 on 16/03/2012 by 3rdadmin
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [16:40 03/02/2012] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [17:41 19/08/2010] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c- 96512 bytes [12:00 04/08/2004] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [12:00 04/08/2004] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-= EOF =-
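The SystemLook filefind output above is what a helper uses to confirm that every on-disk copy of a driver (ERDNT cache, ServicePackFiles, dllcache, and the live system32\drivers copy) carries the same MD5; a live copy whose hash differs from the reference copies is the pattern a patched driver shows. As an added example, not part of this thread or of SystemLook, the Python below parses such lines and reports any file whose copies disagree; the second log is constructed from the first with a placeholder hash on the live copy to show a mismatch.

```python
import re
from collections import defaultdict

# One SystemLook "filefind" result line:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# The four atapi.sys lines from the SystemLook log posted in this thread.
CLEAN_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [16:40 03/02/2012] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 96512 bytes [17:41 19/08/2010] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c- 96512 bytes [12:00 04/08/2004] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [12:00 04/08/2004] [23:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
-= EOF =-
"""

# Constructed variant: the last line (the live system32\drivers copy) gets a
# placeholder hash, standing in for what a patched driver would show.
GOOD_MD5 = "9F3A2F5AA6875C72BF062C712CFA2674"
PLACEHOLDER_MD5 = "0" * 32
_head, _tail = CLEAN_LOG.rsplit(GOOD_MD5, 1)
TAMPERED_LOG = _head + PLACEHOLDER_MD5 + _tail


def parse_filefind(log_text):
    """Map each file name (lower-case) to a list of (path, size, md5) entries."""
    copies = defaultdict(list)
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue  # 'Searching for' headers, section markers, EOF line
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        copies[name].append((path, int(m.group("size")), m.group("md5").upper()))
    return dict(copies)


def check_consistency(copies):
    """Group each file's copies by MD5 and report files with more than one hash.
    Returns {file name: {md5: [paths]}} for the inconsistent files only."""
    report = {}
    for name, entries in copies.items():
        by_hash = defaultdict(list)
        for path, _size, md5 in entries:
            by_hash[md5].append(path)
        if len(by_hash) > 1:
            report[name] = dict(by_hash)
    return report


if __name__ == "__main__":
    for name, groups in check_consistency(parse_filefind(TAMPERED_LOG)).items():
        print(f"{name}: {len(groups)} distinct hashes")
        for md5, paths in groups.items():
            print(f"  {md5}: {', '.join(paths)}")
```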

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2012 - 09:07 AM

I've downloaded and installed BurnAware Free but this software is bundled with Searchqu which was also installed at the same time without the option not to install it, which sucks. Can you assist with getting rid of Searchqu?


Thank you for the information. I will change my canned speed.

Do you remember getting an option to install or not this Searchqu or did it get installed without your consent?
===

Please post a fresh DDS log for my review.

===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall


I will give you a script to remove Searchqu after I have reviewed the files.

#12 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • Gender:Male

Posted 16 March 2012 - 10:38 AM

I've downloaded and installed BurnAware Free but this software is bundled with Searchqu which was also installed at the same time without the option not to install it, which sucks. Can you assist with getting rid of Searchqu?


Thank you for the information. I will change my canned speed.

Do you remember getting an option to install or not this Searchqu or did it get installed without your consent?


I didn't see an option to install or not install Searchqu, which is why I said it sucks.

I'll get on with the scanning etc.

BTW what is canned speed and what info did I give to make you change yours - just wondering that's all.

I've just realised I haven't carried out the instructions below yet. Do you still want me to?

You will need to download the files to a good computer.

Copy them to the infected computer and run them.

===

When at the other computer get this tool also.
Make the bootable CD or flash drive.
We may need to run it later.

PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?


Summarizing:

  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

Post the content of the file for my review.
Let me know what problem persists.


Edited by duffsparky, 16 March 2012 - 10:43 AM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2012 - 12:18 PM

BTW what is canned speed and what info did I give to make you change yours

Sorry it should have been canned speech.

If we were to redo all of our speeches/instructions it would take a long time.
We have prepared text for many situations. I called them canned speech.

You are the first one reporting that this tool installs Searchqu, which I know is not recommended by this community.

p.s. Can this Toolbar be removed using the Add/Remove Programs list?

Edited by nasdaq, 16 March 2012 - 12:30 PM.


#14 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • Gender:Male

Posted 16 March 2012 - 09:27 PM

There appears to be 2 versions of the Burnaware Free download.

  • One version comes bundled with Ask.com ToolBar and there is an option to not install that toolbar. This version I downloaded using your link and being redirected to hxxttp://fileforum.betanews.com/download/BurnAware_Free/1212419334/2. This version was downloaded onto my PC1 (Play) which Gringo helped me clean out the malware from.
  • A 2nd version comes bundled with Searchqu and there is an option to not install it, although you have to select the custom installation of Burnaware and then deselect the Searchqu software, which I obviously missed.

This 2nd version of Burnaware Free I downloaded on to a recently built machine (PC4) with a reformatted HDD and a fresh clean(?) install of XP Pro SP3 (put together to help with cleaning my other PCs of malware). For this download I did not use your link because it would not work when I typed the url taken from your link into the address bar. I accessed the BurnAware website via a Google search instead.

Also since installing this 2nd version of Burnaware Free another piece of software has installed in the form of a shortcut to 'Get The Best Facebook Chat Messenger' that has appeared on the desktop. The Properties of this shortcut show the Target as being 'http://www.ftalk.com/?r=135' and it starts in 'C:\Docume~1\{username}\LOCALS~1\TEMP', however, I could not find any reference to it in the folder indicated.

I do hope I haven't infected my clean PC4

This 2nd version of BurnAware can be uninstalled from Control Panel as can Searchqu although I'm now concerned this version of BurnAware has been hijacked/tampered with before I downloaded it. Uninstalling BA and SQ did not remove the 'Get The Best Facebook Chat Messenger' shortcut.

Edited by nasdaq, 17 March 2012 - 08:59 AM.


#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 March 2012 - 09:01 AM

This 2nd version of Burnaware Free I downloaded on to a recently built machine (PC4) with a reformatted HDD and a fresh clean(?) install of XP Pro SP3 (put together to help with cleaning my other PCs of malware). For this download I did not use your link because it would not work when I typed the url taken from your link into the address bar. I accessed the BurnAware website via a Google search instead.


Well I'm not responsible for this version. Do you remember where you got it from?

===

So where do we stand with this computer that you asked to be reviewed?



For any other computer you will have to start a new topic and get a helper to look at your logs.