
Malwarebytes

Erratic mouse, can't shut down, trojan horse


50 replies to this topic

#1
DLGolfs

    Regular Member

  • Honorary Members
  • 82 posts
  • Gender:Female
  • Location:Pittsburgh, PA
I am getting erratic mouse movement and flashing dialog boxes; it shuts down Outlook automatically, and I have to hard boot to shut the computer down.
I can only use the computer for 10 on Outlook or IE 7, then the problem begins.
I run Lavasoft in the background and AVG Free.
I have a firewall on my router and on Windows, no exceptions.

Ran Safety Live (Windows OneCare) and Trend Micro scans, did not find it.

Ran HijackThis, nothing there I don't recognize as valid.

Problem persists.

Ran Malwarebytes and it found 12 Trojan horses, log attached. Looked at the registry and they are gone.

Deleted Cyberdefender also in the registry and all related entries.

Used the computer, problem is back.

Ran Malware again and again, full and partial, and it did not find the problem, only cookies.

Ran Lavasoft, and it did not find anything until the 4th try, and only one Trojan horse, not 12 like Malware, but this was after Malware ran.
Still have problem.

My question is first about the Trojan horse, but why doesn't Malware pick it up after it happens again?

Secondly, I was ready to buy it, but if it does not pick it up then why buy it and continue to have the problem?

I can't keep running Malware when it does not show anything and the problem comes back.

My big question is why Malware found the problem the first time and then, when it returned, it did not.



DLGolfs

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Sorry for the delay. If you still require assistance please post and let us know and we'll help you out.

Thanks
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
DLGolfs

    Regular Member

  • Honorary Members
  • 82 posts
  • Gender:Female
  • Location:Pittsburgh, PA
I don't understand your answer "please post". I did post; that post is what you replied to!

I attached my files, etc.

My question is: WHY DIDN'T MALWAREBYTES PICK UP THE PROBLEM THE SECOND TIME? It picked it up once, then when it occurred again, it did not pick up anything. I want to buy it, but why should I if it does not work?
confused :)

AdvancedSetup, on May 20 2009, 01:59 AM, said:

Sorry for the delay. If you still require assistance please post and let us know and we'll help you out.

Thanks

DLGolfs

#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
I asked so that I don't waste time writing up a repair routine. Many users post, and if you don't reply within a few hours they leave and never come back.
If I spend time writing up stuff for everyone who is gone and not coming back, it wastes a lot of my time.

Please run the following.

STEP 01
Update and Scan with Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new HijackThis log.

STEP 02
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has one.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double-click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03
    Please create a BOOTLOG
  • Delete the following file if it exists: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

    If you're already running inside Windows you can enable it the following way.

  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts, open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All, then Edit, COPY, and post that back in your next reply.
  • NOTE: If the file is over about 150 lines or so, then DELETE the C:\Windows\ntbtlog.txt file, restart the computer and post the NEW one it creates.
  • NOTE: Vista users can type it in the Search box and it will show on the menu; then right-click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log

STEP 04
Please download the following scanning tool: GMER
  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  • Double-click on the randomly named exe file and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done, click on the SAVE button, browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file, save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
Ron Lewis
Manager, Online Support


#5
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Please post a status update on this

Thanks
Ron Lewis
Manager, Online Support


#6
DLGolfs

    Regular Member

  • Honorary Members
  • 82 posts
  • Gender:Female
  • Location:Pittsburgh, PA
First let me say that at the beginning of the procedure, I did not have the problem for one week.

I performed all the tasks except one and have attached the files. I could not run GMER; actually, the downloading of that file GAVE ME THE PROBLEM BACK!!

It would not let me save the download to my hard drive, I could only click Run, then I could not click Scan, the dialog box "OK" kept flashing, the dialog box flashed all over the place, I HAD THE PROBLEM AGAIN.

I ran a full scan with Malware and Lavasoft, and neither detected anything.

I checked the registry and there were no Trojan horses in the places that Malware found them initially.

I tried to search for the gmer.exe file and the wx8scbo7.exe (the file that it said it downloaded) and could not find either one.

NOW WHAT?????

I followed your procedure and got infected again...
How do I get rid of the downloaded file of GMER?
I deleted my temp files, is that enough?


Basically the screen is flashing, "clicking" all over and erratic; it will not let me open Malware or Lavasoft; the only way to get rid of it is to do a hard reboot.

Here is more information:


AdvancedSetup, on May 22 2009, 01:47 AM, said:

Please post a status update on this

Thanks



DLGolfs

#7
DLGolfs

    Regular Member

  • Honorary Members
  • 82 posts
  • Gender:Female
  • Location:Pittsburgh, PA
I can only stay online for a few minutes and then the problem starts; please send the reply here and to DLGOLFS@zoominternet.net, otherwise I may not be able to access the answer.

Note: along with the erratic mouse, sometimes when I type it types backwards.

It will not let me choose an icon; I have to reboot, and as long as I stay off IE then I am OK. Outlook also brings the problem to the surface.

I did a system restore to the point before I downloaded the GMER.

Can you tell me where it downloaded the file, so I can delete it?

I deleted my temp files but the problem is still there.
I did a system clean-up, but after a certain amount of time on the net, it comes back.

Malware does not detect it on a full scan or partial scan.

This is annoying. I wish I had never downloaded the GMER; I was OK until that time.

My AVG does not detect it, why doesn't Malware detect it? Lavasoft did detect it as Trojankill, but now even that one did not detect it.

HELP me.....


DLGolfs

#8
DLGolfs

    Regular Member

  • Honorary Members
  • 82 posts
  • Gender:Female
  • Location:Pittsburgh, PA
Just an update:

I ran Windows Defender, Spybot, Malware, Lavasoft and AVG full scans, and not one found the problem.

It does seem to be gone again, but the reports show nothing.
DLGolfs

#9
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
If GMER is installed there should be a batch file named: C:\windows\gmer_uninstall.cmd you can run that to remove it.

I don't think that is your issue though. The bootlog shows that there is something running on the box out of the %temp% folder which is not good.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support

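As an added example (not code from Malwarebytes, from Ron Lewis, or from this thread), here is a small Python parser for the ntbtlog.txt format produced in STEP 03 above. It flags loaded kernel drivers that live outside \WINDOWS\system32, which is how the %temp% driver mentioned in this reply stands out, and lists drivers that differ between boot sessions, which is the "compare the logs" question the poster keeps asking. The sample log is a constructed excerpt in the page's own format; the session-header pattern and the profile-directory markers are assumptions.

```python
import re

# Constructed sample: a short excerpt in the format of the ntbtlog.txt
# pasted in this thread (two boot sessions, most driver lines omitted).
SAMPLE_BOOTLOG = r"""
Service Pack 3 5 23 2009 08:58:11.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Loaded driver \??\C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Service Pack 3 5 23 2009 18:22:03.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
"""

# One header line per boot. Assumption: XP writes
# "Service Pack N <month> <day> <year> <hh:mm:ss.fff>" as seen on this page.
SESSION_RE = re.compile(r"^Service Pack \d+ \d+ \d+ \d{4} \d{2}:\d{2}:\d{2}\.\d+$")
ENTRY_RE = re.compile(r"^(Loaded|Did not load) driver (.+)$")

SYSTEM_DIR = "\\windows\\system32\\"
# Assumption: substrings that identify a user profile or temp location.
PROFILE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")


def parse_bootlog(text):
    r"""Split the log into boot sessions: [(header, [(loaded, raw_path), ...])]."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if SESSION_RE.match(line):
            sessions.append((line, []))
        elif sessions:
            m = ENTRY_RE.match(line)
            if m:
                sessions[-1][1].append((m.group(1) == "Loaded", m.group(2)))
    return sessions


def normalize(path):
    r"""Map the three spellings the log uses onto one lower-case form.

    \??\C:\WINDOWS\... and \SystemRoot\... both become \windows\..., and a
    bare boot-start name such as ACPI.sys is assumed to live in
    system32\drivers (assumption: the system drive holds \WINDOWS).
    """
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]                      # strip the NT object-manager prefix
        if len(p) > 2 and p[1] == ":":
            p = p[2:]                  # drop the drive letter
    if p.startswith("\\systemroot\\"):
        p = "\\windows\\" + p[len("\\systemroot\\"):]
    if "\\" not in p:
        p = SYSTEM_DIR + "drivers\\" + p
    return p


def classify(path):
    r"""Return None for a driver under \WINDOWS\system32, else why it is odd."""
    p = normalize(path)
    if p.startswith(SYSTEM_DIR):
        return None
    if any(marker in p for marker in PROFILE_MARKERS):
        return "kernel driver loaded from a user profile or temp directory"
    return "kernel driver loaded from outside the Windows system directory"


def suspicious_drivers(sessions):
    """(session header, raw path, reason) for each loaded driver outside system32."""
    findings = []
    for header, entries in sessions:
        for loaded, path in entries:
            reason = classify(path) if loaded else None
            if reason:
                findings.append((header, path, reason))
    return findings


def compare_sessions(sessions):
    """Drivers that did not load in every boot: {normalized path: [session indexes]}.

    Repeated loads of the same driver (kmixer.sys in the real log) collapse
    into one entry, so only genuine differences between boots are reported.
    """
    seen = {}
    for i, (_, entries) in enumerate(sessions):
        for loaded, path in entries:
            if loaded:
                seen.setdefault(normalize(path), set()).add(i)
    return {p: sorted(s) for p, s in seen.items() if len(s) != len(sessions)}


if __name__ == "__main__":
    sessions = parse_bootlog(SAMPLE_BOOTLOG)
    for header, path, reason in suspicious_drivers(sessions):
        print(f"[{header}] {path}: {reason}")
    for path, idxs in compare_sessions(sessions).items():
        print(f"changed between boots: {path} (loaded in sessions {idxs})")
```

Run it against a real C:\Windows\ntbtlog.txt by reading the file into parse_bootlog in place of SAMPLE_BOOTLOG; a driver flagged under a Temp or profile path is the kind of entry a helper wants to see before choosing a removal tool.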

#10
DLGolfs

    Regular Member

  • Honorary Members
  • 82 posts
  • Gender:Female
  • Location:Pittsburgh, PA
I have read your reply and I am familiar with the Recovery Console but have NO idea how to use it.

I am concerned that if the removal does give me a problem, that is, not being able to run the computer at all and therefore not being able to get online for help, I am toast. I could do this ComboFix and be assured that it would not render me unable to use the computer, but after I read the procedure, this may not be true. I have built a computer, changed the registry, etc., but if I would get into a situation using this tool where I am stuck, I have NO way of getting back to you. I would think I would have to do this live. What do you think? See, I ran the GMER and got the problem again and it took days to get rid of it. Do you have a live service?

Why doesn't Malware get rid of this?

Since now the problem is gone, I have tried to attach another boot log that you can view to see if the problem still exists, but the system would not let me, so I have to paste it in this post, sorry. I guess the file is too big.

Also, it seems (from the log from Malware) that the problem attacked IE and Cyberdefender. So I deleted the Cyberdefender in the registry (I did this and the problem came back, although Malware did not find it again).

Also, in the msconfig BOOT.INI section, on the top there are several lines and it seems (and I might be mistaken) that there is an extra line:

Multi (0) disk (0) partition (0) windows = "Microsoft Windows XP Pro" /fast detect/no execute = optin

As I said, there are 5 lines in the top box and I can only highlight the one above; it will not let me highlight any of the others. Is this normal?

In the WIN.INI tab, I disabled the following:

cyderkeepsafe
Mscondig Client ID {B54FC6DD etc.

I felt that I should disable this since Malware found the Trojan horse in this software in the registry.

Another note: in the processes, the SVC.host runs even if IE is not open. Is that my online service? It runs all the time. This too is a problem b/c you want me to shut off my anti-virus and Malware, and if it is running I may get a bigger problem. I am not trying to avoid the issue, but I have to be able to do the procedure, and if I get a problem I would have to go to another computer, like in a library, get on the Malware site, e-mail you and then keep going back every day to see the reply. I can't take that chance. I want to get rid of it, but I think this step needs to be done live. Do you understand my position?

Here is the boot log, maybe you can compare it and see if anything has changed:

Service Pack 3 5 23 2009 08:58:11.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver sisagp.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\L8042mou.Sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouKE.Sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\L8042Kbd.sys
Loaded driver \SystemRoot\System32\DRIVERS\msikbd2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\drivers\msmpu401.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\DRIVERS\InCDPass.sys
Loaded driver \SystemRoot\System32\Drivers\incdrm.SYS
Loaded driver \SystemRoot\system32\DRIVERS\vvoice.sys
Loaded driver \SystemRoot\system32\DRIVERS\vpctcom.sys
Loaded driver \SystemRoot\system32\DRIVERS\vmodem.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptserial.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\drivers\cmuda.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netflx3.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\InCDfs.SYS
Loaded driver \SystemRoot\System32\Drivers\InCDrec.SYS
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\System32\DRIVERS\asyncmac.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Service Pack 3 5 23 2009 09:46:54.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver sisagp.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\L8042mou.Sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouKE.Sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\L8042Kbd.sys
Loaded driver \SystemRoot\System32\DRIVERS\msikbd2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\drivers\msmpu401.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\DRIVERS\InCDPass.sys
Loaded driver \SystemRoot\System32\Drivers\incdrm.SYS
Loaded driver \SystemRoot\system32\DRIVERS\vvoice.sys
Loaded driver \SystemRoot\system32\DRIVERS\vpctcom.sys
Loaded driver \SystemRoot\system32\DRIVERS\vmodem.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptserial.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\drivers\cmuda.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netflx3.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\InCDfs.SYS
Loaded driver \SystemRoot\System32\Drivers\InCDrec.SYS
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\asyncmac.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
DLGolfs

#11
AdvancedSetup

Yes, the box still shows a hidden program running. I understand your concern, but there is always a possibility that the removal can break the computer. In fact some Malware almost assures that it will break the computer by removing it, and it then requires some manipulation to undo the damage it has done, if it's even possible. Some Malware damages the system beyond easy repair methods.

Another option is to run this offline AV scanner and see if it can find and remove the infection. Though it too can potentially break the box as well.
I'm sorry but I cannot guarantee that nothing will happen and the box will be okay. I can say that in 99.9% of all the posts I've done using Combofix and other tools the box has been fixed. Yes, there have been a couple that have not survived the Malware and required a rebuild, but not many.


Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues
  • Please see the post here if you're unable to view the entire screen of Avira.
  • You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  • Currently only the German keyboard is supported. The command line is not working; English keyboards require workarounds.
  • Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
Ron Lewis
Manager, Online Support


#12
DLGolfs

I will think about using the download and see if I want to use it. I will burn it and keep it.

Do you think I should wait until the problem appears again?

Why does it go away and then come back if it is indeed a bootable file?

Is there any live person I can talk to if my system crashes? That is, if this crashes my box?

Should I make a back up of all my data before I run it?

Can the "crash" be fixed with the recovery console?

Do you have a procedure for using the recovery console if I have to use it and a live person is not available?

Lastly, about 1-2 months before this problem arose, I would shut my box off and then come home and it would be on. Would this you see in the boot.ini be the culprit and NOT related to the problem? Or is this the problem?

The only thing that I changed is the keyboard, I went to a wireless, and almost immediately I came home and the box was running. I cut the power now to stop it. Then I forget to turn the power off and nothing happens, and then I forget to turn the power off and it is on, like today.

About a year ago, I had this same problem, ran Trend Micro and it was gone immediately, a trojan horse.

Why isn't Malware picking it up and destroying it? I want to buy it but .....
DLGolfs

#13
AdvancedSetup

I will think about using the download and see if I want to use it. I will burn it and keep it.
AS: It is a good program to have around

Do you think I should wait until the problem appears again?
AS: No, not unless you never use this computer for ANY Banking or sites that require a password, etc as you could easily be handing that information over to someone else.
You have some file running in %temp% that has not been identified. Whether it is Malware or a Virus, we don't know without running more tools, which do have the potential to break the box.


Why does it go away and then come back if it is indeed a bootable file?
AS: I didn't write the file and I don't have a copy of it to analyze with a debugger so I can't really answer that for you.

Is there any live person I can talk to if my system crashes? That is , if this crashes my box?
AS: No, I'm sorry but forum support and email support is all that is provided

Should I make a back up of all my data before I run it?
AS: Backups are always a must. If you don't back up your data then you're just looking for trouble, as sooner or later you could have a hard drive failure bad enough that the data could not be restored.

Can the "crash " be fixed with the recovery console?
AS: Possibly, it really depends on what IF anything happens. Do you have the actual Windows XP installation CD and the COA key on the side of your computer to reinstall Windows if you had to?

Do you have a procedure for using the recovery console if I have to use it and a live person is not available?
AS: It's just basic DOS commands that can be run. There are Websites that do discuss each and every command, but I don't have it documented myself in a format that I can post.

Lastly, about 1-2 months before this problem arose, I would shut my box off and then come home and it would be on. Would this you see in the boot.ini be the culprit and NOT related to the problem? Or is this the problem?
AS: Very odd to have Malware/Virus perform such a task. I really don't see how they could, even if they had complete control of your computer remotely. Wake On LAN would be the only way, and I suppose it's possible but very unlikely to get that to work over the Internet.
That sounds more like an intermittent hardware problem that might have coincided with Malware.


The only thing that I changed is the keyboard, I went to a wireless, and almost immediately I came home and the box was running. I cut the power now to stop it. Then I forget to turn the power off and nothing happens, and then I forget to turn the power off and it is on, like today.

About a year ago, I had this same problem, ran trend micro and it was gone immediately, a trojan horse
AS: With those exact symptoms I find it difficult to believe it was a Trojan

Why isn't Malware picking it up and destroying it? I want to buy it but .....
AS: New Malware comes out every day by the hour, and there is not a single product on the market that can detect and remove every single piece of Malware at any given time. All of them update daily, track down new Malware and write code to remove it. All I can say is that Malwarebytes is one of the front runners when it comes to detecting and removing Malware. Whether or not you purchase the program does not affect the ability to detect or remove Malware. The FREE and Paid versions operate the same in that respect. The paid version adds live protection to attempt to stop Malware from getting on the box in the first place, it adds scheduling, and some other features described on the main Website page.

AS: If you can't take the time or risk of doing it on your own then I'd suggest taking it to a Computer Repair shop, but they're basically going to do quite similar tasks that I'm asking you to do except they're going to charge you and make you leave the computer with them for days.
Ron Lewis
Manager, Online Support


#14
DLGolfs

THANK YOU SO MUCH for the replies, I do have the XP disc and hope that it does not crash.

I have to wait until Saturday to do it, so if it does crash I will be ready.

I backed up my outlook .pst, doc, fav, ex, etc, pictures and am ready to do it Saturday.

I just don't know DOS commands for the recovery console, so I don't know what to type.

I will research it on Microsoft website to get information.

Wish me luck!!

One thing, why do you think that GMER brought it to the surface again?

Also, I never found the installation files for that program on my box.
DLGolfs

#15
AdvancedSetup

I think that CF is using GMER as part of its scanning tools (I've not checked to confirm this but that would be my guess)

Many of the recent Malware variants have started to heavily target many of the tools used to detect and remove them so it can be difficult to get them off at times.
Ron Lewis
Manager, Online Support


#16
AdvancedSetup

When ready please run the scans and post the logs. I have a busy weekend so not sure if I'll have time to reply before Monday night or not, but I'll try.
Ron Lewis
Manager, Online Support


#17
DLGolfs

What does CF stand for?

AdvancedSetup, on May 27 2009, 08:19 PM, said:

    I think that CF is using GMER as part of its scanning tools (I've not checked to confirm this but that would be my guess)

    Many of the recent Malware variants have started to heavily target many of the tools used to detect and remove them so it can be difficult to get them off at times.

DLGolfs

#18
AdvancedSetup

CF = ComboFix
MBAM = Malwarebytes Anti-Malware
HJT = Hijackthis
Ron Lewis
Manager, Online Support


#19
DLGolfs

Well, that is the fastest I have ever prayed :rolleyes:

All went OK, I hope that it is gone.

I have attached the HijackThis, ComboFix and boot.ini logs, but it would not let me upload the HijackThis log so I put this in the body of this mail.

I did not know if you wanted the DDS again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:43 AM, on 5/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtMonEx.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--
End of file - 1977 bytes

Attached Files


DLGolfs

#20
AdvancedSetup

STEP 01
Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


STEP 02
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::

AtJob::

File::
C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
Posted Image
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03
  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here
    Note: If you're using a PAID version of Malwarebytes, you will need to reactivate the program using the license you were sent via e-mail.
BEFORE registering and starting the Protection Module, locate the Exclusion List for your Anti-Virus. Probably under an advanced menu in the program.
Add the following folders, sub-folders if you can, at a minimum add the files to the exclusion to be safe.

  • C:\Program Files\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\WINDOWS\system32\drivers\mbam.sys
  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Then UPDATE the MBAM definition files and do a QUICK SCAN and post back that log.

STEP 04
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
Ron Lewis
Manager, Online Support

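The diagnosis this thread turns on is a driver loading from a user Temp folder, the file the CFScript above tells ComboFix to remove. As an added example (not part of this thread, nor code from Malwarebytes, ComboFix or HijackThis), here is a small Python checker that reads ntbtlog-style "Loaded driver" lines and the bare paths of a HijackThis "Running processes" section and flags anything living under Temp or a user profile. The trusted-root and suspect-marker lists are my assumptions for a Windows XP box; the sample lines are constructed from paths quoted in this thread, with "example.exe" as a placeholder.

```python
"""Flag boot-log and process-list entries that load from a user Temp or
profile directory (added example; not part of this thread or of any tool
it mentions)."""
import re

# Match ntbtlog.txt lines; group 2 is the driver path or bare file name.
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")
# A bare Windows path, as in the 'Running processes' section of a HijackThis log.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\)")

# Assumed: where a Windows XP driver or service binary normally lives
# (compared lowercase).
TRUSTED_ROOTS = (
    "\\systemroot\\",
    "\\windows\\",
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# Assumed: path fragments no legitimate kernel driver should contain.  Checked
# before TRUSTED_ROOTS so that C:\WINDOWS\Temp is still flagged.
SUSPECT_MARKERS = (
    "\\temp\\",
    "\\docume~1\\",              # 8.3 short form of Documents and Settings
    "\\documents and settings\\",
    "\\locals~1\\",              # 8.3 short form of Local Settings
    "\\local settings\\",
)


def normalize(path):
    """Lowercase and strip the NT object-manager prefix \\??\\ that ntbtlog
    prints in front of drive-letter paths."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def classify(path):
    """Return 'system', 'suspect' or 'review' for one driver/process path."""
    p = normalize(path)
    if "\\" not in p:
        return "system"  # bare boot-driver names (ACPI.sys) resolve to system32
    if any(marker in p for marker in SUSPECT_MARKERS):
        return "suspect"
    if p.startswith(TRUSTED_ROOTS):
        return "system"
    return "review"  # unusual root: worth a look, not automatically bad


def scan(lines):
    """Return (path, verdict) for each distinct entry that is not plainly
    'system'.  Headings, timestamps and HijackThis O-entries are skipped."""
    findings = []
    seen = set()
    for line in lines:
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            path = m.group(2)
        elif PATH_RE.match(line):
            path = line
        else:
            continue
        key = normalize(path)
        if key in seen:
            continue
        seen.add(key)
        verdict = classify(path)
        if verdict != "system":
            findings.append((path, verdict))
    return findings


# Constructed sample: lines modelled on the logs in this thread, plus the
# Temp-folder driver named in the CFScript and a placeholder 'example.exe'.
SAMPLE_LOG = r"""
Service Pack 3 5 23 2009 18:22:03.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Loaded driver \??\C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    # Run stand-alone: prints the two Temp-folder entries, nothing else.
    for path, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:8} {path}")
```

A "review" verdict only means the path is outside the assumed roots; compare such entries against the vendor paths in the HijackThis log before acting on them.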




