
Erratic mouse, can't shut down, trojan horse



I am getting erratic mouse movement, flashing dialog boxes, Outlook shuts down automatically, and I have to hard boot to shut the computer down.

I can only use the computer for 10 on Outlook or IE 7, then the problem begins.

I run Lavasoft in the background and AVG Free.

I have a firewall on my router and on Windows, no exceptions.

Ran Safety Live (Windows OneCare) and Trend Micro scans, did not find it.

Ran HijackThis, nothing there I don't recognize as valid.

Problem persists.

Ran Malwarebytes and found 12 Trojan horses, log attached. Looked at the registry and they are gone.

Deleted CyberDefender also in the registry and all related entries.

Use computer, problem is back.

Ran Malwarebytes again and again, full and partial, and it did not find the problem, only cookies.

Ran Lavasoft, and it did not find anything until the 4th try, and then only one Trojan horse, not 12 like Malwarebytes, but this was after Malwarebytes ran.

Still have problem.

My question is first about the Trojan horse, but why doesn't Malwarebytes pick it up after it happens again?

Secondly, I was ready to buy it, but if it does not pick it up then why buy it and continue to have the problem?

I can't keep running Malwarebytes when it does not show anything and the problem comes back.

My big question is why Malwarebytes found the problem the first time and then, when it returned, it did not.

mbam_log_2009_05_16__17_50_27_.txt

hijackthis__5_17_2009.txt



I don't understand your answer "please post". I did post; that post is what you replied to!

I attached my files, etc.

My question is: WHY DIDN'T MALWAREBYTES PICK UP THE PROBLEM THE SECOND TIME? It picked it up once, then when it occurred again it did not pick up anything. I want to buy it, but why should I if it does not work?

confused :)

Sorry for the delay. If you still require assistance please post and let us know and we'll help you out.

Thanks


  • Root Admin

I asked so that I don't waste time writing up a repair routine. Many users post and if you don't reply within a few hours they leave and never come back.

If I spend time writing up stuff for everyone that is gone and not coming back it wastes a lot of my time.

Please run the following.

STEP 01

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has one.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG
  • Delete the following file if it exists: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.

First let me say that at the beginning of the procedure, I did not have the problem for one week.

I performed all the tasks except one and have attached the files. I could not run GMER; actually, the downloading of that file GAVE ME THE PROBLEM BACK!!

It would not let me save the download to my hard drive, I could only click Run. Then I could not click Scan; the dialog box "OK" kept flashing, the dialog box flashed all over the place, I HAD THE PROBLEM AGAIN.

I ran a full scan with Malwarebytes and Lavasoft, and both did not detect anything.

I checked the registry and there were no Trojan horses in the places that Malwarebytes found them initially.

I tried to search for the gmer.exe file and the wx8scbo7.exe (the file that it said it downloaded) and could not find either one.

NOW WHAT?????

I followed your procedure and got infected again...

How do I get rid of the downloaded file of GMER?

I deleted my temp files, is that enough?

Basically the screen flashing "clicking" all over and erratic, it will not let me open Malwarebytes or Lavasoft; the only way to get rid of it is to do a hard reboot.

Here is more information:

Quote from AdvancedSetup (May 22 2009, 01:47 AM, post 82428):

    Please post a status update on this

    Thanks

Attach_5_22_2009.txt

DDS__5_22_2009.txt

mbam_log_2009_05_16__17_50_27_.txt

mbam_log_2009_05_23__09_40_09_.txt

mbam_log_2009_05_23__11_54_19_.txt

ntbtlog.txt



I can only stay online for a few minutes and then the problem starts. Please send the reply here and to DLGOLFS@zoominternet.net, otherwise I may not be able to access the answer.

Note: along with the erratic mouse, sometimes when I type it types it backwards.

It will not let me choose an icon; I have to reboot, and as long as I stay off IE then I am OK. Outlook also brings the problem to the surface.

I did a system restore to the point before I downloaded GMER.

Can you tell me where it downloaded the file, so I can delete it?

I deleted my temp files but the problem is still there.

I did a system clean-up, but after a certain amount of time on the net, it comes back.

Malwarebytes does not detect it on full scan or partial scan.

This is annoying. I wish I had never downloaded GMER; I was OK until that time.

My AVG does not detect it, why doesn't Malwarebytes detect it? Lavasoft did detect it as Trojankill but now even that one did not detect it.

HELP me.....


  • Root Admin

If GMER is installed there should be a batch file named: C:\windows\gmer_uninstall.cmd you can run that to remove it.

I don't think that is your issue though. The bootlog shows that there is something running on the box out of the %temp% folder which is not good.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

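STEP 03 above produces ntbtlog.txt, and the reply above reads it by eye for a driver loading out of the Temp folder. The script below does that read mechanically: it splits the log into boot sessions (XP appends a new "Service Pack 3 <date> <time>" block on every logged boot, which is why STEP 03 deletes the file first) and lists every loaded driver whose path is not under the Windows directory. It is an added example written for this page, not code from Malwarebytes or from anyone in the thread. The sample log is constructed in the ntbtlog.txt format shown in the thread (the USER~1 user name is invented), and the trusted-prefix list is this example's own assumption for a default C:\WINDOWS install.

```python
"""Flag kernel drivers that an ntbtlog.txt shows loading from outside the
Windows directory, grouped by boot session.

Added example for this thread; not Malwarebytes' or the poster's code.
The sample log is constructed in the XP ntbtlog.txt format (USER~1 is a
made-up profile name); TRUSTED_PREFIXES assumes %SystemRoot% is C:\WINDOWS.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample: two boot sessions; only the first loads a driver from %TEMP%.
SAMPLE_BOOTLOG = r"""
Service Pack 3 5 23 2009 08:58:11.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Loaded driver \??\C:\DOCUME~1\USER~1\LOCALS~1\Temp\askiaaqy.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Service Pack 3 5 23 2009 09:46:54.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
"""

LOADED = "Loaded driver "
NOT_LOADED = "Did not load driver "

# Where drivers are expected to come from on a default install (assumption:
# %SystemRoot% is C:\WINDOWS; add your own root if it differs).  Boot-start
# drivers appear as bare names (ACPI.sys) and are treated as system too.
TRUSTED_PREFIXES = ("\\windows\\", "\\systemroot\\", "\\??\\c:\\windows\\")

# Substrings marking user-writable locations a kernel driver should not live in.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")


def parse_bootlog(text: str) -> List[Tuple[str, List[Tuple[bool, str]]]]:
    """Split ntbtlog.txt into [(session_header, [(loaded?, path), ...]), ...].

    Any non-empty line that is not a driver entry starts a new boot session;
    on XP that is the 'Service Pack 3 <date> <time>' header line.
    """
    sessions: List[Tuple[str, List[Tuple[bool, str]]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED):
            entry = (True, line[len(LOADED):].strip())
        elif line.startswith(NOT_LOADED):
            entry = (False, line[len(NOT_LOADED):].strip())
        else:
            sessions.append((line, []))
            continue
        if not sessions:                      # entries before any header line
            sessions.append(("<no header>", []))
        sessions[-1][1].append(entry)
    return sessions


def classify(path: str) -> str:
    """Label one driver path: 'system', 'user-writable' or 'outside-system-dir'."""
    p = path.lower()
    if "\\" not in p:
        return "system"                       # bare name: boot-start driver from system32\drivers
    if p.startswith(TRUSTED_PREFIXES):
        return "system"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "outside-system-dir"


def suspicious_drivers(text: str) -> List[Dict[str, str]]:
    """Every *loaded* driver whose path is not under the Windows directory,
    tagged with the boot session it appeared in so the hit can be matched
    against when a particular tool was run on the machine."""
    hits: List[Dict[str, str]] = []
    for header, entries in parse_bootlog(text):
        for loaded, path in entries:
            if not loaded:
                continue
            label = classify(path)
            if label != "system":
                hits.append({"session": header, "path": path,
                             "name": path.rsplit("\\", 1)[-1], "label": label})
    return hits


def session_count(text: str) -> int:
    """Number of logged boots in the file (it is appended to, never truncated)."""
    return len(parse_bootlog(text))


def read_log(path: str) -> str:
    """Read ntbtlog.txt; sniff for a UTF-16 BOM, otherwise decode leniently."""
    data = open(path, "rb").read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


if __name__ == "__main__":
    log = read_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BOOTLOG
    for hit in suspicious_drivers(log):
        print(f"[{hit['label']}] {hit['name']}  <-  {hit['path']}  (boot: {hit['session']})")
```

Run it as `python bootlog_check.py C:\Windows\ntbtlog.txt` (the script name is whatever you save it as). A hit is a file to fetch and hash, not a verdict: rootkit scanners such as GMER load their own randomly named driver from the user's Temp folder while they run, so compare the boot session's timestamp with when such a tool was used, and expect the file itself to be gone afterwards if the tool cleaned up behind it. Because the file accumulates one block per logged boot, the per-session output also shows whether the driver comes back on a boot where no such tool was run.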

I have read your reply and I am familiar with the Recovery Console but have NO idea how to use it.

I am concerned that if the removal does give me a problem, that is, not being able to run the computer at all and therefore not being able to get online for help, I am toast. I could do this ComboFix and be assured that it would not render me unable to use the computer, but after I read the procedure, this may not be true. I have built a computer, changed the registry, etc., but if I would get into a situation using this tool where I am stuck, I have NO way of getting back to you. I would think I would have to do this live. What do you think? See, I ran the GMER and got the problem again and it took days to get rid of it. Do you have a live service?

Why doesn't Malwarebytes get rid of this?

Since now the problem is gone, I have tried to attach another boot log that you can view to see if the problem still exists, but the system would not let me, so I have to paste it in this post, sorry. I guess the file is too big.

Also, it seems (from the Malwarebytes log) that the problem attacked IE and CyberDefender. So I deleted the CyberDefender in the registry (I did this and the problem came back, although Malwarebytes did not find it again).

Also, in msconfig, in the BOOT.INI section at the top there are several lines and it seems (and I might be mistaken) that there is an extra line:

Multi (0) disk (0) partition (0) windows = "Microsoft Windows XP Pro" /fast detect/no execute = optin

As I said there are 5 lines in the top box and I can only highlight the one above; it will not let me highlight any of the others. Is this normal?

In the WIN.INI tab, I disabled the following:

cyderkeepsafe

Msconfig Client ID {B54FC6DD etc.

I felt that I should disable this since Malwarebytes found the Trojan horse in this software in the registry.

Another note: in the processes, svchost runs even if IE is not open. Is that my online service? It runs all the time. This too is a problem b/c you want me to shut off my anti-virus and Malwarebytes, and if it is running I may get a bigger problem. I am not trying to avoid the issue, but I have to be able to do the procedure, and if I get a problem I would have to go to another computer, like in a library, get on the Malwarebytes site, e-mail you and then keep going back every day to see the reply. I can't take that chance. I want to get rid of it, but I think this step needs to be done live. Do you understand my position?

Here is the boot log; maybe you can compare it and see if anything has changed:

Service Pack 3 5 23 2009 08:58:11.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver pciide.sys

Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver Lbd.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver sisagp.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\L8042mou.Sys

Loaded driver \SystemRoot\system32\DRIVERS\LMouKE.Sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\L8042Kbd.sys

Loaded driver \SystemRoot\System32\DRIVERS\msikbd2k.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys

Loaded driver \SystemRoot\system32\drivers\msmpu401.sys

Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\DRIVERS\InCDPass.sys

Loaded driver \SystemRoot\System32\Drivers\incdrm.SYS

Loaded driver \SystemRoot\system32\DRIVERS\vvoice.sys

Loaded driver \SystemRoot\system32\DRIVERS\vpctcom.sys

Loaded driver \SystemRoot\system32\DRIVERS\vmodem.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptserial.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\drivers\cmuda.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys

Loaded driver \SystemRoot\System32\DRIVERS\netflx3.sys

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys

Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\update.sys

Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys

Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\InCDfs.SYS

Loaded driver \SystemRoot\System32\Drivers\InCDrec.SYS

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbscan.sys

Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS

Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys

Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys

Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\System32\DRIVERS\asyncmac.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \??\C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Service Pack 3 5 23 2009 09:46:54.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver pciide.sys

Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver Lbd.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver sisagp.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\L8042mou.Sys

Loaded driver \SystemRoot\system32\DRIVERS\LMouKE.Sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\L8042Kbd.sys

Loaded driver \SystemRoot\System32\DRIVERS\msikbd2k.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys

Loaded driver \SystemRoot\system32\drivers\msmpu401.sys

Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\DRIVERS\InCDPass.sys

Loaded driver \SystemRoot\System32\Drivers\incdrm.SYS

Loaded driver \SystemRoot\system32\DRIVERS\vvoice.sys

Loaded driver \SystemRoot\system32\DRIVERS\vpctcom.sys

Loaded driver \SystemRoot\system32\DRIVERS\vmodem.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptserial.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\drivers\cmuda.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys

Loaded driver \SystemRoot\System32\DRIVERS\netflx3.sys

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys

Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\update.sys

Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys

Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\InCDfs.SYS

Loaded driver \SystemRoot\System32\Drivers\InCDrec.SYS

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbscan.sys

Loaded driver \SystemRoot\System32\DRIVERS\USBSTOR.SYS

Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys

Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys

Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\asyncmac.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Service Pack 3 5 23 2009 18:22:03.500

Loaded driver \WINDOWS\system32\ntoskrnl.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver pciide.sys

Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver Lbd.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver sisagp.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\L8042mou.Sys

Loaded driver \SystemRoot\system32\DRIVERS\LMouKE.Sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\L8042Kbd.sys

Loaded driver \SystemRoot\System32\DRIVERS\msikbd2k.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys

Loaded driver \SystemRoot\system32\drivers\msmpu401.sys

Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\DRIVERS\InCDPass.sys

Loaded driver \SystemRoot\System32\Drivers\incdrm.SYS

Loaded driver \SystemRoot\system32\DRIVERS\vvoice.sys

Loaded driver \SystemRoot\system32\DRIVERS\vpctcom.sys

Loaded driver \SystemRoot\system32\DRIVERS\vmodem.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptserial.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\drivers\cmuda.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys

Loaded driver \SystemRoot\System32\DRIVERS\netflx3.sys

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys


  • Root Admin

Yes the box still shows a hidden program running. I understand your concern but there is always a possibility that the removal can break the computer. In fact some Malware almost assures that it will break the computer by removing it and it then requires some manipulation to undo the damage it has done, if it's even possible. Some Malware damages the system beyond easy repair methods.

Another option is to run this offline AV scanner and see if it can find and remove the infection. Though it, too, can potentially break the box.

I'm sorry but I cannot guarantee that nothing will happen and the box will be okay. I can say that in 99.9% of all the posts I've done using Combofix and other tools the box has been fixed. Yes, there have been a couple that have not survived the Malware and required a rebuild, but not many.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported. Command Line not working: English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


I will think about using the download and see if I want to use it. I will burn it and keep it.

Do you think I should wait until the problem appears again?

Why does it go away and then come back if it is indeed a bootable file?

Is there any live person I can talk to if my system crashes? That is, if this crashes my box?

Should I make a back up of all my data before I run it?

Can the "crash" be fixed with the recovery console?

Do you have a procedure of using the recovery console if I have to use it if a live person is not available?

Lastly, about 1-2 months before this problem arose, I would shut my box off and then come home and it would be on. Would what you see in the boot.ini be the culprit and NOT related to the problem? Or is this the problem?

The only thing that I changed is the keyboard, I went to a wireless, almost immediately, I came home and the box was running. I cut the power now to stop it. Then I forget to turn the power off and nothing happens and then I forget to turn the power off and it is on, like today.

About a year ago, I had this same problem, ran trend micro and it was gone immediately, a trojan horse

Why isn't Malware picking it up and destroying it? I want to buy it but .....


  • Root Admin

I will think about using the download and see if I want to use it. I will burn it and keep it.

AS: It is a good program to have around

Do you think I should wait until the problem appears again?

AS: No, not unless you never use this computer for ANY Banking or sites that require a password, etc as you could easily be handing that information over to someone else.

You have some file running in %temp% that has not been identified. Is it Malware or Virus, we don't know without running more tools, which do have the potential to break the box

Why does it go away and then come back if it is indeed a bootable file?

AS: I didn't write the file and I don't have a copy of it to analyze with a debugger so I can't really answer that for you.

Is there any live person I can talk to if my system crashes? That is, if this crashes my box?

AS: No, I'm sorry but forum support and email support is all that is provided

Should I make a back up of all my data before I run it?

AS: Backups are always a must. If you don't backup your data then you're just looking for trouble as sooner or later you could have a hard drive failure bad enough that the data could not be restored

Can the "crash" be fixed with the recovery console?

AS: Possibly, it really depends on what IF anything happens. Do you have the actual Windows XP installation CD and the COA key on the side of your computer to reinstall Windows if you had to?

Do you have a procedure of using the recovery console if I have to use it if a live person is not available?

AS: It's just basic DOS commands that can be run. There are Websites that do discuss each and every command but I don't have it documented myself in a format that I can post.

Lastly, about 1-2 months before this problem arose, I would shut my box off and then come home and it would be on. Would what you see in the boot.ini be the culprit and NOT related to the problem? Or is this the problem?

AS: Very odd to have Malware/Virus perform such a task. I really don't see how they could even if they had complete control of your computer remotely. Wake On LAN would be the only way and I suppose it's possible but very unlikely to get that to work over the Internet.

That sounds more like an intermittent hardware problem that might have coincided with Malware.

The only thing that I changed is the keyboard, I went to a wireless, almost immediately, I came home and the box was running. I cut the power now to stop it. Then I forget to turn the power off and nothing happens and then I forget to turn the power off and it is on, like today.

About a year ago, I had this same problem, ran trend micro and it was gone immediately, a trojan horse

AS: With those exact symptoms I find it difficult to believe it was a Trojan

Why isn't Malware picking it up and destroying it? I want to buy it but .....

AS: New Malware comes out every day by the hour and there is not a single product on the market that can detect and remove every single piece of Malware at any given time. All of them update daily and track down new Malware and write code to remove it. All I can say is that Malwarebytes is one of the front runners when it comes to detecting and removing Malware. Whether or not you purchase the program does not affect the ability of detecting or removing Malware. The FREE or Paid version operate the same in that respect. The paid version adds live protection to attempt to stop Malware from getting on the box in the first place, it adds scheduling, and some other features described on the main Website page.

AS: If you can't take the time or risk of doing it on your own then I'd suggest taking it to a Computer Repair shop, but they're basically going to do quite similar tasks that I'm asking you to do except they're going to charge you and make you leave the computer with them for days.


THANK YOU SO MUCH for the replies, I do have the XP disc and hope that it does not crash.

I have to wait until Saturday to do it, so if it does crash I will be ready.

I backed up my outlook .pst, doc, fav, ex, etc, pictures and am ready to do it Saturday.

I just don't know DOS commands for the recovery console, so I don't know what to type.

I will research it on Microsoft website to get information.

Wish me luck!!

One thing, why do you think that GMER brought it to the surface again?

Also, I never found the installation files for that program on my box.


  • Root Admin

I think that CF is using GMER as part of its scanning tools (I've not checked to confirm this but that would be my guess)

Many of the recent Malware variants have started to heavily target many of the tools used to detect and remove them so it can be difficult to get them off at times.


What does CF stand for?

I think that CF is using GMER as part of its scanning tools (I've not checked to confirm this but that would be my guess)

Many of the recent Malware variants have started to heavily target many of the tools used to detect and remove them so it can be difficult to get them off at times.


Well, that is the fastest I have ever prayed :rolleyes:

All went OK, I hope that it is gone.

I have attached the HijackThis, ComboFix and boot ini logs, but it would not let me upload the HijackThis log so I put this in the body of this mail.

I did not know if you wanted the DDS again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:43 AM, on 5/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal


O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
--
End of file - 1977 bytes

ComboFix.txt

ntbtlog.txt


  • Root Admin

STEP 01

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, click on Exit Spybot S&D Resident

Second step, for either version:

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

AtJob::

File::
C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

  1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  2. Restart your computer (very important).
  3. Download and run this utility.
  4. It will ask to restart your computer (please allow it to).
  5. After the computer restarts, install the latest version from here
    Note: If you're using a PAID version of Malwarebytes, you will need to reactivate the program using the license you were sent via e-mail.

BEFORE registering and starting the Protection Module, locate the Exclusion List for your Anti-Virus. Probably under an advanced menu in the program.

Add the following folders, sub-folders if you can, at a minimum add the files to the exclusion to be safe.

  • C:\Program Files\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\WINDOWS\system32\drivers\mbam.sys
  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Then UPDATE the MBAM definition files and do a QUICK SCAN and post back that log.

STEP 04

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:54 AM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal


O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
--
End of file - 2059 bytes

ComboFix.txt

ntbtlog.txt

DDS.txt

Attach.txt

mbam_log_2009_05_31__09_45_12_.txt


  • Root Admin

Well all the logs don't show anything.

You need to redo the bootlog though as you did not delete it as requested.

Here in the log it shows it's been rebooted and run at least 6 times.

Service Pack 3 5 23 2009 08:58:11.500
Service Pack 3 5 23 2009 09:46:54.500
Service Pack 3 5 23 2009 18:22:03.500
Service Pack 3 5 26 2009 06:30:55.500
Service Pack 3 5 30 2009 09:01:20.500
Service Pack 3 5 31 2009 09:49:44.500

Please delete the file, then reboot and upload the NEW one.

Thanks.

Are you still having any signs of infection?

Please create a BOOTLOG

  • Delete the following file if it exists: C:\Windows\ntbtlog.txt
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows Installation (even if there is only one Windows installation)
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
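As an added example (not a tool from this thread or from Malwarebytes), here is a small Python parser for the ntbtlog.txt format posted in this thread. It splits the log into boot sessions on the "Service Pack 3 <date> <time>" header that the admin used to count reboots, so a log that was never deleted shows how many boots it spans, and for the most recent boot it lists drivers that did not load and drivers loaded from outside the Windows system directories. The sample log is constructed (its Temp-folder driver line reuses the path named in the CFScript above), and the set of "expected" directories is an assumption of this example.

```python
"""Triage helper for a Windows XP boot log (ntbtlog.txt) in the format posted
in this thread.  Added example, not a tool from the forum or from Malwarebytes.

Windows appends to ntbtlog.txt on every boot with logging enabled and starts
each session with a header such as 'Service Pack 3 5 31 2009 09:49:44.500',
which is why a log that was never deleted shows several sessions."""
import re
from dataclasses import dataclass, field

SESSION_HEADER = re.compile(
    r"^Service Pack \d+\s+(\d+ \d+ \d{4} \d{2}:\d{2}:\d{2}\.\d+)\s*$")
LOADED = re.compile(r"^Loaded driver (.+)$")
NOT_LOADED = re.compile(r"^Did not load driver (.+)$")

# Directories a driver is expected to load from (assumption for this example;
# compared case-insensitively).  A driver loading from anywhere else, e.g. a
# user's Temp folder, deserves a closer look.
EXPECTED_PREFIXES = (
    "\\systemroot\\system32\\",
    "\\windows\\system32\\",
    "\\??\\c:\\windows\\system32\\",
)


@dataclass
class BootSession:
    started: str                                    # timestamp from the header
    loaded: list = field(default_factory=list)      # 'Loaded driver' paths
    not_loaded: list = field(default_factory=list)  # 'Did not load driver' paths


def parse_ntbtlog(text):
    """Split an ntbtlog.txt body into BootSession objects, one per header."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SESSION_HEADER.match(line)
        if m:
            sessions.append(BootSession(started=m.group(1)))
            continue
        if not sessions:
            # Driver lines before any header (log truncated at the top)
            sessions.append(BootSession(started="unknown"))
        m = LOADED.match(line)
        if m:
            sessions[-1].loaded.append(m.group(1))
            continue
        m = NOT_LOADED.match(line)
        if m:
            sessions[-1].not_loaded.append(m.group(1))
    return sessions


def unusual_drivers(session):
    """Return loaded drivers whose path lies outside EXPECTED_PREFIXES.

    Bare names such as 'atapi.sys' are resolved by Windows from the system
    directories and are treated as expected."""
    flagged = []
    for path in session.loaded:
        low = path.lower()
        if "\\" in low and not low.startswith(EXPECTED_PREFIXES):
            flagged.append(path)
    return flagged


def summarize(text):
    """Return (number of boots, unusual drivers, drivers that failed to load)
    for the most recent session in the log."""
    sessions = parse_ntbtlog(text)
    latest = sessions[-1]
    return len(sessions), unusual_drivers(latest), list(latest.not_loaded)


# Constructed sample in the format of the log posted above: two boots; the
# second loads a driver from the Temp folder named in the CFScript in this
# thread (the log line itself is made up for the example).
SAMPLE_LOG = r"""
Service Pack 3 5 30 2009 09:01:20.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Service Pack 3 5 31 2009 09:49:44.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver atapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\hardlock.sys
Loaded driver \??\C:\DOCUME~1\DORLAI~1\LOCALS~1\Temp\askiaaqy.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
"""

if __name__ == "__main__":
    boots, unusual, failed = summarize(SAMPLE_LOG)
    print(f"boot sessions in log: {boots}")  # 2
    print("drivers loaded from unexpected locations in the latest boot:")
    for p in unusual:
        print("  ", p)
    print("drivers that did not load in the latest boot:")
    for p in failed:
        print("  ", p)
```

Run it against a real C:\Windows\ntbtlog.txt by reading the file into `summarize`; a session count above one means the log was not deleted before the logged boot, which is exactly what the admin asked to redo.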

Here is the boot log, sorry did not know to delete it

Also, AVG found two tracking cookies for Ad-Aware AAWService.exe and Windows Defender MsMpEng.exe so I placed those in the exception list.

BUT it did find a tracking cookie on c/programs, etc in iexplore.exe of

Cookie 2o7 msportal.112.2o7(1).txt

I quarantined it in virus vault, should I delete it?

I was OK until this AM, I was in Excel and my mouse pointer would not let me scroll, but let me do other things, not as bad as it usually is. Most of time once I have the problem, I have to re-boot to get rid of it

I did notice that after I ran the combofix for the second time, my computer was faster.

I just got another infection in iexplore.exe of trfficmp, I deleted them

ntbtlog.txt


I could not add this, at first I thought the infection was there a little bit, but later, it escalated and I had to hard boot.

Funny thing is if I reboot and run any of the spyware products, they don't find anything but the problem goes away. It takes longer for it to appear again, then it appears, I reboot, run the program and it is gone. If I do this in 3 days it is completely gone.

Then it comes back when you have me run the programs and scans. I am not blaming you at all. I appreciate your time. I am just giving you information so you can figure out what is happening.

I now have Windows Defender, Spybot, Lavasoft (paid version for Lavasoft) all running on a full scan at night at different intervals. Then AVG runs after those and it finds tracking cookies, crazy.

I would definitely buy the Malware and have it run also (I bought Lavasoft) but if it can't find this problem then there is no use in doing so for now. I will replace the Lavasoft with Malware if we can find the problem without me formatting my hard drive.

Malware did find it in the beginning and I sent that log sometime ago. All the threats were with Cyberdefender, which I totally deleted from my box, I hope. Maybe I did not get all of it?

I do hope you don't have me format my hard drive, please! Such a lot of work and I just will not be able to do it until the weekend. Also, I only have 3 installs for Office 2007 and have used them all. I will have to call Microsoft to see if it will let me install again. That will cost me a lot of money if I can't install it again.

Anyway, my AVG is finding a lot of tracking cookies and I have set the controls to delete them instead of holding them for me to delete.

I did add the Ad-Aware and Windows Defender in the exceptions but it seems to still show tracking cookies.

My concern is the one that is targeting IE at C:\Windows\IE

I am at work now and will check the post from here.

I ran the Malware before I left, but even though I have the problem it still does not show the problem, it tells me I am clean.

I would suspect that my boot.ini still shows the hidden program.

This topic is now closed to further replies.