Infected with Vundo

I seem to have picked up a version of Vundo that I can't get rid of. I have downloaded the most current version of Malwarebytes and updated it. I have to use a renamed version of mbam.exe because it keeps disappearing. I'm not sure if it's the malware or my McAfee Total Protection that's doing it. I also cannot update the definitions. I get the error "MBAM_ERROR_UPDATING(0,0,SHRegGetPath)". The only way I can get the most current version of the definitions is to turn off my McAfee and reinstall. Turning it off and running the update option still gives me the same error. I also get a message "unable to load fatemoko.dll" on startup. Here is the log from the complete scan I did after the install/update:

-------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4172

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/6/2010 11:47:48 AM

mbam-log-2010-06-06 (11-47-48).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|)

Objects scanned: 244655

Time elapsed: 1 hour(s), 30 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\SYSTEM32\gugatemi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{7277edb3-76d0-40a6-8702-5af3f8612b15} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\simaduheg (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7277edb3-76d0-40a6-8702-5af3f8612b15} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\yoyitekaj (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilijeyute (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gugatemi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gugatemi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\gugatemi.dll (Trojan.Vundo.H) -> Delete on reboot.

------------

Following the reboot I ran a Quick Scan:

------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4172

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/6/2010 12:34:07 PM

mbam-log-2010-06-06 (12-34-07).txt

Scan type: Quick scan

Objects scanned: 161847

Time elapsed: 29 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wilijeyute (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------

This pattern occurs repeatedly - there's always wilijeyute found after a scan/reboot, and the number of infected items grows until I scan again.

I downloaded and ran defogger. After it was finished, it did not ask me to do a reboot; it just gave me the box to click disable/enable again. I closed the box and went ahead and rebooted manually.

I then ran DDS. Those results are:

--------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sue at 13:04:38.34 on Sun 06/06/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1457 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Anti-Theft\McPvTray.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\Sue\My Documents\Downloads\malwarebytes\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uWindow Title = Microsoft Internet Explorer provided by AT&T WorldNet Service

uSearch Bar = hxxp://www.worldnet.att.net/ie4/search/index.html

mSearch Bar =

uInternet Settings,ProxyOverride = <local>

uSearchAssistant =

uCustomizeSearch =

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518064312.dll

BHO: {a2de3a5b-fcf5-43c1-bb7d-a1f92b4749b5} - humisela.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [TomcatStartup] "c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe"

mRun: [statusClient] "c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe" /auto

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [ADUserMon] "c:\program files\iomega\autodisk\ADUserMon.exe"

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [iomega Drive Icons] "c:\program files\iomega\driveicons\ImgIcon.exe"

mRun: [Deskup] "c:\program files\iomega\driveicons\deskup.exe" /IMGSTART

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] "nwiz.exe" /install

mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McPvTray] c:\program files\mcafee\anti-theft\McPvTray.exe

mRun: [wilijeyute] Rundll32.exe "fatemoko.dll",s

StartupFolder: c:\documents and settings\sue\start menu\programs\startup\PowerReg Scheduler V3.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxp://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

AppInit_DLLs: wopebulu.dll dunumeda.dll c:\windows\system32\dipagowe.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: megoyukuf - {d1d6d5ac-b918-4749-8439-bca1dbc3ad3a} - c:\windows\system32\dipagowe.dll

STS: mujuzedij: {d1d6d5ac-b918-4749-8439-bca1dbc3ad3a} - c:\windows\system32\dipagowe.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\documents and settings\all users\documents\eudora\EuShlExt.dll

LSA: Notification Packages = scecli wopebulu.dll dunumeda.dll

============= SERVICES / DRIVERS ===============

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2009-11-17 63080]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-6 385880]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-14 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-6 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-14 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-14 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-14 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-14 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-14 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-14 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-14 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-17 152320]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-17 51688]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-14 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-14 88480]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-14 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-14 83496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-17 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-17 40552]

S3 PCD5SRVC{3F6A8B78-EC003E00-05040000};PCD5SRVC{3F6A8B78-EC003E00-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~1\hwdiag\bin\PCD5SRVC.pkms [2007-12-5 20640]

=============== Created Last 30 ================

2010-06-06 16:57:20 0 ----a-w- c:\documents and settings\sue\defogger_reenable

2010-06-06 04:24:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-06 04:24:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-29 02:03:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-04-27 21:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-04-27 21:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-04-27 21:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-04-27 21:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-04-27 21:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-04-27 21:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-04-27 21:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-04-27 21:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-04-12 22:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2008-09-12 13:18:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 13:06:39.84 ===============

I then attempted to run GMER. I made sure that IEAT/EAT & show all were unchecked. The only drive checked was the C:\ drive. This seemed to run ok at first, but then it just hung. The last 2 entries were for attacheD ....

I waited for a couple of hours, thinking maybe it was processing behind the scenes. After no response, I finally started trying to figure out what was happening. The CPU was pegged at 100% constantly. I finally had to power the machine down.

I've attached the Attach.txt file as a zip file, but I wanted someone to review everything before I try to run the GMER again. When I do, should I re-execute DDS first? I have NOT run the defogger again, so everything should still be disabled, unless the power down / restart would affect that.

Please let me know what I should do, and if any steps need to be re-run.

Thank you.

Sue

Attach.zip

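The recurring wilijeyute entry and the DLLs spread across AppInit_DLLs, SSODL, SharedTaskScheduler and the LSA Notification Packages line in the DDS log above are several load points for the same infection, which is why cleaning one of them is followed by reinfection. As an added example (not from this thread, Malwarebytes or DDS), the Python below reads DDS "Pseudo HJT Report" lines, flags DLLs referenced without a path or with the generated-looking names seen above, and groups the hits by DLL so multi-load-point persistence stands out. The sample lines are copied from the log above; the consonant-vowel name heuristic is an assumption for illustration, not a detection signature.

```python
"""Triage DDS 'Pseudo HJT Report' lines for Vundo-style persistence (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: persistence-related lines copied from the DDS log in the thread.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [wilijeyute] Rundll32.exe "fatemoko.dll",s
AppInit_DLLs: wopebulu.dll dunumeda.dll c:\windows\system32\dipagowe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: megoyukuf - {d1d6d5ac-b918-4749-8439-bca1dbc3ad3a} - c:\windows\system32\dipagowe.dll
STS: mujuzedij: {d1d6d5ac-b918-4749-8439-bca1dbc3ad3a} - c:\windows\system32\dipagowe.dll
LSA: Notification Packages = scecli wopebulu.dll dunumeda.dll
BHO: {a2de3a5b-fcf5-43c1-bb7d-a1f92b4749b5} - humisela.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
"""

# DDS prefixes for the load points used in this log, mapped to readable names.
LOAD_POINTS = {
    "uRun": "HKCU Run",
    "mRun": "HKLM Run",
    "BHO": "Browser Helper Object",
    "AppInit_DLLs": "AppInit_DLLs",
    "SSODL": "ShellServiceObjectDelayLoad",
    "STS": "SharedTaskScheduler",
    "LSA": "LSA Notification Packages",
}

# A DLL reference: optional drive-rooted path (segments may contain spaces) plus file name.
DLL_RE = re.compile(r"(?:[a-z]:\\(?:[^\\\n]+\\)*)?[\w~.-]+\.dll", re.I)

# Assumed heuristic for the generated names in this thread (gugatemi, dipagowe, fatemoko):
# four or five consonant+vowel pairs, optionally one trailing consonant, all lowercase.
CV_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiouy]){4,5}[bcdfghjklmnpqrstvwxyz]?$")


class Finding(NamedTuple):
    load_point: str
    dll: str
    reasons: tuple


def looks_generated(basename: str) -> bool:
    """True for names such as 'dipagowe.dll'; a heuristic, not a signature."""
    return bool(CV_NAME_RE.match(basename.rsplit(".", 1)[0]))


def triage(report: str) -> List[Finding]:
    """Return one Finding per suspicious DLL reference in a DDS report."""
    findings = []
    for line in report.splitlines():
        prefix = line.strip().split(":", 1)[0]
        if prefix not in LOAD_POINTS:
            continue
        for ref in DLL_RE.findall(line):
            basename = ref.rsplit("\\", 1)[-1].lower()
            reasons = []
            if "\\" not in ref:
                reasons.append("no path")  # legitimate entries normally give a full path
            if looks_generated(basename):
                reasons.append("generated-looking name")
            if prefix.endswith("Run") and "rundll32" in line.lower() and "\\" not in ref:
                reasons.append("rundll32 loads DLL by bare name")
            if reasons:
                findings.append(Finding(LOAD_POINTS[prefix], basename, tuple(reasons)))
    return findings


def by_dll(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group flagged DLLs by the load points that reference them: one DLL in several
    load points is what lets the infection rebuild itself after a partial cleanup."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.load_point not in groups[f.dll]:
            groups[f.dll].append(f.load_point)
    return dict(groups)


if __name__ == "__main__":
    hits = triage(SAMPLE_DDS)
    for f in hits:
        print(f"{f.load_point:28} {f.dll:20} {', '.join(f.reasons)}")
    for dll, points in by_dll(hits).items():
        print(f"{dll}: {len(points)} load point(s): {', '.join(points)}")
```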

Hi Screen317,

Thank you for your help. I've downloaded ComboFix, but have 1 question before I run it. The instructions state that one of the first things it does is create a system restore point. At one time during my attempts to clean the PC, I turned off system restore following instructions I found on McAfee's web site. It stated that for Vundo, it sometimes hid in the restore files, and system restore needed to be turned off for it to clean those files. I never turned it back on (oversight on my part). I am assuming I need to turn it back on before running ComboFix. I just wanted to verify since it was turned off when I ran the other tools for you. Sorry if this is a stupid question, but I don't want to make any assumptions during this process.

Also, when I post the ComboFix.txt, do you want it pasted into the reply, or attached as a file?

Thanks again,

Sue


  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Here's the combofix.txt:

ComboFix 10-06-09.01 - Sue 06/09/2010 21:40:23.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1598 [GMT -4:00]

Running from: c:\documents and settings\Sue\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ed\GoToAssistDownloadHelper.exe

c:\documents and settings\Sue\GoToAssistDownloadHelper.exe

c:\windows\system32\dunumeda.dll

c:\windows\system32\pepufebe.dll

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-06 04:24 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-06 04:24 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-29 02:03 . 2010-06-06 16:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-01 15:13 . 2010-04-06 00:12 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-18 10:48 . 2009-09-19 22:43 -------- d-----w- c:\documents and settings\Sue\Application Data\HpUpdate

2010-05-03 20:10 . 2003-12-20 23:56 -------- d-----w- c:\program files\Java

2010-05-02 14:14 . 2009-06-07 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Anti-Theft

2010-05-02 14:10 . 2004-10-29 16:51 -------- d-----w- c:\program files\McAfee

2010-05-02 14:10 . 2004-10-29 16:51 -------- d-----w- c:\documents and settings\Sue\Application Data\McAfee

2010-04-27 21:16 . 2010-04-14 11:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-04-27 21:16 . 2010-04-14 11:29 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-04-27 21:16 . 2010-04-14 11:29 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-04-27 21:16 . 2010-04-14 11:29 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-04-27 21:16 . 2010-04-14 11:29 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-04-27 21:16 . 2010-04-14 11:29 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-04-27 21:16 . 2010-04-14 11:29 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-04-27 21:16 . 2009-06-07 03:40 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-04-27 21:16 . 2007-01-17 17:51 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-04-27 21:16 . 2007-01-17 17:51 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-04-15 02:05 . 2003-12-21 00:10 -------- d-----w- c:\program files\McAfee.com

2010-04-14 11:35 . 2007-01-17 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-04-14 11:33 . 2009-06-07 03:38 -------- d-----w- c:\program files\Common Files\McAfee

2010-04-12 22:29 . 2010-05-03 20:10 411368 ----a-w- c:\windows\system32\deployJava1.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]

"nwiz"="nwiz.exe" [2007-06-29 1626112]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-07 642856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]

"McPvTray"="c:\program files\McAfee\Anti-Theft\McPvTray.exe" [2009-11-17 670312]

c:\documents and settings\Sue\Start Menu\Programs\Startup\

PowerReg Scheduler V3.exe [2008-1-12 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-11 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\documents and settings\All Users\Documents\Eudora\EuShlExt.dll" [2004-04-19 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\WINDOWS\\SYSTEM32\\HPBPRO.EXE"=

R0 McPvDrv;McPvDrv Driver;c:\windows\SYSTEM32\DRIVERS\McPvDrv.sys [11/17/2009 12:15 PM 63080]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/14/2010 7:29 AM 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/6/2009 11:45 PM 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/14/2010 7:28 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/14/2010 7:28 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/14/2010 7:29 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/14/2010 7:29 AM 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/14/2010 7:29 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/14/2010 7:29 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/14/2010 7:29 AM 88480]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/14/2010 7:29 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/14/2010 7:29 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2004-04-04 c:\windows\Tasks\HP DArC Task 2005-01-12 09:20ewlett-Packard2005-01-12 09:20p psc 2400 series1A27E83E7A731CB1FD8ABAD5272A9B91E11387A6081097537.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2005-01-12 19:54]

2004-04-07 c:\windows\Tasks\HP DArC Task 2005-01-12 09:20ewlett-Packard2005-01-12 09:20p psc 2400 series1A27E83E7A731CB1FD8ABAD5272A9B91E11387A6081300756.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2005-01-12 19:54]

2004-05-29 c:\windows\Tasks\HP DArC Task 2005-01-12 09:20ewlett-Packard2005-01-12 09:20p psc 2400 series1A27E83E7A731CB1FD8ABAD5272A9B91E11387A6085854520.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2005-01-12 19:54]

2004-06-28 c:\windows\Tasks\HP DArC Task 2005-01-12 09:20ewlett-Packard2005-01-12 09:20p psc 2400 series1A27E83E7A731CB1FD8ABAD5272A9B91E11387A6088460029.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2005-01-12 19:54]

2003-12-25 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2004-05-29 c:\windows\Tasks\WebReg 20040529141647.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 05:43]

2004-08-28 c:\windows\Tasks\WebReg 20040828041305.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 05:43]

2004-09-28 c:\windows\Tasks\WebReg 20040928041409.job

- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 05:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.att.net/

mSearch Bar =

uInternet Settings,ProxyOverride = <local>

uSearchAssistant =

uCustomizeSearch =

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

BHO-{a2de3a5b-fcf5-43c1-bb7d-a1f92b4749b5} - humisela.dll

HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe

HKLM-Run-simaduheg - c:\windows\system32\pepufebe.dll

HKLM-Run-wilijeyute - fatemoko.dll

SharedTaskScheduler-{d1d6d5ac-b918-4749-8439-bca1dbc3ad3a} - c:\windows\system32\dipagowe.dll

SharedTaskScheduler-{405d7ee5-564b-4278-aab0-33b31f541be0} - c:\windows\system32\pepufebe.dll

SSODL-megoyukuf-{d1d6d5ac-b918-4749-8439-bca1dbc3ad3a} - c:\windows\system32\dipagowe.dll

SSODL-wahigahor-{405d7ee5-564b-4278-aab0-33b31f541be0} - c:\windows\system32\pepufebe.dll

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-09 22:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF7637000]<< >>UNKNOWN [0xF7627000]<< >>UNKNOWN [0xF771F000]<< >>UNKNOWN [0x806FF000]<< >>UNKNOWN [0xF74C0000]<< >>UNKNOWN [0xF7A4F000]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> 0xf763bf28

\Driver\ACPI -> 0xf75aecb8

\Driver\atapi -> 0xf74c6852

IoDeviceObjectType -> DeleteProcedure -> 0x805e710a

ParseProcedure -> 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x805e710a

ParseProcedure -> 0x80578f7a

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0xf787fbb0

PacketIndicateHandler -> 0xf788ca21

SendHandler -> 0xf786a87b

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-912575385-3299834854-850382090-1008\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3456)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\program files\Iomega\DriveIcons\IMGHOOK.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\System32\HPZipm12.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\BCMSMMSG.exe

c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-06-09 22:21:34 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-10 02:21

Pre-Run: 16,925,171,712 bytes free

Post-Run: 17,274,953,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 3DD3F2D1B416312187914CB96A2D4E64

And the DDS.log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Sue at 22:25:19.68 on Wed 06/09/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1568 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\McAfee\Anti-Theft\McPvTray.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

C:\Documents and Settings\Sue\My Documents\Downloads\malwarebytes\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/

mSearch Bar =

uInternet Settings,ProxyOverride = <local>

uSearchAssistant =

uCustomizeSearch =

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518064312.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [TomcatStartup] "c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe"

mRun: [statusClient] "c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe" /auto

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [ADUserMon] "c:\program files\iomega\autodisk\ADUserMon.exe"

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [iomega Drive Icons] "c:\program files\iomega\driveicons\ImgIcon.exe"

mRun: [Deskup] "c:\program files\iomega\driveicons\deskup.exe" /IMGSTART

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] "nwiz.exe" /install

mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McPvTray] c:\program files\mcafee\anti-theft\McPvTray.exe

StartupFolder: c:\documents and settings\sue\start menu\programs\startup\PowerReg Scheduler V3.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxp://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\documents and settings\all users\documents\eudora\EuShlExt.dll

============= SERVICES / DRIVERS ===============

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2009-11-17 63080]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-6 385880]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-14 82952]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-6-6 93320]

R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-14 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-14 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-14 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-14 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-14 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-14 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-14 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-1-17 152320]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-1-17 51688]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-14 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-14 88480]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-14 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-14 83496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-1-17 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-1-17 40552]

=============== Created Last 30 ================

2010-06-10 01:31:41 0 d-sha-r- C:\cmdcons

2010-06-10 01:23:54 98816 ----a-w- c:\windows\sed.exe

2010-06-10 01:23:54 77312 ----a-w- c:\windows\MBR.exe

2010-06-10 01:23:54 256512 ----a-w- c:\windows\PEV.exe

2010-06-10 01:23:54 161792 ----a-w- c:\windows\SWREG.exe

2010-06-06 16:57:20 0 ----a-w- c:\documents and settings\sue\defogger_reenable

2010-06-06 04:24:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-06 04:24:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-29 02:03:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-04-27 21:16:24 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-04-27 21:16:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-04-27 21:16:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-04-27 21:16:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-04-27 21:16:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-04-27 21:16:24 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-04-27 21:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-04-27 21:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-04-27 21:16:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-04-27 21:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-04-12 22:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2008-09-12 13:18:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 22:25:55.07 ===============

Thanks,

Sue


Hi Sue,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log name is like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

-screen317


Hi,

I ran the exe but it didn't find anything to delete and didn't reboot. Here's the log:

22:08:16:843 2820 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

22:08:16:843 2820 ================================================================================

22:08:16:843 2820 SystemInfo:

22:08:16:843 2820 OS Version: 5.1.2600 ServicePack: 3.0

22:08:16:843 2820 Product type: Workstation

22:08:16:843 2820 ComputerName: KOBEL

22:08:16:843 2820 UserName: Sue

22:08:16:843 2820 Windows directory: C:\WINDOWS

22:08:16:843 2820 Processor architecture: Intel x86

22:08:16:843 2820 Number of processors: 1

22:08:16:843 2820 Page size: 0x1000

22:08:16:843 2820 Boot type: Normal boot

22:08:16:843 2820 ================================================================================

22:08:17:093 2820 Initialize success

22:08:17:093 2820

22:08:17:093 2820 Scanning Services ...

22:08:17:609 2820 Raw services enum returned 385 services

22:08:17:625 2820

22:08:17:625 2820 Scanning Drivers ...

22:08:18:562 2820 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS

22:08:18:765 2820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

22:08:18:921 2820 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

22:08:19:062 2820 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys

22:08:19:187 2820 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

22:08:19:281 2820 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

22:08:19:515 2820 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

22:08:19:750 2820 AFS2K (c685cc27a2e637f0dcb5a45e67cc6f74) C:\WINDOWS\system32\drivers\AFS2K.sys

22:08:19:953 2820 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys

22:08:20:078 2820 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys

22:08:20:203 2820 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys

22:08:20:359 2820 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys

22:08:20:468 2820 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys

22:08:20:578 2820 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys

22:08:20:687 2820 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys

22:08:20:812 2820 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys

22:08:20:921 2820 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys

22:08:21:078 2820 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys

22:08:21:203 2820 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys

22:08:21:296 2820 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys

22:08:21:406 2820 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

22:08:21:515 2820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

22:08:21:750 2820 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

22:08:21:921 2820 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

22:08:22:468 2820 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys

22:08:22:718 2820 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

22:08:22:812 2820 bvrp_pci (73458867c8963c76260c18d7bdb15625) C:\WINDOWS\system32\drivers\bvrp_pci.sys

22:08:22:968 2820 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys

22:08:23:078 2820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

22:08:23:187 2820 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys

22:08:23:265 2820 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

22:08:23:390 2820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

22:08:23:500 2820 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

22:08:23:656 2820 cfwids (44e4a7dded054dd55ae995c3aed719ae) C:\WINDOWS\system32\drivers\cfwids.sys

22:08:23:812 2820 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys

22:08:23:937 2820 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys

22:08:24:078 2820 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys

22:08:24:312 2820 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys

22:08:24:453 2820 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

22:08:24:578 2820 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

22:08:24:781 2820 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

22:08:24:937 2820 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

22:08:25:078 2820 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

22:08:25:281 2820 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys

22:08:25:531 2820 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys

22:08:25:671 2820 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys

22:08:25:765 2820 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys

22:08:25:875 2820 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

22:08:26:093 2820 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys

22:08:26:234 2820 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys

22:08:26:421 2820 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

22:08:26:609 2820 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys

22:08:26:703 2820 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys

22:08:26:828 2820 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

22:08:26:937 2820 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

22:08:27:171 2820 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

22:08:27:312 2820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

22:08:27:406 2820 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

22:08:27:531 2820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

22:08:27:687 2820 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

22:08:27:812 2820 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

22:08:27:984 2820 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

22:08:28:156 2820 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

22:08:28:328 2820 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

22:08:28:500 2820 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

22:08:28:703 2820 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

22:08:28:890 2820 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

22:08:29:062 2820 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

22:08:29:437 2820 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

22:08:29:578 2820 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys

22:08:29:781 2820 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

22:08:30:000 2820 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys

22:08:30:234 2820 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys

22:08:30:390 2820 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys

22:08:30:593 2820 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys

22:08:30:781 2820 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys

22:08:30:984 2820 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys

22:08:31:203 2820 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys

22:08:31:359 2820 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys

22:08:31:687 2820 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys

22:08:31:906 2820 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys

22:08:32:046 2820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

22:08:32:218 2820 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys

22:08:32:312 2820 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

22:08:32:453 2820 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

22:08:32:609 2820 iomdisk (9d7069d72c0c72952f05e1688a5ae89d) C:\WINDOWS\system32\DRIVERS\iomdisk.sys

22:08:32:765 2820 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

22:08:32:890 2820 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

22:08:33:031 2820 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

22:08:33:218 2820 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

22:08:33:453 2820 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

22:08:33:640 2820 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

22:08:33:750 2820 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

22:08:33:921 2820 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

22:08:34:078 2820 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys

22:08:34:203 2820 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

22:08:34:453 2820 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

22:08:34:640 2820 L8042Kbd (d1968dea7baff4a917858c384339cec8) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys

22:08:34:750 2820 L8042mou (bea61fda2103f6f51b14eb0872e8a050) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys

22:08:35:015 2820 LHidFilt (24e0ddb99aeccf86bb37702611761459) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys

22:08:35:203 2820 LMouFilt (d58b330d318361a66a9fe60d7c9b4951) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys

22:08:35:406 2820 LMouKE (cab504e38fced9a56d87d838e9ba13e9) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys

22:08:35:625 2820 McPvDrv (d1c7dce92a59663bea52244d165b215e) C:\WINDOWS\system32\drivers\McPvDrv.sys

22:08:35:859 2820 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\WINDOWS\system32\drivers\mfeapfk.sys

22:08:36:093 2820 mfeavfk (e84596fcb591117f5597498a5f82ad97) C:\WINDOWS\system32\drivers\mfeavfk.sys

22:08:36:296 2820 mfebopk (d40ce01e2d3fe0c079cd2d6b3e4b823b) C:\WINDOWS\system32\drivers\mfebopk.sys

22:08:36:453 2820 mfefirek (3962c6a9e35c4319dcdab0497614fd69) C:\WINDOWS\system32\drivers\mfefirek.sys

22:08:36:625 2820 mfehidk (e7ecf7872bf8f2897ae5a696d908c2f7) C:\WINDOWS\system32\drivers\mfehidk.sys

22:08:36:828 2820 mfendisk (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

22:08:36:828 2820 mfendiskmp (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

22:08:36:968 2820 mferkdet (e411594ac94baef7f8ea991cc8f47fd1) C:\WINDOWS\system32\drivers\mferkdet.sys

22:08:37:187 2820 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

22:08:37:281 2820 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

22:08:37:437 2820 mfetdi2k (1bfe4c4ccf8cd2d7deaffb424e691196) C:\WINDOWS\system32\drivers\mfetdi2k.sys

22:08:37:593 2820 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

22:08:37:718 2820 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

22:08:37:812 2820 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

22:08:37:937 2820 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

22:08:38:093 2820 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

22:08:38:234 2820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

22:08:38:343 2820 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys

22:08:38:578 2820 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

22:08:38:984 2820 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

22:08:39:187 2820 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

22:08:39:296 2820 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

22:08:39:421 2820 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

22:08:39:515 2820 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

22:08:39:671 2820 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

22:08:39:765 2820 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

22:08:39:921 2820 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

22:08:40:109 2820 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

22:08:40:203 2820 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

22:08:40:390 2820 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

22:08:40:578 2820 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

22:08:40:718 2820 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

22:08:40:921 2820 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

22:08:41:093 2820 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

22:08:41:234 2820 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

22:08:41:437 2820 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

22:08:41:812 2820 nv (f8be83f0c686533170f7537e94bf411a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

22:08:42:015 2820 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

22:08:42:125 2820 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

22:08:42:312 2820 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys

22:08:42:421 2820 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys

22:08:42:593 2820 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

22:08:42:781 2820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

22:08:42:921 2820 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

22:08:43:109 2820 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

22:08:43:406 2820 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

22:08:43:625 2820 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

22:08:44:000 2820 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys

22:08:44:187 2820 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys

22:08:44:375 2820 pnarp (ce27fc8bdc54b3ac63d53e2d5f6cc929) C:\WINDOWS\system32\DRIVERS\pnarp.sys

22:08:44:531 2820 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

22:08:44:687 2820 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

22:08:44:781 2820 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

22:08:44:906 2820 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

22:08:45:000 2820 purendis (f4fd591e86ecb6b5d000c7d6c987416b) C:\WINDOWS\system32\DRIVERS\purendis.sys

22:08:45:156 2820 PxHelp20 (7e1eacdecba39e0b2a35306426f0decc) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

22:08:45:265 2820 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys

22:08:45:390 2820 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys

22:08:45:515 2820 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys

22:08:45:671 2820 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys

22:08:45:796 2820 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys

22:08:45:906 2820 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

22:08:46:078 2820 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

22:08:46:187 2820 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

22:08:46:250 2820 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

22:08:46:375 2820 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

22:08:46:562 2820 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

22:08:46:671 2820 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

22:08:46:875 2820 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

22:08:47:093 2820 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

22:08:47:296 2820 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

22:08:47:421 2820 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

22:08:47:625 2820 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

22:08:47:828 2820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

22:08:48:046 2820 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys

22:08:48:171 2820 smwdm (39f9595d2f6f7eb93f45a466789a6f49) C:\WINDOWS\system32\drivers\smwdm.sys

22:08:48:390 2820 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys

22:08:48:546 2820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

22:08:48:781 2820 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

22:08:49:031 2820 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

22:08:49:281 2820 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys

22:08:49:421 2820 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys

22:08:49:562 2820 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

22:08:49:656 2820 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

22:08:49:812 2820 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys

22:08:50:015 2820 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys

22:08:50:203 2820 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys

22:08:50:406 2820 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys

22:08:50:562 2820 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

22:08:50:796 2820 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

22:08:51:046 2820 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

22:08:51:187 2820 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

22:08:51:390 2820 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

22:08:51:546 2820 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys

22:08:51:687 2820 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys

22:08:51:796 2820 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys

22:08:51:921 2820 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys

22:08:52:125 2820 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys

22:08:52:234 2820 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys

22:08:52:343 2820 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys

22:08:52:453 2820 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys

22:08:52:640 2820 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys

22:08:52:828 2820 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys

22:08:52:953 2820 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

22:08:53:156 2820 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys

22:08:53:359 2820 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

22:08:53:593 2820 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

22:08:53:765 2820 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

22:08:53:921 2820 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

22:08:54:062 2820 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

22:08:54:171 2820 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

22:08:54:343 2820 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

22:08:54:421 2820 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

22:08:54:546 2820 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

22:08:54:640 2820 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys

22:08:54:796 2820 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys

22:08:54:937 2820 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

22:08:55:125 2820 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

22:08:55:453 2820 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

22:08:55:765 2820 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

22:08:55:906 2820 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

22:08:56:062 2820 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

22:08:56:218 2820 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

22:08:56:234 2820

22:08:56:234 2820 Completed

22:08:56:234 2820

22:08:56:234 2820 Results:

22:08:56:234 2820 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

22:08:56:234 2820 File objects infected / cured / cured on reboot: 0 / 0 / 0

22:08:56:234 2820

22:08:56:234 2820 KLMD(ARK) unloaded successfully

I also get a clean scan with Malwarebytes, but I still can't update the definitions. I still get error "MBAM_ERROR_UPDATING(0,0,SHRegGetPath)". Maybe I need to reinstall now that my system is (I think) clean? If you confirm that my system is clean, then I can start a new topic in the general forum for the updating problem.

Thanks,

Sue

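The driver listing in the log above records, for every registered driver service, a timestamp, the scanner's process id, the service name, the MD5 of the image and its on-disk path. The defensive use of such a listing is to compare it with a baseline taken from a known-clean machine at the same patch level: a changed hash, a service the baseline does not know, or a driver loading from an unusual directory is what deserves a closer look. The Python script below is an added example, not part of this thread and not code from Kaspersky, Malwarebytes or any other vendor tool; only the line format is taken from the page. The sample log is constructed from three entries on this page plus one invented `examplesvc` line, and the baseline hashes are constructed as well.

```python
"""Parse a driver listing of the form

    HH:MM:SS:mmm  <pid>  <service>  (<md5>)  <path>

and report what differs from a known-good baseline.  Added example: the
line layout comes from the log on this page, everything else is assumed.
"""
import ntpath
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)

# On a stock Windows XP install kernel drivers live here; extend the set with
# third-party driver directories you have verified on the host.
DEFAULT_ALLOWED_DIRS = frozenset({r"c:\windows\system32\drivers"})


@dataclass(frozen=True)
class DriverEntry:
    time: str
    pid: int
    service: str
    md5: str
    path: str


def parse_driver_log(text):
    """Return one DriverEntry per matching line.  Status lines such as
    'Completed' or 'Results:' carry no hash or path and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["time"], int(m["pid"]), m["service"],
                                       m["md5"].lower(), m["path"]))
    return entries


def check_against_baseline(entries, baseline):
    """Compare observed MD5s with a {service: md5} baseline.

    Returns {'mismatched': [(service, observed, expected)], 'unknown': [service]}.
    """
    mismatched, unknown = [], []
    for e in entries:
        expected = baseline.get(e.service)
        if expected is None:
            unknown.append(e.service)
        elif expected.lower() != e.md5:
            mismatched.append((e.service, e.md5, expected.lower()))
    return {"mismatched": mismatched, "unknown": unknown}


def find_unexpected_paths(entries, allowed_dirs=DEFAULT_ALLOWED_DIRS):
    """Entries whose image sits outside the allowed driver directories.
    ntpath is used so the Windows paths split correctly on any host OS."""
    allowed = {d.lower().rstrip("\\") for d in allowed_dirs}
    return [e for e in entries if ntpath.dirname(e.path).lower() not in allowed]


# Constructed sample: the first three lines are copied from the log on this
# page; the 'examplesvc' line is invented to exercise both checks.
SAMPLE_LOG = r"""
22:08:35:859 2820 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\WINDOWS\system32\drivers\mfeapfk.sys
22:08:39:765 2820 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:08:51:546 2820 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
22:08:57:000 2820 examplesvc (0123456789abcdef0123456789abcdef) C:\Documents and Settings\user\examplesvc.sys
22:08:56:234 2820 Completed
22:08:56:234 2820 Results:
"""

# Constructed baseline (in practice: hashes recorded on a clean machine at the
# same patch level).  'mfeapfk' is deliberately absent and 'examplesvc'
# deliberately differs, so both report sections are exercised.
BASELINE_MD5 = {
    "Mup": "2f625d11385b1a94360bfc70aaefdee1",
    "tfsnboio": "d0177776e11b0b3f272eebd262a69661",
    "examplesvc": "ffffffffffffffffffffffffffffffff",
}


if __name__ == "__main__":
    found = parse_driver_log(SAMPLE_LOG)
    report = check_against_baseline(found, BASELINE_MD5)
    for service, got, want in report["mismatched"]:
        print(f"HASH MISMATCH   {service}: got {got}, baseline {want}")
    for service in report["unknown"]:
        print(f"NOT IN BASELINE {service}")
    for e in find_unexpected_paths(found):
        print(f"UNUSUAL PATH    {e.service}: {e.path}")
```

Run on the sample, the script lists `examplesvc` under both the hash-mismatch and the unusual-path checks and `mfeapfk` as absent from the baseline. The `tfsnboio` entry from `C:\WINDOWS\system32\dla\` is listed under unusual paths only until that directory is added to `allowed_dirs`; that listing is a prompt for review, not a verdict, which is also how the path check should be read for the `dla` drivers in the real log above.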

  • Staff

Hi,

Things are looking good, but let's double-check to be sure.

Please delete your copy of ComboFix, grab a fresh copy, run it, and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • Staff

Hi,

This detection...

File:C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}RP2\A0000097.dll

...is in System Restore and is not an active infection.

The rest of the items McAfee flagged (including SecurityCheck) are false positives. Please ignore McAfee's warning and download/run SecurityCheck. It's a program I wrote myself; it's not malicious.

This...

C:\WINDOWS\SWREG.EXE (Not cleaned)

...is one of the files that ComboFix uses and could potentially be abused by malware, hence the detection. The others that weren't cleaned were also in System Restore.

We will deal with that now.

First, ensure that a copy of ComboFix.exe is on your Desktop (don't run it).

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Restart your computer and let me know what issues remain.


[..snipped..]

The rest of the items McAfee flagged (including SecurityCheck) are false positives. Please ignore McAfee's warning and download/run SecurityCheck. It's a program I wrote myself; it's not malicious.

[..snipped..]

First, ensure that a copy of ComboFix.exe is on your Desktop (don't run it).

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Restart your computer and let me know what issues remain.

Hi,

I downloaded Security Check and ran it. Here are the results:

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee Total Protection

McAfee Anti-Theft

McAfee Shredder

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 20

Java 2 Runtime Environment, SE v1.4.2

Adobe Flash Player

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````

I ran the Combofix /uninstall, and it ran fine and uninstalled combofix.

I rebooted, and the machine started fine, as it has the last few days. I ran an update for Malwarebytes and the database updated to the most recent version.

So what's next? I guess I should update my Adobe Acrobat reader.

Thanks once again for all your help.

Sue


Hi,

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java 2 Runtime Environment, SE v1.4.2

Adobe Reader 7.1.0

Restart your computer.

Get the latest version of Adobe Reader.

Let me know what issues remain.

-screen317

Hi,

I uninstalled the two programs, rebooted, installed the latest Adobe Reader, rebooted, and so far so good. Malwarebytes updates fine, no error messages on reboot.

Sue


  • Staff

Great. Delete SecurityCheck.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


Hi,

Thank you. I've downloaded all the recommended files, but still need to install them. I do have one last question. At the start of all this, I ran the defogger /disable program. Should I now run defogger /enable?

Thank you very much for all your help.

Sue


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
