1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Inactive [InActive] BSOD/mysterious driver

Discussion in 'Malware and Virus Removal Archive' started by teener, 2008/09/30.

  1. 2008/09/30
    teener

    teener Inactive Thread Starter

    Joined:
    2008/09/29
    Messages:
    3
    Likes Received:
    0
    Hi all,

    Arie suggested I run RSIT on the system and then post to this forum (after previously posting in Windows XP). Below are the log.txt and info.txt files. Interesting... I noticed the question marks in the path on two of the driver listings - ymegordc and tmcomm. ymegordc is the mystery driver I had referenced in my first post.

    As background, I've got 10 identical XP systems, configured with the same image. They blue screen randomly, and after reviewing logs, booting to safe mode, and replacing the memory, I finally started looking at verifying the drivers and found DebugWiz to look at the minidumps. I found that strange driver, ymegordc (also referenced as zmegordc) using Driver Verifier and in the minidumps, and it's also referenced in the registry. But, I'm unable to locate the actual file using explorer. Hence my posting here. Thanks!!!

    Here's the text of the RSIT files:

    info.txt logfile of random's system information tool 1.04 2008-09-30 07:39:42

    ======Uninstall list======

    -->MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
    Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
    Broadcom NetXtreme Ethernet Controller-->MsiExec.exe /X{7E369B27-13E2-41A5-9879-358EE1C8B5AD}
    DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    HijackThis 2.0.2--> "C:\Program Files\trend micro\HijackThis.exe" /uninstall
    HP Client Management Interface 1.00 D8-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E4EA6A5A-E6FE-481E-81D0-958B2713B62C}\Setup.exe" -l0x9 uninstall
    HP Color LaserJet 2820/2830/2840 2.0--> "C:\Program Files\HP\Digital Imaging\{1030DCDC-2425-407d-BEE1-13558B837FCA}\setup\hpzscr01.exe" -datfile hppscr01.dat
    HP Extended Capabilities 4.7-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
    HP Image Zone 4.7-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Software Update-->MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
    IIF Transaction Creator-->C:\WINDOWS\IIF Transaction Creator Uninstaller.exe
    Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
    InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
    InterVideo WinDVD 7--> "C:\Program Files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe" REMOVEALL
    Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
    Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
    Nortel Networks Desktop Assistant v 1.3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{71B90506-005A-4F6C-AAAC-AC8F9CEC1F86} /l1033
    QuickBooks Pro 2008-->msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME= "pro" QBFULLNAME= "QuickBooks Pro 2008" ADDREMOVE=1
    SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
    Trend Micro Client/Server Security Agent--> "C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe "
    Windows Installer 3.1 (KB893803)--> "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe "

    ======Hosts File======

    10.250.199.253 NPI9C1161

    ======Security center information======

    AV: Trend Micro Client-Server Security Agent AntiVirus
    FW: Trend Micro Client-Server Security Agent Firewall (disabled)

    ======Environment variables======

    "ComSpec "=%SystemRoot%\system32\cmd.exe
    "Path "=%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM; "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\MAILFRONTIER ";C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32;C:\PROGRA~1\FARSTONE\VDPPRO\;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime
    "windir "=%SystemRoot%
    "FP_NO_HOST_CHECK "=NO
    "OS "=Windows_NT
    "PROCESSOR_ARCHITECTURE "=x86
    "PROCESSOR_LEVEL "=15
    "PROCESSOR_IDENTIFIER "=x86 Family 15 Model 4 Stepping 1, GenuineIntel
    "PROCESSOR_REVISION "=0401
    "NUMBER_OF_PROCESSORS "=2
    "PATHEXT "=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP "=%SystemRoot%\TEMP
    "TMP "=%SystemRoot%\TEMP

    -----------------EOF-----------------

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by administrator at 2008-09-30 07:39:26
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 65 GB (86%) free of 76 GB
    Total RAM: 1015 MB (51% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:39:39 AM, on 9/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
    C:\WINDOWS\TEMP\HL592E.EXE
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\logon.scr
    C:\WINDOWS\SYSTEM32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\administrator\Desktop\RSIT.exe
    C:\Program Files\trend micro\administrator.exe

    O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKUS\S-1-5-21-1547161642-1958367476-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-4143570112-3122652770-2327534051-1130\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'username redactedbyTina')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = redacted.local
    O17 - HKLM\Software\..\Telephony: DomainName = redacted.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = redacted.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = redacted.local
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
    O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
    O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

    --
    End of file - 5912 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0005A87D-D626-4B3A-84F9-1D9571695F55}]
    ThunderIEHelper Class - C:\WINDOWS\system32\xunleibho_v14.dll [2006-03-02 86016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper "=C:\WINDOWS\CTHELPER.EXE [2006-08-11 17920]
    "CTxfiHlp "=C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE [2006-08-11 18944]
    "IgfxTray "=C:\WINDOWS\system32\igfxtray.exe [2007-01-13 131072]
    "HotKeysCmds "=C:\WINDOWS\system32\hkcmd.exe [2007-01-13 163840]
    "Persistence "=C:\WINDOWS\system32\igfxpers.exe [2007-01-13 135168]
    "OfficeScanNT Monitor "=C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe [2007-03-29 394952]
    "SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
    "HP Software Update "=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-09-13 49152]
    " "= []
    "Adobe Reader Speed Launcher "=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
    "TomcatStartup 2.5 "=C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe [2004-11-12 245760]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
    antiwpa.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\SYSTEM32\igfxdev.dll [2007-01-13 204800]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun "=145

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveAutoRun "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\InterVideo\DVD7\WinDVD.exe "= "C:\Program Files\InterVideo\DVD7\WinDVD.exe:*:Enabled:WinDVD "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe "= "C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager "

    ======List of files/folders created in the last 3 months======

    2008-09-30 07:39:26 ----D---- C:\rsit
    2008-09-30 07:38:30 ----D---- C:\Documents and Settings\administrator\Application Data\Macromedia
    2008-09-30 07:38:27 ----D---- C:\Documents and Settings\administrator\Application Data\Adobe
    2008-07-29 08:29:17 ----D---- C:\Program Files\Citrix

    ======List of files/folders modified in the last 3 months======

    2008-09-30 07:39:39 ----D---- C:\Program Files\Trend Micro
    2008-09-30 07:39:27 ----D---- C:\WINDOWS\Prefetch
    2008-09-30 07:37:33 ----D---- C:\WINDOWS
    2008-09-30 01:55:15 ----D---- C:\WINDOWS\security
    2008-09-30 00:32:35 ----A---- C:\WINDOWS\cfgall.ini
    2008-09-30 00:00:02 ----D---- C:\WINDOWS\system32
    2008-09-29 14:06:30 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-09-29 14:02:31 ----D---- C:\WINDOWS\Temp
    2008-09-29 14:02:26 ----SHD---- C:\WINDOWS\CSC
    2008-09-29 14:02:24 ----D---- C:\WINDOWS\Minidump
    2008-09-29 10:57:51 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-09-29 10:40:26 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-09-25 09:20:00 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-09-25 07:35:38 ----HD---- C:\WINDOWS\inf
    2008-09-25 07:35:36 ----D---- C:\WINDOWS\Help
    2008-09-25 07:33:11 ----SD---- C:\Documents and Settings\administrator\Application Data\Microsoft
    2008-09-24 16:07:33 ----A---- C:\WINDOWS\_iserr31.ini
    2008-09-24 16:07:33 ----A---- C:\WINDOWS\_isenv31.ini
    2008-09-24 16:07:33 ----A---- C:\WINDOWS\_delis32.ini
    2008-07-29 08:29:17 ----RD---- C:\Program Files
    2008-07-18 22:10:48 ----A---- C:\WINDOWS\system32\cdm.dll
    2008-07-18 22:10:42 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 22:10:40 ----A---- C:\WINDOWS\system32\wups2.dll
    2008-07-18 22:10:24 ----A---- C:\WINDOWS\system32\wucltui.dll.mui
    2008-07-18 22:10:20 ----A---- C:\WINDOWS\system32\wups.dll
    2008-07-18 22:09:46 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-07-18 22:09:44 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-07-18 22:09:44 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-07-18 22:09:42 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 22:09:42 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
    2008-07-18 22:08:34 ----A---- C:\WINDOWS\system32\wuaueng.dll.mui
    2008-07-17 09:26:22 ----SHD---- C:\WINDOWS\Installer
    2008-07-17 09:26:22 ----HD---- C:\Config.Msi
    2008-07-17 09:26:19 ----D---- C:\Program Files\Adobe

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-04 12160]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
    R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
    R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1997-12-22 23936]
    R2 TM_CFW;Common Firewall Driver; \??\C:\Program Files\Trend Micro\Client Server Security Agent\tm_cfw.sys []
    R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
    R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys []
    R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys []
    R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys []
    R2 ymegordc;ymegordc; \??\C:\WINDOWS\system32\drivers\zmegordc.sys []
    R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-10-23 100384]
    R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2006-05-10 156160]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-01-13 5672032]
    R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2007-07-14 10368]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-15 612416]
    R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
    S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
    S3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2006-08-11 502272]
    S3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2006-08-11 499584]
    S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-11-10 340704]
    S3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-08-11 7168]
    S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-08-11 143872]
    S3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2006-08-11 78336]
    S3 fsRamDsk;RamDisk Drive Service; C:\WINDOWS\System32\Drivers\fsRamDsk.sys [2004-09-21 37409]
    S3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2006-08-11 766976]
    S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2006-08-11 154112]
    S3 hap17v2k;Creative P17V HAL Driver; C:\WINDOWS\system32\drivers\hap17v2k.sys [2006-08-11 180224]
    S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    S3 N5SG;Airlink101 SuperG Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\N5SG.sys [2006-11-03 467040]
    S3 NETMW145;AirLink101 300N Wireless PCI Adapter; C:\WINDOWS\system32\DRIVERS\NETMW145.sys [2006-07-31 548096]
    S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
    S3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2006-08-11 116224]
    S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
    S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN); C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-02-04 247296]
    S3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\ZDPNDIS5.SYS []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan; C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [2007-03-29 603856]
    R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall; C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe [2007-03-29 282704]
    R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
    R2 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-02-27 20480]
    R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
    R2 tmlisten;Trend Micro Client/Server Security Agent Listener; C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [2007-03-29 685776]
    R2 zmegordc;zmegordc; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2007-05-24 61440]

    -----------------EOF-----------------
     
    teener,
    #1
  2. 2008/10/01
    teener

    teener Inactive Thread Starter

    Joined:
    2008/09/29
    Messages:
    3
    Likes Received:
    0
    In case anyone cares, the file - zmegordc.sys - was a rootkit/trojan. Not a nice one at all. I was able to see the file if I mapped a drive to the system from an uninfected one. I changed the name of the file and sent it to myself. Norton caught it, and according to them it was called Hacktool.rootkit. Makes my skin crawl. Every one of the systems that was created from an image was infected with this and Trend didn't catch it. They sent me a new signature file, but this is no new virus. I'm rather ticked off. My theory is that since this virus doesn't spread itself around, it was there in the image. The client purchased all 10 systems from a vendor in San Diego, and I'll be trying to contact them to see what they say about it. I'm still waiting on Trend for some removal instructions, but haven't heard back from them. Could be challenging trying to clean it up remotely...
     
    teener,
    #2


  3. to hide this advert.

  4. 2008/10/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi teener
    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Thanks
    Geri
     
    Geri,
    #3

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...